ZyWALL 70 User’s Guide

230

Chapter 13 Introduction to IPSec

Figure 104   Encryption and Decryption

13.1.3.2  Data Confidentiality

The IPSec sender can encrypt packets before transmitting them across a network. 

13.1.3.3  Data Integrity

The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not 
been altered during transmission. 

13.1.3.4  Data Origin Authentication

The IPSec receiver can verify the source of IPSec packets. This service depends on the data 
integrity service. 
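The dependency described in 13.1.3.3 and 13.1.3.4 can be shown with a keyed checksum of the kind AH and ESP carry: a simplified AH-style datagram (SPI, sequence number, payload) protected by an HMAC-SHA1-96 integrity check value. This is an added illustration, not code from the ZyWALL or its manual; the key, SPI and payload values are constructed, and the real AH ICV also covers the immutable IP header fields, which are omitted here.

```python
import hashlib
import hmac
import os
import struct

# IPsec's HMAC-SHA1-96 keeps the first 96 bits (12 bytes) of the 160-bit tag.
ICV_LEN = 12
HDR_LEN = 8  # 32-bit SPI + 32-bit sequence number


def protect(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build SPI | seq | payload | ICV. The ICV is computed over everything
    before it, so a change to any of those bytes is detectable by the receiver."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


def verify(auth_key: bytes, datagram: bytes):
    """Return (spi, seq, payload) when the ICV matches, otherwise None.

    One check gives both services from the manual: integrity (no bit of the
    protected bytes changed in transit) and origin authentication (only a
    holder of auth_key could have produced a matching ICV). Without the
    integrity check there is nothing to bind the sender's identity to."""
    if len(datagram) < HDR_LEN + ICV_LEN:
        return None
    body, icv = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    # Constant-time comparison so the verifier does not leak which byte differed.
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:HDR_LEN])
    return spi, seq, body[HDR_LEN:]


def demo():
    """Constructed scenario: a genuine packet, a tampered copy, and a forgery
    from a party that does not hold the SA's authentication key."""
    sa_key = os.urandom(20)  # constructed; in IPsec this key comes from IKE or manual keying
    genuine = protect(sa_key, 0x1000, 1, b"GET / HTTP/1.0")
    accepted = verify(sa_key, genuine) is not None

    tampered = bytearray(genuine)
    tampered[HDR_LEN] ^= 0x01  # flip one bit of the payload in transit
    tampered_rejected = verify(sa_key, bytes(tampered)) is None

    # Same SPI, sequence number and payload, but signed with a different key.
    forged = protect(os.urandom(20), 0x1000, 1, b"GET / HTTP/1.0")
    forged_rejected = verify(sa_key, forged) is None
    return accepted, tampered_rejected, forged_rejected
```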

13.1.4  VPN Applications

The ZyWALL supports the following VPN applications.

13.1.4.1  Linking Two or More Private Networks Together

Connect branch offices and business partners over the Internet with significant cost savings 
and improved performance when compared to leased lines between sites. 

13.1.4.2  Accessing Network Resources When NAT Is Enabled

When NAT is enabled, remote users are not able to access hosts on the LAN unless the host is 
designated a public LAN server for that specific protocol. Since the VPN tunnel terminates 
inside the LAN, remote users will be able to access all computers that use private IP addresses 
on the LAN.

13.1.4.3  Unsupported IP Applications

A VPN tunnel may be created to add support for unsupported emerging IP applications. See 
Chapter 1 on page 49 for an example of a VPN application.

Summary of Contents for ZyWALL 70

Page 1: ...ZyWALL 70 Internet Security Appliance User s Guide Version 3 64 3 2005 ...

Page 2: ......

Page 3: ...XEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to ...

Page 4: ...io communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and the receiver Connect the equipment into an outlet ...

Page 5: ...m or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no electrical gas or water pipes will be damaged Do NOT install nor use your device during a thunderstorm There may be a remote risk of electric shock from lightning Do NOT expose your device to dampness dust or co...

Page 6: ...y an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of...

Page 7: ...j 5 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel fr 33 0 4 72 52 97 97 www zyxel fr ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France 33 0 4 72 52 19 20 GERMANY support zyxel de 49 2405 6909 0 www zyxel de ZyXEL Deutsc...

Page 8: ...XEL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK sales zyxel co uk 44 0 8702 909091 ftp zyxel co uk a is the prefix number you enter to make an international telephone call METHOD LOCATION SUPPORT E MAIL TELEPHONEA WEB SITE REGULAR MAIL SALES E MAIL FAX FTP SITE ...

Page 9: ...ysical Features 51 1 3 Applications for the ZyWALL 56 1 3 1 Secure Broadband Internet Access via Cable or DSL Modem 56 1 3 2 VPN Application 56 1 3 3 Front Panel LEDs 57 Chapter 2 Introducing the Web Configurator 59 2 1 Web Configurator Overview 59 2 2 Accessing the ZyWALL Web Configurator 59 2 3 Resetting the ZyWALL 60 2 3 1 Procedure To Use The Reset Button 61 2 3 2 Uploading a Configuration Fil...

Page 10: ...3 IPSec Setting IKE Phase 2 87 3 3 4 VPN Status Summary 88 3 3 5 VPN Wizard Setup Complete 91 Chapter 4 LAN Screens 93 4 1 LAN Overview 93 4 2 DHCP Setup 93 4 2 1 IP Pool Setup 93 4 3 LAN TCP IP 93 4 3 1 Factory LAN Defaults 93 4 3 2 IP Address and Subnet Mask 94 4 3 3 RIP Setup 94 4 3 4 Multicast 95 4 4 DNS Servers 95 4 5 Configuring LAN 95 4 6 Configuring Static DHCP 98 4 7 Configuring IP Alias ...

Page 11: ...Supplicants 114 6 12 Configuring Wireless LAN 115 6 12 1 Static WEP 117 6 12 2 WPA PSK 119 6 12 3 WPA 120 6 12 4 802 1x Dynamic WEP 121 6 12 5 802 1x Static WEP 123 6 12 6 802 1x No WEP 124 6 12 7 No Access 802 1x Static WEP 126 6 12 8 No Access 802 1x No WEP 127 6 13 Configuring MAC Filter 127 6 13 1 EAP Authentication Overview 129 Chapter 7 WAN Screens 131 7 1 WAN Overview 131 7 2 Multiple WAN 1...

Page 12: ...nfiguring Advanced Modem Setup 158 Chapter 8 DMZ Screens 161 8 1 DMZ Overview 161 8 2 Configuring DMZ 161 8 3 Configuring IP Alias 163 8 4 DMZ Public IP Address Example 165 8 5 DMZ Private and Public IP Address Example 165 Chapter 9 Firewalls 167 9 1 Firewall Overview 167 9 2 Types of Firewalls 167 9 2 1 Packet Filtering Firewalls 167 9 2 2 Application level Firewalls 167 9 2 3 Stateful Inspection...

Page 13: ...elds For Configuring Rules 181 10 3 3 1 Action 181 10 3 3 2 Service 181 10 3 3 3 Source Address 181 10 3 3 4 Destination Address 181 10 4 Connection Direction Examples 181 10 4 1 LAN To WAN Rules 182 10 4 2 WAN To LAN Rules 182 10 5 Alerts 183 10 6 Configuring Firewall 183 10 6 1 Rule Summary 186 10 6 2 Configuring Firewall Rules 187 10 6 3 Configuring Custom Services 190 10 7 Example Firewall Rul...

Page 14: ... Your ZyXEL Device 220 12 4 Content Filtering Registration 223 12 5 Checking Content Filtering Activation 225 12 6 Updating Product Registration Information 226 12 7 Viewing Content Filtering Reports 226 12 8 Configuration File 228 Chapter 13 Introduction to IPSec 229 13 1 VPN Overview 229 13 1 1 IPSec 229 13 1 2 Security Association 229 13 1 3 Other Terminology 229 13 1 3 1 Encryption 229 13 1 3 ...

Page 15: ...fect Forward Secrecy PFS 242 14 9 X Auth Extended Authentication 242 14 9 1 Authentication Server 242 14 10 Icons Key 243 14 11 IPSec Fields Summary 243 14 12 IKE VPN Rule Summary Screen 244 14 12 1 Configuring an IKE Gateway Policy 245 14 12 2 Configuring an IKE Network Policy 251 14 12 2 1 Associating a Network Policy to a Gateway Policy 255 14 13 Manual VPN Rule Summary Screen 256 14 13 1 Editi...

Page 16: ...tificate Details 287 15 16 Directory Servers 290 15 17 Add or Edit a Directory Server 291 Chapter 16 Authentication Server 293 16 1 Authentication Server Overview 293 16 1 1 Local User Database 293 16 1 2 RADIUS 293 16 2 Configuring Local User Database 293 16 3 Configuring RADIUS 295 Chapter 17 Network Address Translation NAT 297 17 1 NAT Overview 297 17 1 1 NAT Definitions 297 17 1 2 What NAT Doe...

Page 17: ...2 Bandwidth Classes and Filters 325 20 3 Proportional Bandwidth Allocation 326 20 4 Application based Bandwidth Management 326 20 5 Subnet based Bandwidth Management 326 20 6 Application and Subnet based Bandwidth Management 326 20 7 Scheduler 327 20 7 1 Priority based Scheduler 327 20 7 2 Fairness based Scheduler 327 20 8 Maximize Bandwidth Usage 327 20 8 1 Reserving Bandwidth for Non Bandwidth C...

Page 18: ... DYNDNS Wildcard 350 21 10 2 High Availability 350 21 11 Configuring Dynamic DNS 350 Chapter 22 Remote Management 353 22 1 Remote Management Overview 353 22 1 1 Remote Management Limitations 353 22 1 2 Remote Management and NAT 354 22 1 3 System Timeout 354 22 2 Introduction to HTTPS 354 22 3 Configuring WWW 355 22 4 HTTPS Example 357 22 4 1 Internet Explorer Warning Messages 357 22 4 2 Netscape N...

Page 19: ...autions with UPnP 377 23 2 UPnP and ZyXEL 378 23 3 Configuring UPnP 378 23 4 Displaying UPnP Port Mapping 379 23 5 Installing UPnP in Windows Example 380 23 5 1 Installing UPnP in Windows Me 381 23 5 2 Installing UPnP in Windows XP 382 23 6 Using UPnP in Windows XP Example 382 23 6 1 Auto discover Your UPnP enabled Network Device 383 23 6 2 Web Configurator Easy Access 384 Chapter 24 Logs Screens ...

Page 20: ... 10 3 Back to Factory Defaults 412 25 11 Restart Screen 412 Chapter 26 Introducing the SMT 415 26 1 Introduction to the SMT 415 26 2 Accessing the SMT via the Console Port 415 26 2 1 Initial Screen 415 26 2 2 Entering the Password 416 26 3 Navigating the SMT Interface 416 26 3 1 Main Menu 417 26 3 2 SMT Menus Overview 419 26 4 Changing the System Password 421 26 5 Resetting the ZyWALL 422 Chapter ...

Page 21: ...less LAN Setup 445 29 5 1 MAC Address Filter Setup 447 Chapter 30 Internet Access 449 30 1 Introduction to Internet Access Setup 449 30 2 Ethernet Encapsulation 449 30 3 Configuring the PPTP Client 451 30 4 Configuring the PPPoE Client 451 30 5 Basic Setup Complete 452 Chapter 31 DMZ Setup 453 31 1 Configuring DMZ Setup 453 31 2 DMZ Port Filter Setup 453 31 3 TCP IP Setup 453 31 3 1 IP Address 454...

Page 22: ...tup 475 35 2 1 Address Mapping Sets 476 35 2 1 1 SUA Address Mapping Set 476 35 2 1 2 User Defined Address Mapping Sets 477 35 2 1 3 Ordering Your Rules 478 35 3 Configuring a Server behind NAT 480 35 4 General NAT Examples 483 35 4 1 Internet Access Only 483 35 4 2 Example 2 Internet Access with an Default Server 485 35 4 3 Example 3 Multiple Public IP Addresses With Inside Servers 485 35 4 4 Exa...

Page 23: ... 1 Introduction to System Status 511 39 2 System Status 511 39 3 System Information and Console Port Speed 513 39 3 1 System Information 513 39 3 2 Console Port Speed 514 39 4 Log and Trace 515 39 4 1 Viewing Error Log 515 39 4 2 Syslog Logging 516 39 4 3 Call Triggering Packet 519 39 5 Diagnostic 519 39 5 1 WAN DHCP 520 Chapter 40 Firmware and Configuration File Maintenance 523 40 1 Introduction ...

Page 24: ...535 40 5 8 Uploading Firmware File Via Console Port 535 40 5 9 Example Xmodem Firmware Upload Using HyperTerminal 536 40 5 10 Uploading Configuration File Via Console Port 536 40 5 11 Example Xmodem Configuration Upload Using HyperTerminal 537 Chapter 41 System Maintenance Menus 8 to 10 539 41 1 Command Interpreter Mode 539 41 1 1 Command Syntax 539 41 1 2 Command Usage 540 41 2 Call Control Suppo...

Page 25: ...ems Accessing the ZyWALL 565 45 5 1 Pop up Windows JavaScripts and Java Permissions 566 45 5 1 1 Internet Explorer Pop up Blockers 566 45 5 1 2 JavaScripts 569 45 5 1 3 Java Permissions 571 Appendix A Product Specifications 575 Appendix B Removing and Installing a Fuse 581 Appendix C Setting up Your Computer s IP Address 583 Appendix D IP Subnetting 595 Appendix E PPPoE 603 Appendix F PPTP 605 App...

Page 26: ... Appendix L Command Interpreter 657 Appendix M Firewall Commands 659 Appendix N NetBIOS Filter Commands 665 Appendix O Certificates Commands 669 Appendix P Brute Force Password Guessing Protection 673 Appendix Q Boot Commands 675 Appendix R Log Descriptions 677 Index 697 ...

Page 27: ...ulation 79 Figure 16 Internet Access Wizard Setup Complete 81 Figure 17 VPN Wizard Gateway Setting 82 Figure 18 VPN Wizard Network Setting 83 Figure 19 VPN Wizard IKE Tunnel Setting 85 Figure 20 VPN Wizard IPSec Setting 87 Figure 21 VPN Wizard VPN Status 89 Figure 22 VPN Wizard Setup Complete 91 Figure 23 LAN 96 Figure 24 Static DHCP 98 Figure 25 Physical Network Partitioned Logical Networks 99 Fi...

Page 28: ...56 Advanced Setup 159 Figure 57 DMZ 162 Figure 58 DMZ IP Alias 164 Figure 59 DMZ Public Address Example 165 Figure 60 DMZ Private and Public Address Example 166 Figure 61 ZyWALL Firewall Application 169 Figure 62 Three Way Handshake 170 Figure 63 SYN Flood 171 Figure 64 Smurf Attack 172 Figure 65 Stateful Inspection 174 Figure 66 LAN to WAN Traffic 182 Figure 67 WAN to LAN Traffic 183 Figure 68 De...

Page 29: ...ent Filtering Reports Main Screen 227 Figure 102 Global Report Screen Example 228 Figure 103 Requested URLs Example 228 Figure 104 Encryption and Decryption 230 Figure 105 IPSec Architecture 231 Figure 106 Transport and Tunnel Mode IPSec Encapsulation 232 Figure 107 NAT Router Between IPSec Routers 238 Figure 108 Two Phases to Set Up the IPSec SA 240 Figure 109 Gateway and Network Policies 244 Fig...

Page 30: ... Servers Behind NAT Example 308 Figure 145 Port Translation Example 309 Figure 146 Port Forwarding 310 Figure 147 Trigger Port Forwarding Process Example 311 Figure 148 Port Triggering 312 Figure 149 Example of Static Routing Topology 315 Figure 150 IP Static Route 316 Figure 151 Edit IP Static Route 317 Figure 152 Policy Route Summary 320 Figure 153 Edit IP Policy Route 322 Figure 154 Subnet base...

Page 31: ... Configuration on a TCP IP Network 367 Figure 185 Telnet 368 Figure 186 FTP 369 Figure 187 SNMP Management Model 370 Figure 188 SNMP 372 Figure 189 DNS 373 Figure 190 CNM 374 Figure 191 Configuring UPnP 378 Figure 192 UPnP Ports 379 Figure 193 View Log 388 Figure 194 Log Settings 390 Figure 195 Reports 393 Figure 196 Web Site Hits Report Example 394 Figure 197 Protocol Port Report Example 395 Figu...

Page 32: ...mote Node Profile Backup ISP 433 Figure 231 Menu 11 3 1 Remote Node PPP Options 435 Figure 232 Menu 11 3 2 Remote Node Network Layer Options 436 Figure 233 Menu 11 3 3 Remote Node Script 438 Figure 234 Menu 11 3 4 Remote Node Filter 439 Figure 235 Menu 3 LAN Setup 441 Figure 236 Menu 3 1 LAN Port Filter Setup 442 Figure 237 Menu 3 TCP IP and DHCP Setup 442 Figure 238 Menu 3 2 TCP IP and DHCP Ether...

Page 33: ... Individual Rule in a Set 479 Figure 270 Menu 15 2 NAT Server Sets 481 Figure 271 Menu 15 2 1 NAT Server Sets 481 Figure 272 15 2 1 2 NAT Server Configuration 482 Figure 273 Menu 15 2 1 NAT Server Setup 483 Figure 274 Server Behind NAT Example 483 Figure 275 NAT Example 1 484 Figure 276 Menu 4 Internet Access NAT Example 484 Figure 277 NAT Example 2 485 Figure 278 Menu 15 2 1 Specifying an Inside ...

Page 34: ...24 4 System Maintenance Diagnostic 520 Figure 315 WAN LAN DHCP 520 Figure 316 Telnet into Menu 24 5 525 Figure 317 FTP Session Example 526 Figure 318 System Maintenance Backup Configuration 528 Figure 319 System Maintenance Starting Xmodem Download Screen 528 Figure 320 Backup Configuration Example 529 Figure 321 Successful Backup Confirmation Screen 529 Figure 322 Telnet into Menu 24 6 530 Figure...

Page 35: ... Figure 359 Security Settings Java 572 Figure 360 Java Sun 573 Figure 361 WLAN Card Installation 579 Figure 362 Console Dial Backup Port Pin Layout 579 Figure 363 Ethernet Cable Pin Assignments 580 Figure 364 WIndows 95 98 Me Network Configuration 584 Figure 365 Windows 95 98 Me TCP IP Properties IP Address 585 Figure 366 Windows 95 98 Me TCP IP Properties DNS Configuration 586 Figure 367 Windows ...

Page 36: ... Figure 402 Branch Office VPN Rule 637 Figure 403 Headquarters Network Policy Edit 638 Figure 404 Branch Office Network Policy Edit 639 Figure 405 VPN Rule Configured 640 Figure 406 VPN Dial 640 Figure 407 VPN Tunnel Established 640 Figure 408 VPN Log Example 642 Figure 409 IKE IPSec Debug Example 643 Figure 410 Security Certificate 645 Figure 411 Login Screen 646 Figure 412 Certificate General In...

Page 37: ...ure 426 Access the ZyWALL Via HTTPS 654 Figure 427 SSL Client Authentication 655 Figure 428 ZyWALL Secure Login Screen 655 Figure 429 Option to Enter Debug Mode 675 Figure 430 Boot Module Commands 676 Figure 431 Displaying Log Categories Example 693 Figure 432 Displaying Log Parameters Example 694 ...

Page 38: ...ZyWALL 70 User s Guide 38 List of Figures ...

Page 39: ...83 Table 15 VPN Wizard IKE Tunnel Setting 85 Table 16 VPN Wizard IPSec Setting 87 Table 17 VPN Wizard VPN Status 89 Table 18 LAN 96 Table 19 Static DHCP 98 Table 20 IP Alias 100 Table 21 STP Path Costs 104 Table 22 STP Port States 105 Table 23 Bridge 106 Table 24 Wireless Security Relational Matrix 110 Table 25 Wireless No Security 116 Table 26 Wireless Static WEP 118 Table 27 Wireless WPA PSK 119...

Page 40: ...e 58 Creating Editing A Custom Service 190 Table 59 Predefined Services 194 Table 60 Anti Probing 197 Table 61 Firewall Threshold 199 Table 62 Content Filter General 202 Table 63 Content Filter Categories 205 Table 64 Content Filter Customization 212 Table 65 Content Filter Cache 215 Table 66 myZyXEL com Numbers 218 Table 67 VPN and NAT 233 Table 68 ESP and AH 236 Table 69 Local ID Type and Conten...

Page 41: ...Table 103 Port Forwarding 310 Table 104 Port Triggering 312 Table 105 IP Static Route 316 Table 106 Edit IP Static Route 317 Table 107 Policy Route Setup 320 Table 108 Edit IP Policy Route 322 Table 109 Application and Subnet based Bandwidth Management Example 326 Table 110 Maximize Bandwidth Usage Example 328 Table 111 Priority based Allotment of Unused and Unbudgeted Bandwidth Example 328 Table ...

Page 42: ...ress to port Mapping Table 404 Table 149 Device Mode Router Mode 405 Table 150 Device Mode Bridge Mode 406 Table 151 Firmware Upload 408 Table 152 Restore Configuration 410 Table 153 Main Menu Commands 416 Table 154 Main Menu Summary 418 Table 155 SMT Menus Overview 419 Table 156 Menu 1 General Setup Router Mode 423 Table 157 Menu 1 General Setup Bridge Mode 424 Table 158 Menu 1 1 Configure Dynami...

Page 43: ...ss Mapping Rules 477 Table 187 Fields in Menu 15 1 1 478 Table 188 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set 480 Table 189 15 2 1 2 NAT Server Configuration 482 Table 190 Menu 15 3 Trigger Port Setup 492 Table 191 Abbreviations Used in the Filter Rules Summary Menu 499 Table 192 Rule Abbreviations Used 499 Table 193 Menu 21 1 1 1 TCP IP Filter Rule 500 Table 194 Generic Filter ...

Page 44: ...P Address Range By Class 596 Table 227 Natural Masks 596 Table 228 Alternative Subnet Mask Notation 597 Table 229 Two Subnets Example 597 Table 230 Subnet 1 598 Table 231 Subnet 2 598 Table 232 Subnet 1 599 Table 233 Subnet 2 599 Table 234 Subnet 3 599 Table 235 Subnet 4 600 Table 236 Eight Subnets 600 Table 237 Class C Subnet Planning 600 Table 238 Class B Subnet Planning 601 Table 239 IEEE802 11...

Page 45: ...Table 258 Remote Management Logs 683 Table 259 Wireless Logs 684 Table 260 IPSec Logs 684 Table 261 IKE Logs 685 Table 262 PKI Logs 688 Table 263 Certificate Path Verification Failure Reason Codes 689 Table 264 802 1X Logs 690 Table 265 ACL Setting Notes 691 Table 266 ICMP Notes 691 Table 267 Syslog Logs 692 Table 268 RFC 2408 ISAKMP Payload Types 693 ...

Page 46: ...ZyWALL 70 User s Guide 46 List of Tables ...

Page 47: ...configure your ZyWALL Not all features can be configured through all interfaces Related Documentation Supporting Disk Refer to the included CD for support documents Quick Start Guide The Quick Start Guide is designed to help you get up and running right away It contains a detailed easy to follow connection diagram default settings handy checklists and information on setting up your network and con...

Page 48: ...he Enter or carriage return key ESC means the Escape key and SPACE BAR means the Space Bar Mouse action sequences are denoted using a comma For example click the Apple icon Control Panels and then Modem means first click the Apple icon then point your mouse pointer to Control Panels and then click Modem For brevity s sake we will use e g as a shorthand for for instance and i e for that is or in ot...

Page 49: ...DHCP server and many other powerful features The PCMCIA CardBus slot allows you to add a 802 11b g compliant wireless LAN The ZyWALL offers highly secured wireless connectivity to your wired network with IEEE 802 1x WEP data encryption WPA Wi Fi Protected Access and MAC address filtering 1 2 Physical Features LAN Port The 10 100 Mbps auto negotiating Ethernet LAN port allows the ZyWALL to detect t...

Page 50: ...r 100 Mbps in either half duplex or full duplex mode depending on your Ethernet network The ports are also auto crossover MDI MDI X meaning they automatically adjust to either a crossover or straight through Ethernet cable Dial Backup WAN The dial backup port can be used in reserve as a traditional dial up connection when if ever the WAN 1 2 and traffic redirect connections fail Time and Date The ...

Page 51: ...to bridge mode R STP detects and breaks network loops and provides backup links between switches bridges or routers It allows a bridge to interact with other R STP compliant bridges in your network to ensure that only one path exists between any two stations on the network Bandwidth Management Bandwidth management allows you to allocate network resources according to defined policies This policy b...

Page 52: ...wall supports TCP UDP inspection DoS detection and prevention real time alerts reports and logs Content Filtering The ZyWALL can block web features such as ActiveX controls Java applets and cookies as well as disable web proxies The ZyWALL can block or allow access to web sites that you specify The ZyWALL can also block access to web sites containing keywords that you specify You can define time p...

Page 53: ...wed or denied MAC addresses WEP Encryption WEP Wired Equivalent Privacy encrypts data frames before transmitting over the wireless network to help keep network communications private Packet Filtering The packet filtering mechanism blocks unwanted traffic from entering leaving your network Call Scheduling Configure call time periods to restrict and allow access for users on remote nodes PPPoE PPPoE...

Page 54: ...ing IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator Central Network Management Central Network Management CNM allows an enterprise or service provider network administrator to manage your ZyWALL The enterprise or service provider network administrator can configure your ZyWALL per...

Page 55: ...ems that support the DHCP client The ZyWALL can also act as a surrogate DHCP server DHCP Relay where it relays IP address assignment from the actual real DHCP server to the clients Full Network Management The embedded web configurator is an all platform web based utility that allows you to easily access the ZyWALL s management settings and configure the firewall Most functions of the ZyWALL are al...

Page 56: ... to the ZyWALL for broadband Internet access via Ethernet or wireless port on the modem The ZyWALL guarantees not only high speed Internet access but secure internal network protection and traffic management as well Figure 1 Secure Internet Access via Cable DSL or Wireless Modem 1 3 2 VPN Application ZyWALL VPN is an ideal cost effective way to connect branch offices and business partners over the...

Page 57: ...e 2 VPN Application 1 3 3 Front Panel LEDs Figure 3 ZyWALL Front Panel The following table describes the LEDs Table 1 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off Green On The ZyWALL is turned on Red On The power to the ZyWALL is too low ...

Page 58: ...or receiving packets Orange On The ZyWALL has a successful 100Mbps Ethernet connection Flashing The 100M LAN is sending or receiving packets WAN1 2 10 100 Off The WAN connection is not ready or has failed Green On The ZyWALL has a successful 10Mbps WAN connection Flashing The 10M WAN is sending or receiving packets Orange On The ZyWALL has a successful 100Mbps WAN connection Flashing The 100M WAN ...

Page 59: ...b pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the Troubleshooting chapter if you want to make sure these functions are allowed in Internet Explorer 2 2 Accessing the ZyWALL Web Configurator 1 Make sure your ZyWALL hardware is properly connected and prepare your computer computer network to connect to t...

Page 60: ...es out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into the ZyWALL if this happens to you 2 3 Resetting the ZyWALL If you forget your password or cannot access the web configurator you will need to reload the factory default configuration file or use the RESET button on the back of the ZyWALL Uploading this configuration file re...

Page 61: ...it for the ZyWALL to finish restarting 2 3 2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site unzip it and save it in a folder 2 Turn off the ZyWALL begin a terminal emulation software session and turn on the ZyWALL again When you see the message Press Any key to enter Debug Mode within 3 seconds press any key to enter debug mode 3 E...

Page 62: ...s you see in the HOME screen or click the icon lo The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen 2 4 1 Router Mode The following screen displays when the ZyWALL is set to router mode The ZyWALL is set to router mode by default Figure 7 Web Configurator HOME Screen in Router Mode Use submenus to configure ZyWALL features Click LOGOUT at any time to e...

Page 63: ...ong with the difference from the Greenwich Mean Time GMT zone The difference from GMT is based on the time zone It is also adjusted for Daylight Saving Time if you set the ZywALL to use it Memory The first number shows how many kilobytes of the heap memory the ZyWALL is using Heap memory refers to the memory that is not used by ZyNOS ZyXEL Network Operating System and is thus available for running...

Page 64: ...it displays the port speed and duplex setting if you re using Ethernet encapsulation and Down line is down or not connected Idle line ppp idle Dial starting to trigger a call or Drop dropping a call if you re using PPPoE encapsulation For the WLAN port it displays Active when WLAN is enabled or Inactive when WLAN is disabled IP Address This shows the port s IP address Subnet Mask This shows the po...

Page 65: ...Gateway IP Address This is the gateway IP address Rapid Spanning Tree Protocol This shows whether RSTP Rapid Spanning Tree Protocol is active or not The following labels or values relative to RSTP do not apply when RSTP is disabled Bridge Priority This is the bridge priority of the ZyWALL Bridge Hello Time This is the interval of BPDUs Bridge Protocol Data Units from the root bridge Bridge Max Age...

Page 66: ...active on the corresponding port RSTP Priority This is the RSTP priority of the corresponding port RSTP Path Cost This is the cost of transmitting a frame from the root bridge to the corresponding port Show Statistics Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port including WAN1 WAN2 LAN DMZ and WLAN Table ...

Page 67: ... to configure load balancing route priority and traffic redirect properties WAN1 Use this screen to configure ZyWALL WAN1 port for internet access WAN2 Use this screen to change your WAN2 port settings Traffic Redirect Use this screen to configure your traffic redirect properties and parameters Dial Backup Use this screen to configure the backup WAN dial up connection DMZ DMZ Use this screen to co...

Page 68: ... Mapping Use this screen to configure network address translation mapping rules Port Forwarding Use this screen to configure servers behind the ZyWALL Port Triggering Use this screen to change your ZyWALL s port triggering settings STATIC ROUTE IP Static Route Use this screen to configure IP static routes POLICY ROUTE Policy Rout Summary Use this screen to view a summary list of all the policies a...

Page 69: ...n to enable UPnP on the ZyWALL Ports Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL LOGS View Log Use this screen to view the logs for the categories that you selected Log Settings Use this screen to change your ZyWALL s log settings Reports Use this screen to have the ZyWALL record and display the network usage reports MAINTENANCE General This screen contains a...

Page 70: ...ulation and Down line is down Idle line ppp idle Dial starting to trigger a call or Drop dropping a call if you re using PPPoE encapsulation TxPkts This is the number of transmitted packets on this port RxPkts This is the number of received packets on this port Tx B s This displays the transmission speed in bytes per second on this port Rx B s This displays the reception speed in bytes per second ...

Page 71: ... set to router mode Read only information here relates to your DHCP status The DHCP table shows current DHCP client information including IP Address Host Name and MAC Address of all network clients using the ZyWALL s DHCP server Table 7 Home Show Statistics Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen Port Select the check box es to display the throughput st...

Page 72: ... Host Name This field displays the computer host name MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory This address follows an industry standard that ensures no other adapter has a similar a...

Page 73: ...tion name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase ZyWALL processing requirements and communications latency delay Poll Interval s Enter the time interval for refreshing statistics in this field Set Interval Click this button to apply the new poll interval you en...

Page 74: ...ZyWALL 70 User s Guide 74 Chapter 2 Introducing the Web Configurator ...

Page 75: ...iations depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information 3 2 1 ISP Parameters The ZyWALL offers three choices of encapsulation They are Ethernet PPTP or PPPoE The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field 3 2 1...

Page 76: ... is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field ...

Page 77: ...data networks It preserves the existing Microsoft Dial Up Networking experience and requires no new learning or procedures Figure 14 ISP Parameters PPPoE Encapsulation First DNS Server Second DNS Server Enter the DNS server s IP address es in the field s to the right Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP add...

Page 78: ... User Name Type the user name given to you by your ISP Password Type the password associated with the user name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server The default time is 100 seconds ...

Page 79: ...capsulation Select PPTP from the drop down list box To configure a PPTP client you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed ...

Page 80: ...c:id and n:name format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem. WAN IP Address Assignment: IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static. My WAN IP Address: E...

Page 81: ... 3 VPN Wizard. Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. Click VPN Wizard in the HOME screen to open the screen as shown and have the quick and initial VPN configuration. ...

Page 82: ...e is set to Active/Active, the ZyWALL uses the IP address (static or dynamic) of the primary (highest priority) WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN port. If both WAN connections go down, the ZyWALL uses the dial backup IP address for the VPN tunne...

Page 83: ...erty: Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel. Name: Type up to 32 characters to identify this VPN network policy. You may use any character (including spaces), but the ZyWALL drops trailing spaces. ...

Page 84: ...Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask. Starting IP Address: When the Remote Network field is configured to Single, enter a static IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning static IP addre...

Page 85: ...rypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. ...

Page 86: ... pre-shared because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal (0-9, A-F) characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the k...

Page 87: ...ct the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit k...

Page 88: ...e the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random ...

Page 89: ...le 17 VPN Wizard: VPN Status. LABEL / DESCRIPTION. Gateway Policy Property: Name: This is the name of this VPN gateway policy. Gateway Policy Setting: My ZyWALL: This is the WAN IP address or the domain name of your ZyWALL. Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router. Network Policy Property ...

Page 90: ...is shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES or AES. Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. Key Group: This is the key group you chose for phase 1 IKE...

Page 91: ...70 User's Guide, Chapter 3 Wizard Setup, 91. 3.3.5 VPN Wizard Setup Complete. Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL. Figure 22 VPN Wizard Setup Complete ...

Page 93: ...it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured. 4.2.1 IP Pool Setup. The ZyWALL is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addr...

Page 94: ...254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number, while the last number identifies an individual computer on that network. Once you have decided on the network number, pick an IP address that is easy to remember (for instance, 192.168.1.1) for your ZyWALL, but make sure that no other device on your netwo...

Page 95: ...till in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for ...

Page 96: ...et mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP Direction: RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both, In Only, Out Only, None. When...

Page 97: ...d DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured. IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool. Pool Size: This field ...

Page 98: ...gs, click LAN, then the Static DHCP tab. The screen appears as shown. Figure 24 Static DHCP. The following table describes the labels in this screen. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 18 LAN (continued): LABEL / DESCRIPTION. Table 19 Static DHCP: LABEL / DESCRIPTION. This is the index number of the Static IP table entry (row). MA...

Page 99: ...IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). Note: Make sure that the subnets of the logical networks do not overlap. The following figure shows a LAN divided into subnets A, B and C. Figure 25 Physical Network / Partitioned Logical Networks. To change your ZyWALL's IP alias settings, click LAN, then the IP Alias tab. The screen appears as shown...

Page 100: ...e. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes...

Page 101: ...ZyWALL 70 User's Guide, Chapter 4 LAN Screens, 101. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 20 IP Alias: LABEL / DESCRIPTION ...

Page 103: ...ample shows the network topology that can lead to this problem. If your ZyWALL (in bridge mode) is connected to a wired LAN while communicating with another bridge or a switch that is also connected to the same wired LAN, as shown next. Figure 27 Bridge Loop: Bridge Connected to Wired LAN. To prevent bridge loops, ensure that your ZyWALL is not set to bridge mode while connected to two wired segments of t...

Page 104: ...ort on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network. For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN. 5.2.3 How STP Works. After a bridge determines the lowest cost spanning tree with...

Page 105: ... A bridge port is not allowed to go directly from blocking state to forwarding state, so as to eliminate transient loops. 5.3 Configuring Bridge. Select Bridge and click Apply in the MAINTENANCE Device Mode screen to have the ZyWALL function as a bridge. To change your ZyWALL's bridge settings, click BRIDGE. The screen appears as shown. Table 22 STP Port States: PORT STATE / DESCRIPTION. Disabled: STP is disa...

Page 106: ...teway IP Address: Enter the gateway IP address. First / Second / Third DNS Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for content...

Page 107: ...Delay: Enter the length of time (between 4 and 30) in seconds that a bridge remains in the listening and learning port states. The default is 15 seconds. Bridge Port: This is the bridge port type. Port types are WAN, LAN, WLAN and DMZ. RSTP Active: Select the check box to enable RSTP on the corresponding port. RSTP Priority (0 Highest, 240 Lowest): Enter a number between 0 and 240 as RSTP priority for the corresp...

Page 109: ...computer with an IEEE 802.11b wireless LAN card. A computer equipped with a web browser (with JavaScript enabled) and/or Telnet. A wireless station must be running IEEE 802.1x-compliant software. Currently this is offered in Windows XP. An optional network RADIUS server for remote user authentication and accounting. 6.2 Wireless Security. Wireless security is vital to your network to protect wireless comm...

Page 110: ...should configure for each Authentication Method / key management protocol type. You enter manual keys by first selecting 64-bit WEP or 128-bit WEP from the WEP Encryption field and then typing the keys (in ASCII or hexadecimal format) in the key text boxes. MAC address filters are not dependent on how you configure these security features. Table 24 Wireless Security Relational Matrix: AUTHENTICATION METHO...

Page 111: ...mic WEP Key Exchange. The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys h...

Page 112: ...128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes ...

Page 113: ...nd all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols). 2. The AP checks each client's password and only allows it to join the network if it matches its password. 3. The AP derives and distributes keys to the wireless clients. 4. The AP and wireless clients use the TKIP encryption process to encrypt data exchanged between them. Figure...

Page 114: ...DIUS server then checks the user's identification against its database and grants or denies network access accordingly. 3. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP a...

Page 115: ...AN. Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL's ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyWALL's new settings. Click WIRELESS LAN to open the Wireless screen. The screen varies according to the security featu...

Page 116: ...t with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same ESSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. Hide ESSID: Select to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning. Channel ID: This allows you to set the operating frequency cha...

Page 117: ... box: No Security, Static WEP, WPA-PSK, WPA, 802.1x + Dynamic WEP, 802.1x + Static WEP, 802.1x + No WEP, No Access 802.1x + Static WEP, No Access 802.1x + No WEP. Select No Security to allow wireless stations to communicate with the access points without any data encryption. Otherwise, select the security you need and see the following sections for more information. Note: The installed ZyXEL WLAN card may not support all...

Page 118: ...encryption. Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters (0-9, A-F) preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters (0-9, A-F) preceded by 0x for each key. There are four data encryption keys to secure your data from...

Page 119: ...assword instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). ReAuthentication Timer (Seconds): Specify how often wireless stations have to reenter user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. If wireless station authentication is done using a RADIUS server, the reaut...

Page 120: ...rver (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the WPA Group Key Update Timer is also supported in WPA-PSK mode. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen af...

Page 121: ...lly disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Authentication Databases: Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server. WPA Group Key Update Timer (Seconds): The WPA Group Key Update Tim...

Page 122: ...the RADIUS server has priority. Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Authentication Databases: Click Local User to go to the Local User Database screen where you can view and/or edit the list of ...

Page 123: ...ilable when you select 802.1x + Static WEP in the Security drop-down list box. Table 30 Wireless: 802.1x + Static WEP: LABEL / DESCRIPTION. Security: Select 802.1x + Static WEP from the drop-down list. WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit WEP or 128-bit WEP to enable ...

Page 124: ...tions have to reenter user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station ...

Page 125: ...authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Authentication Databases: Click Local User to go to...

Page 126: ... 1x + Static WEP. The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop-down list box. Table 32 Wireless: No Access 802.1x + Static WEP: LABEL / DESCRIPTION. Security: Select No Access 802.1x + Static WEP from the drop-down list. WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations fro...

Page 127: ...the devices to configure this screen. To change your ZyWALL's MAC filter settings, click WIRELESS LAN, then the MAC Filter tab. The screen appears as shown. Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters (0-9, A-F) preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characte...

Page 128: ...iation: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow to permit access to the router; MAC addresses not listed will be denied access to the router. This is the index number of the MAC address. User Name: Enter a descriptive name for the MAC addres...

Page 129: ...yWALL supports EAP-MD5 (Message Digest Algorithm 5) with the local user database. The following figure shows an overview of authentication when you specify a RADIUS server on your access point. Figure 41 EAP Authentication. The details below provide a general description of how IEEE 802.1x EAP authentication works. The wireless station sends a start message to the ZyWALL. The ZyWALL sends a request ident...

Page 131: ...r IP calls through this kind of connection. Other traffic could be routed through a cheaper broadband Internet connection that does not provide priority service. If one WAN port's connection goes down, the ZyWALL can automatically send its traffic through the other WAN port. See Chapter 19 on page 319 for details. The ZyWALL's NAT feature allows you to configure sets of rules for one WAN port and separ...

Page 132: ...ZyWALL refers to the actual bandwidth provided by the ISP, and the measured bandwidth refers to the bandwidth an interface is currently using. 7.4.1 Least Load First. The least load first algorithm uses the current (or recent) outbound and/or inbound bandwidth utilization of each WAN interface as the load balancing index(es) when making decisions about to which WAN interface a new LAN-originated sess...

Page 133: ... and inbound bandwidth utilization in calculating the load balancing index. If the measured inbound stream throughput for both WAN 1 and WAN 2 is 102K, the ZyWALL calculates the average load balancing indices as shown in the table below. Since WAN 1 has a smaller load balancing index (meaning that it is less utilized than WAN 2), the ZyWALL will send the next new session traffic through WAN 1. Table 34 L...

Page 134: ... Weighted Round Robin Algorithm Example. 7.4.3 Spillover. With the spillover load balancing algorithm, the ZyWALL sends network traffic to the primary interface until the maximum allowable load is reached, then the ZyWALL sends the excess network traffic of new sessions to the secondary WAN interface. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary ...

Page 135: ... WAN port routes must always be higher than the dial backup and traffic redirect route priorities. For example, let's say that you have the WAN operation mode set to active/passive and the WAN 1 route has a metric of 2, the WAN 2 route has a metric of 3, the traffic redirect route has a metric of 14 and the dial backup route has a metric of 15. In this case, the WAN 1 route acts as the primary default ro...

Page 136: ...ZyWALL 70 User's Guide, 136, Chapter 7 WAN Screens. Figure 45 WAN General ...

Page 137: ...Refer to Section 7.7 on page 138 for load balancing configuration. Route Priority: WAN1 / WAN2 / Traffic Redirect / Dial Backup: The default WAN connection is 1, as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. The ZyWALL switches from WAN port 1 to WAN port 2 if WAN port 1's connection fails, and then back to WAN port 1 when WAN port 1's connection co...

Page 138: ...ing this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces. Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enabl...

Page 139: ...sing the average bandwidth in the specified time interval. Enter the time interval between 10 and 600 seconds. Load Balancing Index(es): Specify the direction of the traffic utilization you want the ZyWALL to use in calculating the load balancing index. Select Outbound Only, Inbound Only or Outbound + Inbound. Interface: This field displays the name of the WAN interface (WAN1 and WAN2). Available Inbound Bandw...

Page 140: ...e primary and secondary WANs. By default, WAN1 is the primary WAN and WAN2 is the secondary WAN. Table 38 Load Balancing: Weighted Round Robin: LABEL / DESCRIPTION. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL. Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box. Interface: This field displays the name of...

Page 141: ...Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL. Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box. Time Frame: You can set the ZyWALL to get the measured bandwidth using the average bandwidth in the specified time interval. Enter the time interval between 10 and 600 seconds. Send traffic to secondary WAN w...

Page 142: ... 1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields. 2. If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP. 3. You can manually enter the IP add...

Page 143: ... differs by the encapsulation. Note: The WAN1 and WAN2 IP addresses must be on different subnets. The warning message "Warning No NAT rule configured in system" appears in the status bar when NAT is set to use Full Feature address mapping rules, but there are no NAT address mapping rules configured. 7.8.1 Ethernet Encapsulation. The screen shown next is for Ethernet encapsulation. ...

Page 144: ...oose the Ethernet option when the WAN port is used as a regular Ethernet. Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type. User Name: Type the user name given to you by your ISP. Passw...

Page 145: ...is field if you selected Use Fixed IP Address. Gateway IP Address: Enter the gateway IP address (if your ISP gave you one) in this field if you selected Use Fixed IP Address. Advanced Setup: Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example, a private IP address used in a local network) to a dif...

Page 146: ... will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, the RIP Version field is set to RIP-1. Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network layer protocol used to establish membership in a Multicast group; it is not used to carry user data. Multicast V...

Page 147: ...broadband modem at the customer site. By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LAN's computers will have access. Refer to Appendix E on page 603 for more information on PPPoE. The screen shown next is for PPPoE encapsulation. Figu...

Page 148: ...me above. Retype to Confirm: Type your password again to make sure that you have entered it correctly. Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP: Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP: Your ZyWALL accepts CHAP only. PAP: Your ZyWALL accepts PAP only. Nailed-Up: Select Nailed-Up if you ...

Page 149: ... also. By default, the RIP Version field is set to RIP-1. Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network layer protocol used to establish membership in a Multicast group; it is not used to carry user data. Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session layer protocol used to establi...

Page 150: ... data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation. Refer to Appendix F on page 605 for more information on PPTP. Figure 51 WAN: PPTP Encapsulation ...

Page 151: ... list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP: Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP: Your ZyWALL accepts CHAP only. PAP: Your ZyWALL accepts PAP only. Nailed-Up: Select Nailed-Up if you do not want the connection to time out. Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically...

Page 152: ...hines, since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, the RIP Version field is set to RIP-1. Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network layer protocol used to establish m...

Page 153: ...n page 623 when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyWALL firewall rule that forwards packets from the protected LA...

Page 154: ...Table 45 Traffic Redirect: LABEL / DESCRIPTION. Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down. Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates. Apply: Click Apply to save your changes back ...

Page 155: ...ZyWALL 70 User's Guide, Chapter 7 WAN Screens, 155. Figure 55 Dial Backup Setup ...

Page 156: ... manual of your WAN device connected to your Dial Backup port for specific AT commands. Advanced Modem Setup: Click Edit to display the Advanced Setup screen and edit the details of your dial backup setup. TCP/IP Options: Get IP Address Automatically from Remote Server: Type the login name assigned by your ISP for this remote node. Use Fixed IP Address: Select this check box if your ISP assigned you a f...

Page 157: ... Protocol). IGMP is a network layer protocol used to establish membership in a Multicast group; it is not used to carry user data. Multicast Version: Select IGMP-v1 or IGMP-v2. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see ...

Page 158: ... the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. 7.12.3 Response Strings. The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation...

Page 159: ...ime. Answer: Type the AT Command string to answer a call. Drop DTR When Hang Up: Select this check box to have the ZyWALL drop the DTR (Data Terminal Ready) signal after the AT Command String: Drop is sent out. AT Response Strings: CLID: Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the ZyWALL capture the CLID in the AT response string that comes fro...

Page 160: ...rying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout (sec): Type the number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation. Call Back Delay (sec): Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback cal...

Page 161: ...mation off of the public servers connected to the DMZ port. Store sensitive information on LAN computers. 8.2 Configuring DMZ. The DMZ and the connected computers can have private or public IP addresses. When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix D on page 595 for information on IP subnetting. If you do not configur...

Page 162: ...et to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (i...

Page 163: ...rk layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. Windows Networking (NetBIOS over TCP/IP): A...

Page 164: ...None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recogni...

Page 165: ...Example. 8.5 DMZ Private and Public IP Address Example: The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d, for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet. The p...

Page 166: ...(Chapter 8 DMZ Screens) Configure both DMZ and DMZ IP alias to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses. Figure 60 DMZ Private and Public Address Example ...

Page 167: ...wall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information security policy. In addition, specific policies must be implemented within the firewall itself. 9.2 Types of Firewalls: There are three main types of firewalls: 1. Packet Filtering Firewalls; 2. Application-level Firewalls; 3. Stateful Inspection Firewalls. 9.2.1 Packet Filter...

Page 168: ...me proxies support. See Section 9.5 on page 173 for more information on Stateful Inspection. Firewalls of one type or another have become an integral part of standard security solutions for enterprises. 9.3 Introduction to ZyXEL's Firewall: The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web co...

Page 169: ...extension number, called the TCP port or UDP port, identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by default uses TCP port 80. When computers communicate on the Internet, they are using the client/server model, where the server listens on a specific TCP/UDP port for information requests from remote client computers on the network. For exam...

Page 170: ...agment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non-fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot. Weaknesses in the TCP/IP sp...

Page 171: ...target system tries to respond to itself. A brute-force attack, such as a Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of ...

Page 172: ...owing ICMP types trigger an alert. 9.4.2.2 Illegal Commands (NetBIOS and SMTP): The only legal NetBIOS commands are the following; all others are illegal. Table 51 ICMP Commands That Trigger Alerts: 5 REDIRECT; 13 TIMESTAMP_REQUEST; 14 TIMESTAMP_REPLY; 17 ADDRESS_MASK_REQUEST; 18 ADDRESS_MASK_REPLY. Table 52 Legal NetBIOS Commands: MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE ...

Page 173: ...allowed through the router or firewall. The ZyWALL blocks all IP Spoofing attempts. 9.5 Stateful Inspection: With stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access some outside service, the proxy server remembers things about your original request, like the port number and source and destination addresses. This "remembering" i...

Page 174: ...information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, then the setting in the Firewall Default Rule screen determines the action for this packet. 4. Based on the obtained state information, a firewall rule creates a temporary access list entr...

Page 175: ...rules work by evaluating the network traffic's Source IP address, Destination IP address and IP protocol type, and comparing these to rules set by the administrator. Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test chan...

Page 176: ...situation exists for ICMP, except that the ZyWALL is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too littl...

Page 177: ...with specific peers and protect by configuring rules to block packets for the services at specific interfaces. 6. Protect against IP spoofing by making sure the firewall is active. 7. Keep the firewall in a secured (locked) room. 9.7 Packet Filtering Vs Firewall: Below are some comparisons between the ZyWALL's filtering and firewall functions. 9.7.1 Packet Filtering: The router filters packets as they pass ...

Page 178: ...ork session rather than control individual packets in a session. The firewall provides e-mail service to notify you of routine reports and when alerts occur. 9.7.2.1 When To Use The Firewall: 1. To prevent DoS attacks and prevent hackers cracking your network. 2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better ...

Page 179: ...or firewall CLI commands. 10.2 Firewall Policies Overview: Firewall rules are grouped based on the direction of travel of packets to which they apply. Note: The LAN includes both the LAN port and the WLAN. By default, the ZyWALL's stateful packet inspection allows packets traveling in the following directions: LAN to LAN/ZyWALL: This allows computers on the LAN to manage the ZyWALL and communicate between...

Page 180: ...ic hosts on the LAN. Allow everyone except your competitors to access a Web server. Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyWALL's default rules. 10.3...

Page 181: ...y existing rules. Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens. 10.3.3 Key Fields For Configuring Rules: 10.3.3.1 Action: Should the action be to Block or Forward? Note: "Block" means the firewall silently discards the packet. 10.3.3.2 Service: Select the service from the Service scrolling list box...

Page 182: ...d DMZ to DMZ/ZyWALL policies apply in the same way to the WAN and DMZ ports. 10.4.1 LAN To WAN Rules: The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. See the following figure. Figure 66 LAN to WAN Traffic. 10.4.2...

Page 183: ...when a rule is matched in the Edit Rule screen (see Figure 71 on page 188). Configure the Log Settings screen to have the ZyWALL send an immediate e-mail message to you when an event generates an alert. Refer to the chapter on logs for details. 10.6 Configuring Firewall: Click FIREWALL to open the Default Rule screen. Enable or activate the firewall by selecting the Enable Firewall check box as seen in ...

Page 184: ...this problem. Packet Direction: This is the direction of travel of packets (LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, WAN to LAN, WAN to WAN/ZyWALL, WAN to DMZ, DMZ to LAN, DMZ to WAN or DMZ to DMZ/ZyWALL). Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to LAN/ZyWALL means packets traveling from a computer/subnet on the LAN to either another comput...

Page 185: ...N to DMZ, DMZ to LAN, DMZ to WAN or DMZ to DMZ/ZyWALL. Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to LAN/ZyWALL means packets traveling from a computer/subnet on the LAN to either another computer/subnet on the LAN interface of the ZyWALL or the ZyWALL itself. Action: Use the drop-down list boxes to select whether to Block (silently discard...

Page 186: ...to LAN, WAN to DMZ, DMZ to DMZ/ZyWALL, DMZ to LAN or DMZ to WAN) for which you want to configure firewall rules. Default Policy: This field displays the default action and log policy you selected in the Default Rule screen for the packet direction shown in the field above. The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction ...

Page 187: ...irewall silently discards the packet. Schedule: This field tells you whether a schedule is specified (Yes) or not (No). Log: This field shows you whether a log is created when packets match this rule (Enabled) or not (Disable). Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched. Modify: Click the edit icon to go to the screen where you can edit the rule. Click t...

Page 188: ...(Chapter 10 Firewall Screens) Figure 71 Creating/Editing A Firewall Rule ...

Page 189: ...s available. Highlight a service from the Available Services box on the left, then click to add it to the Selected Service(s) box on the right. To remove a service, highlight it in the Selected Service(s) box on the right, then click. Custom Service: Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services. Edit: Select a custo...

Page 190: ...le Firewall Rule: The following Internet firewall rule example allows a hypothetical "My Service" connection from the Internet. Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving. Table 57 Creating/Editing A Firewall Rule (LABEL / DESCRIPTION). Table 58 Creating/Editing A Custom Service (LABEL / DESCRIPTION): Service Name: Enter a unique ...

Page 191: ...2. In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. 3. Click Insert to display the firewall rule configuration screen. 4. Select Any in the Destination Address box and then click Delete. 5. Configure the destination address screen as follows and click Add ...

Page 192: ...igure it as follows and click Apply. Figure 75 Edit Custom Service Example. 7. In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Note: Custom services show up with an before their names in the Services list box and the Rule Summary list box. Click Apply after you've created your custom service ...

Page 193: ...(Chapter 10 Firewall Screens) Figure 76 My Service Rule Configuration ...

Page 194: ...defines the service. Note that there may be more than one IP protocol type. For example, look at the default configuration labeled DNS: UDP/TCP 53 means UDP port 53 and TCP port 53. Custom services may also be configured using the Custom Services function discussed previously. Table 59 Predefined Services (SERVICE / DESCRIPTION): AIM/New ICQ (TCP 5190): AOL's Internet Messenger service, used as a listening port ...

Page 195: ...ernet Group Multicast Protocol is used when sending packets to a specific group of hosts. NetBIOS (TCP/UDP 137 139 45): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. NEWS (TCP 144): A protocol for news groups. NFS (UDP 2049): Network File System (NFS) is a client/server distributed file service that provides transparen...

Page 196: ...25): Simple Mail Transfer Protocol is the message exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP (TCP/UDP 161): Simple Network Management Program. SNMP-TRAPS (TCP/UDP 162): Traps for use with the SNMP (RFC 1215). SQL-NET (TCP 1521): Structured Query Language is an interface to access data on many different types of database systems, including mainframes...

Page 197: ...th incoming LAN and WAN and DMZ Ping requests. Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyWALL by probing for unused ports. If you select this option, the ZyWALL will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyWALL unseen. By default this option is not selected and the ZyWALL will reply with ...

Page 198: ...bsolute number or measured as the arrival rate, could indicate that a Denial of Service attack is occurring. The ZyWALL measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions ...

Page 199: ...nection requests to the host, giving the server time to handle the present connections. The ZyWALL continues to block all new connection requests until the Blocking Time expires. The ZyWALL also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click the FIREWALL link and then the Threshold tab to bring up t...

Page 200: ...onnection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number. The above values (say, 80 in the Maximum Incomplete Low field and 100 in this field) cause the ZyWALL to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions when the number of existing half-open sessions drop...

Page 201: ...1.2 Create a Filter List: You can select categories, such as pornography or racial intolerance, to block from a pre-defined list. 11.1.3 Customize Web Site Access: You can specify URLs to which the ZyWALL blocks access. You can alternatively block access to all URLs except ones that you specify. You can also have the ZyWALL block access to URLs that contain key words that you specify. 11.2 General Content...

Page 202: ...estrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java: Java is a programm...

Page 203: ...ess Message: Enter a message to be displayed when a user tries to access a restricted web site. The default message is "Please contact your network administrator". Exempt Computers: Enforce content filter policies for all computers: Select this checkbox to have all users on your LAN follow content filter policies (default). Include specified address ranges in the content filter enforcement: Select this check...

Page 204: ...well as view those web site addresses (see Section 11.7 on page 215). All of the web site address records are also cleared from the local cache when the ZyWALL restarts. 4. If the ZyWALL has no record of the web site, it will query the external content filtering database and simultaneously send the request to the web server. The external content filtering database may change a web site's category or cate...

Page 205: ...to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page. Matched Web Pages: Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message tha...

Page 206: ...quested web page based on the setting in the Block When Content Filter Server Is Unavailable field. Select Categories: Select All Categories: Select this check box to restrict access to all site categories listed below. Clear All Categories: Select this check box to clear the selected categories below. Adult/Mature Content: Selecting this category excludes pages that contain material of adult nature that...

Page 207: ...n the basis of race, religion, gender, nationality, ethnic origin or other characteristics. Weapons: Selecting this category excludes pages that sell, review or describe weapons such as guns, knives or martial arts devices, or provide information on their use, accessories or other modifications. It does not include pages that promote collecting weapons, or groups that either support or oppose weapons use. Abor...

Page 208: ...services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities. Military: Selecting this category excludes pages that promote or provide information on military branches or armed services. Political/Activist Groups: Selecting this category excludes pages sponsored by or which provide information on political parties, special intere...

Page 209: ...that can be classified in other categories, such as vehicles or weapons. Auctions: Selecting this category excludes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements. Real Estate: Selecting this category excludes pages that provide information on renting, buying or selling real estate or properties. Society/Lifestyle: Selecting thi...

Page 210: ...ng this category excludes pages of organizations that provide top-level domain pages, as well as web communities or hosting services. Advanced/Basic: Click Advanced to see an expanded list of categories, or click Basic to see a smaller list. Test Web Site Attribute: Test if Web site is blocked: You can check whether or not the content filter currently blocks any given web page. Enter a web site URL in the...

Page 211: ...se. You can use a trial application or register your iCard's PIN. Refer to the web site's on-line help for details. Note: The web site displays a "registration successful" web page. It may take up to another ten minutes for content filtering to be activated. See Section 12.7 on page 226 for how to check the content filtering activation. You can manage your registration status or view content filtering repo...

Page 212: ...nabled and disabled without re-entering these site names. Disable all Web traffic except for trusted Web sites: When this box is selected, the ZyWALL only allows Web access to sites on the Trusted Web Site list. If they are chosen carefully, this is the most effective way to block objectionable material. Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites: When this box is selected, the ZyWALL...

Page 213: ...that is, do not include "http". All subdomains are allowed. For example, entering "bad-site.com" also blocks "www.bad-site.com", "partner.bad-site.com", "press.bad-site.com", etc. Forbidden Web Sites: This list displays the forbidden web sites already added. Add: Click this button when you have finished adding the host name in the text field above. Delete: Select a web site name from the Forbidden Web Site List and then...

Page 214: ...hes for keywords within www.zyxel.com.tw. 11.6.2 Full Path URL Checking: Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news. Use the ip urlfilter customize actionFlags 6 disable/enable command to extend or not extend ...

Page 215: ...so remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site's category has been changed. Figure 84 Content Filter Cache. The following table describes the labels in this screen. Table 65 Content Filter Cache (LABEL / DESCRIPTION): URL Cache Setup: Maxim...

Page 216: ...RLs before the URLs to which access was allowed. Point the triangle down to display the URLs to which access was allowed before the blocked URLs. URL: This is a web site's address that the ZyWALL previously checked with the external content filtering database. Port: This is the service port number for which access was requested. Remaining Time (hour): This is the number of hours left before the URL entry i...

Page 217: ...ker on the rear side of your device identify it. You need to register separately for each device on which you wish to enable content filtering. When registering, you need to enter a PIN (see your iCard). Be sure to buy the correct iCard for your device. If you wish to try content filtering before buying an iCard, then fill in the trial application for a free 30-day trial. Content filtering reports are gene...

Page 218: ...user name and password by clicking the hyperlink as shown in the next screen. Figure 85 myZyXEL.com Login Screen. 3. Fill in the required fields and click Submit. Table 66 myZyXEL.com Numbers (TYPES / DESCRIPTION): Serial Number: You need the serial number to register your ZyXEL device. Locate the serial number on your ZyXEL device. Authentication Code: This is the LAN MAC address of your ZyXEL device. You nee...

Page 219: ...Figure 86 myZyXEL.com Account Registration. 4. A screen appears indicating you have created an account at myZyXEL.com. Figure 87 Account Registration Successful. 5. You will receive a confirmation e-mail. Click the URL in the e-mail to activate your account ...

Page 220: ...count Confirmation E-Mail. 6. Click Continue to go to the myZyXEL.com login screen. Figure 89 myZyXEL.com Account Activation. 12.3 Registering Your ZyXEL Device: 1. After you have created a myZyXEL.com account, log in and register your ZyXEL device by clicking the hyperlink as shown in the next screen ...

Page 221: ...product serial number in the Serial Number field. 4. Your device category and model number may automatically display in the Category and Model fields respectively. Otherwise, select the correct ones from the drop-down list boxes. 5. Enter the device MAC address in the Authentication Code field. 6. Enter a descriptive name in the Friendly Name field for identifying your device. 7. Click Register. Click here ...

Page 222: ...92 Add New Product. 8. Specify the purchase information and click Continue. Figure 93 Product Survey. 9. Click Continue again. 10. After you have registered your ZyXEL device, you can view its registration details in the screen shown next. Your ZyXEL device MAC address may already be entered here ...

Page 223: ...egister button. The following screen opens. 2. Enter the user name and password from your myZyXEL.com account (see Figure 85 on page 218). 3. After you register your ZyXEL device, click My Product in the navigation panel. 4. Click the product name link for your device to view its registration details in the Service Management screen. Figure 95 myZyXEL.com My Product. 5. Click Activate for the content filtering...

Page 224: ...k Submit under Content Filtering Trial to register for a 30-day trial period. With the trial registration, content filtering functions for 30 days beginning from the date you apply for the trial. After the trial, you cannot apply for another trial. If you've already registered an iCard's PIN number, then you also cannot apply for a trial. If you have applied for a trial, you can still register the PIN cod...

Page 225: ...m. 12.5 Checking Content Filtering Activation: After you register for content filtering, the web site displays a "registration successful" web page. This does not mean the content filtering is active yet. You need to wait up to ten minutes for content filtering to be activated. Since there will be no content filtering activation notice, you can do the following to see if content filtering is active: 1. Go to...

Page 226: ...our product's name, click Transfer under Manage Product to move the registered product to another pre-registered user account at myZyXEL.com, click Delete under Manage Product to remove the product registration, or click Reinstall under Manage Product to install the product again with another authentication code (for up to three times). If you have activated a service on a registered product, you cannot ...

Page 227: ...that you configured during account registration at myZyXEL.com. 3. Click Reports. Figure 101 Content Filtering Reports Main Screen. Note: The ZyWALL does not support Single User Reports at the time of writing. 4. Select either Allow or Block reports. Select a time period in the Select Date Range field and click Run Report. 5. A chart and list of requested web site categories display in the lower half of the...

Page 228: ...Click a category to see the URLs that were requested. Figure 103 Requested URLs Example. 12.8 Configuration File: If you restore the ZyWALL to the default rom file or upload a different rom file after you register, then you must go to the Service Management screen (see Figure 99 on page 225) and click Refresh in the Remark field ...

Page 229: ...for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer. 13.1.2 Security Association: A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use. 13.1.3 Other...

Page 230: ...g VPN applications. 13.1.4.1 Linking Two or More Private Networks Together: Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites. 13.1.4.2 Accessing Network Resources When NAT Is Enabled: When NAT is enabled, remote users are not able to access hosts on the LAN unless the host is designated a pu...

Page 231: ...rithms: The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard), AES (Advanced Encryption Standard) and Triple DES algorithms. The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. Refer to Section 14.2 on page 235 for more information. 13.2.2 Key Management: Key management ...

Page 232: ...d forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process. 13.3.2 Tunnel Mode: Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is...

Page 233: ...g ESP in Tunnel mode encapsulates the entire original packet, including headers, in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case the entire original packet) are encrypted. The encr...

Page 235: ...igned for integrity, authentication, sequence integrity (replay resistance) and non-repudiation, but not for confidentiality, for which the ESP was designed. In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow fo...

Page 236: ...ion using a secret key. DES applies a 56-bit key to each 64-bit block of data. 3DES (Triple DES): 3DES is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES. AES: Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data ...

Page 237: ...dress may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. 14.5 Nailed Up: When you initiate an IPSec tunnel with nailed up enabled, the ZyWALL automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see Section 14.8 on page 240 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an "always on" connection after you initi...

Page 238: ...or IPSec router A (see Figure 107 on page 238) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A. 14.7 ID Type and Content: With aggressive negotiation mode (see Section 14.8.1 on page 241), the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyWALL to distinguis...

Page 239: ...address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. Table 70 Peer ID Type and Content Fields (PEER ID TYPE / CONTENT): IP: Type the IP address of the computer with which you will make the VPN connection, or leave the field blank to have the ZyWALL automatically use the address in the Remote Gateway Address field. D...

Page 240: ...uses that SA to negotiate SAs for IPSec. Figure 108 Two Phases to Set Up the IPSec SA. In phase 1 you must: Choose a negotiation mode; Authenticate the connection by entering a pre-shared key; Choose an encryption algorithm. (Table fragment: Peer ID type: IP / Peer ID type: E-mail; Peer ID content: 1.1.1.2 / Peer ID content: tom@yourcompany.com.) Table 72 Mismatching ID Type and Content Configuration Example (ZYWALL A / ZYWALL B): Loca...

Page 241: ...here is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic. 14.8.1 Negotiation Mode: The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations. Main Mode ensures the highest level of security when the communicating parties are negotiat...

Page 242: ...uch security, so PFS is disabled (None) by default in the ZyWALL. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup by bypassing the Diffie-Hellman key exchange. 14.9 X-Auth (Extended Authentication): Extended authentication provides added security by allowing you to use usernames...

Page 243: ...2 IPSec SA. Table 73 VPN screen Icons Key (ICON / DESCRIPTION): This represents your ZyWALL. This represents the remote secure gateway. This represents the local network. This represents the remote network. Click this icon to add a VPN gateway policy (or IPSec rule). Click this icon to add a VPN network policy. Click this icon to display a screen in which you can associate a network policy to a gateway policy. C...

Page 244: ...e network IP addresses must be static. 14.12 IKE VPN Rule Summary Screen. Click VPN to display the VPN Rules (IKE) screen. This is a read-only menu of your IPSec rule (tunnel). To add an IPSec rule (or gateway policy), click the add gateway policy icon. Edit an IPSec rule by clicking the edit icon to configure the associated submenus. Refer to Table 73 on page 243 for descriptions of the icons used in this scr...

Page 245: ...t an associated gateway policy. When there is a network policy in the Recycle Bin, the Recycle Bin gateway policy automatically displays in this screen. See Section 14.12.2.1 on page 255 for more information. 14.12.1 Configuring an IKE Gateway Policy. In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN Gateway Policy Edit screen. ...

Page 246: ...Chapter 14 VPN Screens. Figure 112 VPN Rules (IKE): Gateway Policy Edit ...

Page 247: ...N port that is in use. When the WAN port operation mode is set to Active/Active, the ZyWALL uses the IP address (static or dynamic) of the primary (highest priority) WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN port. If both WAN connections go down, the ZyW...

Page 248: ...e My ZyWALL field (refer to the My ZyWALL field description) if you configure the local Content field to 0.0.0.0 or leave it blank. It is recommended that you type an IP address other than 0.0.0.0 in the local Content field, or use the DNS or E-mail ID type, in the following situations: When there is a NAT router between the two IPSec routers. When you want the remote IPSec router to be able to distingui...

Page 249: ...ss from the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection. For Subject Name, type the subject name of the certificate the remote IPSec router will use for this VPN connection. Use up to 255 ASCII characters, including spaces. For Any, the peer Content field is not available. Regardless of how you configure the ID Type and Content fields, two acti...

Page 250: ... Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Key Group ...

Page 251: ...igure a VPN policy, click VPN and the add network policy icon in the VPN Rules (IKE) screen. A screen displays as follows. Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table 74 VPN Rules (IKE): Gateway Policy Edit (continued). LABEL | DESCRIPTION ...

Page 252: ...Chapter 14 VPN Screens. Figure 113 VPN Rules (IKE): Network Policy Edit ...

Page 253: ...network and vice versa. Select this check box to send NetBIOS packets through the VPN connection. Check IPSec Tunnel Connectivity: Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router. The ZyWALL pings the IP address every minute. The ZyWALL starts the IPSec connection idle timeout timer when it se...

Page 254: ... is configured to Single Address, enter a static IP address on the network behind the remote IPSec router. When the Addr Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a static IP address on the network behind the remote IPSec router...

Page 255: ...s not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb) random number (more secure, yet slower). Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect agai...

Page 256: ... displays the policy name. Local Network: This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL. Remote Network: This field displays one or a range of IP address(es) of the remote network behind the remote IPsec router. Gateway Policy Information. Gateway Policy: Select the name of a VPN rule (or gateway policy) to which you want to associate this VPN network policy. If you ...

Page 257: ... A static IP address and a subnet mask are displayed when the Local Network Address Type field in the VPN - Manual Key - Edit screen is configured to Subnet Address. Remote Network: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Remote Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initia...

Page 258: ...he administrator associated with the SPI to establish the tunnel. Note: Current ZyXEL implementation assumes identical outgoing and incoming SPIs. Click the edit icon on the VPN Rules (Manual) screen to edit VPN rules. Remote Gateway Address: This is the static WAN IP address or domain name of the remote IPSec router. Modify: Click the edit icon to edit the VPN policy. Click the delete icon to remove the VP...

Page 259: ... this VPN policy. You may use any character (including spaces), but the ZyWALL drops trailing spaces. Allow NetBIOS Traffic Through IPSec Tunnel: NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote...

Page 260: ...s a subnet mask on the LAN behind your ZyWALL. Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as ...

Page 261: ...escribed next. Select AH if you want to use AH (Authentication Header) Protocol. The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance) and non-repudiation, but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field described next. Encryption Algorithm: Select DES, 3DES or...

Page 262: ...ng. Table 78 VPN Rules (Manual): Edit (continued). LABEL | DESCRIPTION. Table 79 VPN: SA Monitor. LABEL | DESCRIPTION. This is the security association index number. Name: This field displays the identification name for this VPN policy. Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL. Remote Network: This field displays IP address in a range of computers on ...

Page 263: ...traffic is received from a remote IPSec router after the specified time period, the ZyWALL checks the VPN connectivity. If the remote IPSec router does not reply, the ZyWALL automatically disconnects the VPN tunnel. Enter the time period (between 30 and 3600 seconds) to wait before the ZyWALL checks all of the VPN connections to remote IPSec routers. Enter 0 to disable this feature. Gateway Domain Name Up...

Page 264: ...he telecommuters must all use the same IPSec parameters, but the local IP addresses (or ranges of addresses) should not overlap. Figure 119 Telecommuters Sharing One VPN Rule Example. 14.16.2 Telecommuters Using Unique VPN Rules Example. In this example, the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their (dynamic) WAN IP addresses (use Dynamic DNS to do th...

Page 265: ...by its ID type and content and uses the appropriate VPN rule to establish the VPN connection. The ZyWALL at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names. Figure 120 Telecommuters Using Unique VPN Rules Example. Table 82 Telecommuters Using Unique VPN Rules Example. TELECOMMUTERS | HEADQUARTERS. All Telecommuter Rul...

Page 266: ...al ID Content: telecommuterb.com. Peer ID Content: telecommuterb.com. Local IP Address: 192.168.3.2. Remote Gateway Address: telecommuterb.dydns.org. Remote Address: 192.168.3.2. Telecommuter C (telecommuterc.dydns.org). Headquarters (Product Name short) Rule 3. Local ID Type: E-mail. Peer ID Type: E-mail. Local ID Content: myVPN@myplace.com. Peer ID Content: myVPN@myplace.com. Local IP Address: 192.168.4.15. Remote Gatewa...

Page 267: ...cryption in general works as follows: 1 Tim wants to send a private message to Jenny. Tim generates a public key pair. What is encrypted with one key can only be decrypted using the other. 2 Tim keeps the private key and makes the public key openly available. 3 Tim uses his private key to encrypt the message and sends it to Jenny. 4 Jenny receives the message and uses Tim's public key to decrypt it. 5 Ad...

Page 268: ...authenticate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. 15.2 Self-signed Certificates. Until public key infrastructure becomes more mature, it may not be available in some areas. You can have the ZyWALL act as a certification authority and sign its own certificates. 15.3 Configuration Summary. This section summarize...

Page 269: ...tly in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates. Replace: This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button t...

Page 270: ... has not yet become applicable. Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired. Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays ...

Page 271: ...EM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form. 15.6 Importing a Certificate. Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL (see the following figure). Note: You can only i...

Page 272: ...te, enroll a certificate with a certification authority or generate a certification request (see the following figure). Figure 124 My Certificate Create. Table 84 My Certificate Import. LABEL | DESCRIPTION. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload. Apply: Click Apply to save the c...

Page 273: ...rops trailing spaces. Key Length: Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space. Enrollment Options: These radio buttons deal with how and when the certificate is to be generated. Create a self-signed certificate: Select Create a self-signed certificate to have t...

Page 274: ...otocol: Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) a...

Page 275: ...Chapter 15 Certificates. Figure 125 My Certificate Details ...

Page 276: ... the certificate. Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certi...

Page 277: ... the ZyWALL calculated using the MD5 algorithm. SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You ca...

Page 278: ...nformation about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company ...

Page 279: ...have selected the Issues certificate revocation lists (CRL) check box in the certificate's details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No. Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A wind...

Page 280: ...tificate, change the certificate's name and set whether or not you want the ZyWALL to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority. Table 88 Trusted CA Import. LABEL | DESCRIPTION. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the cert...

Page 281: ...p to 31 characters to identify this key certificate. You may use any character (not including spaces). Property: Check incoming certificates issued by this CA against a CRL: Select this check box to have the ZyWALL check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyWALL not check incoming certificates t...

Page 282: ...'s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field. Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash ...

Page 283: ...heir certificate. SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone, for example) that this is actually their certificate. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail...

Page 284: ...field displays the name used to identify this certificate. Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Valid From: This field displays the date that the certificate becomes applicable. The text...

Page 285: ...e following procedure describes how to use a certificate's fingerprint to verify that you have the remote host's actual certificate. 1 Browse to where you have the remote host's certificate saved on your computer. 2 Make sure that the certificate has a .cer or .crt file name extension. Figure 130 Remote Host Certificates. 3 Double-click the certificate's icon to open the Certificate window. Click the Det...

Page 286: ... Remote Host's Certificate. Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host's certificate to the ZyWALL (see the following figure). Note: The trusted remote host certificate must be a self-signed certificate, and you must remove any spaces from...

Page 287: ...Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host's certificate and/or change the certificate's name. Table 91 Trusted Remote Host Import. LABEL | DESCRIPTION. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload. Apply: Click Ap...

Page 288: ...icate. You may use any character (not including spaces). Certification Path: Click the Refresh button to have this read-only text box display the end entity's own certificate and a list of certification authority certificates in the hierarchy of certification authorities that validate a certificate's issuing certification authority. For a trusted host, the list consists of the end entity's own certificat...

Page 289: ...ertificate is about to expire or has already expired. Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits, for example). Subject Alternative Name: This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field d...

Page 290: ...rtificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file...

Page 291: ...nnecessary certificates before adding more certificates. This is the index number of the directory server. The servers are listed in alphabetical order. Name: This field displays the name used to identify this directory server. Address: This field displays the IP address or domain name of the directory server. Port: This field displays the port number that the directory server uses. Protocol: This field displays th...

Page 292: ...mal notation or the domain name of the directory server. Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You may change the server port number if needed; however, you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP. Login Setting. Login: The ZyWALL may need to au...

Page 293: ...ser database for VPN extended authentication and wireless LAN security. See Section 6.10 on page 114 for more information about RADIUS. 16.1.1 Local User Database. By storing user profiles locally on the ZyWALL, your ZyWALL is able to authenticate users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way. 16.1.2 RADIUS. The Zy...

Page 294: ...Chapter 16 Authentication Server. Figure 136 Local User Database ...

Page 295: ...pen the following screen where you can set up your ZyWALL's RADIUS server settings. Figure 137 RADIUS. Table 95 Local User Database. LABEL | DESCRIPTION. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Res...

Page 296: ...shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL. Accounting Server. Active: Select the check box to enable user accounting through an external authentication server. Server IP Address: Enter the IP address of the external accounting server in dotted decimal notation. Port Numb...

Page 297: ...he IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packe...

Page 298: ... define any servers for Many-to-One and Many-to-Many Overload mapping. NAT offers the additional benefit of firewall protection. With no servers defined, your ZyWALL filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). 17.1.3 How NAT Works. Each packet has two addres...

Page 299: ...ks. 17.1.4 NAT Application. The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 139 NAT Application With IP Alias ...

Page 300: ...P address to 2 and port to B. Since 1:A has already sent packets to 3:C and 4:D, they can send packets back to 2:B and the ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1:A to 4:E or 5, so they cannot send packets to 1:A. Figure 140 Port Restricted Cone NAT Example. 17.1.6 NAT Mapping Types. NAT supports five types of IP/port mapping. T...

Page 301: ...nd Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA or Full Feature in NAT Overview. Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping...

Page 302: ...n. Table 99 NAT Overview. LABEL | DESCRIPTION. Global Settings. Max Concurrent Sessions: This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time. Max Concurrent Sessions Per Host: Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time. WAN Operation Mode: This read-only field displays the operation mode ...

Page 303: ...he ZyWALL's possible address mapping rules are configured. The first number shows how many address mapping rules are configured on the ZyWALL. The second number shows the maximum number of address mapping rules that can be configured on the ZyWALL. Port Forwarding Rules: The bar displays how many of the ZyWALL's possible port forwarding rules are configured. The first number shows how many port forward...

Page 304: ...To Page: Choose a page from the drop-down list box to display the corresponding summary page of address mapping rules. This is the rule index number. Local Start IP: This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address. Local IP addresses are N/A for Server port mapping...

Page 305: ...al IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. 3 Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4 Many One-to-One mode maps each local IP address to unique global IP addresses. 5 Server allows you to specify inside servers of ...

Page 306: ...type from one of the following: 1 One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2 Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature. 3 Many-to-Many Overload: Many-to-Many...

Page 307: ...en used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Please also refer to the Supporting CD for more examples and details on port forwarding and NAT. 17.5.3 Configuring Servers Behind Port Forwarding (Example). Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the exam...

Page 308: ...gh a single WAN IP address. When you use port translation with port forwarding, multiple servers on the LAN or DMZ can use the same port number and still be accessible to the outside world through a single WAN IP address. The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33 and server B uses 192.168.1.34. Both servers use port 80. The letters a, b, c, d represent the WA...

Page 309: ...ceived for ports that are not specified here or in the remote management setup. Click NAT and Port Forwarding to open the Port Forwarding screen. Refer to Figure 102 on page 307 for port numbers commonly used for particular services. Note: The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to ...

Page 310: ...list box to display the corresponding summary page of the port forwarding servers. This is the number of an individual port forwarding server entry. Active: Select this check box to enable the port forwarding server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry. Name: Enter a name to identify this port forwarding rule. Incoming Po...

Page 311: ...ecific port number and protocol (a trigger port). When the ZyWALL's WAN port receives a response with a specific port number and protocol (incoming port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configu...

Page 312: ...s the labels in this screen. Table 104 Port Triggering. LABEL | DESCRIPTION. WAN Interface: Select the WAN port for which you want to view or configure address mapping rules. This is the rule index number (read-only). Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces. Incoming: Incoming is a port (or a range of ports) that a server on the WAN u...

Page 313: ... the LAN computer that sent the traffic to a server on the WAN. Start Port: Type a port number or the starting port number in a range of port numbers. End Port: Type a port number or the ending port number in a range of port numbers. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 104 Port Triggering. LABEL | DESCRIPTION ...

Page 314: ...Chapter 17 Network Address Translation (NAT) ...

Page 315: ...WALL is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyWALL about the networks beyond the remote nodes. Figure 149 Example of Static Routing Topology. 18.2 Configuring IP Static Route. Click STATIC ROUTE to open the IP Static Route screen (some of the screen's bl...

Page 316: ...ether this static route is active (Yes) or not (No). Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. Edit: Select the radio button ...

Page 317: ...to be identical to the host ID. IP Subnet Mask: Enter the IP subnet mask here. Gateway IP Address: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. Metric: Metric represents the cost of transmission for routing purposes. IP routing uses hop count as the measurement of ...

Page 318: ...Chapter 18 Static Route ...

Page 319: ... of the network to enable the backbone to prioritize traffic. Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic. Load Sharing: Network administrators can use IPPR to distribute traffic among multiple paths. 19.3 Routing Policy. Individual routing policies are used as part of the overall IPPR process. A ...

Page 320: ...cy Setup. Click POLICY ROUTE to open the Policy Route Summary screen (some of the screen's blank rows are not shown). Figure 152 Policy Route Summary. The following table describes the labels in this screen. Table 107 Policy Route Setup. LABEL | DESCRIPTION. This is the number of an individual policy route. Active: This field shows whether the policy is active or inactive. ...

Page 321: ...tions. Protocol: This is the IP protocol and can be ICMP, UDP, TCP or ALL. Action: This field specifies whether action should be taken on criteria Matched or Not Matched. Modify: Click the edit icon to go to the screen where you can edit the routing policy on the ZyWALL. Click the delete icon to remove an existing routing policy from the ZyWALL. A window displays asking you to confirm that you want to delete...

Page 322: ...licy. Rule Index: This is the index number of the policy route. IP Protocol: Select Predefined and then the IP protocol from ALL (0), ICMP (1), IGMP (2), TCP (6), UDP (17), GRE (47), ESP (50) or AH (51). Otherwise, select Custom and enter a number from 0 to 255. Type of Service: Prioritize incoming network traffic by choosing from Any, Normal, Min Delay, Max Thruput, Max Reliable or Mix Cost. Precedence: Precedence value of the inco...

Page 323: ...criteria Matched or Not Matched. Routing Action. Gateway: Select User Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyWALL's LAN or WAN port. Select WAN Interface to have the ZyWALL send traff...

Page 324: ...Chapter 19 Policy Route ...

Page 325: ...and dropped packets at the next routing device. For example, you can set the WAN interface speed to 1024 kbps or less if the broadband device connected to the WAN port has an upstream speed of 1024 kbps. 20.2 Bandwidth Classes and Filters. Use bandwidth classes and sub-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class ...

Page 326: ...t-based Bandwidth Management. You can create bandwidth classes based on subnets. The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B. Figure 154 Subnet-based Bandwidth Management Example. 20.6 Application and Subnet-based Bandwidth Management. You could also create bandwidth classes based on a combination of a subnet and an application. Th...

Page 327: ...vailable bandwidth on the interface including unallocated bandwidth and any allocated bandwidth that a class is not using among the bandwidth classes that require more bandwidth When you enable maximize bandwidth usage the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment Next the ZyWALL divides up an interface s available bandwidth bandwidth that is unbudgeted o...

Page 328: ...out when you do not select the maximize bandwidth option The ZyWALL divides up the unbudgeted 2048 kbps among the classes that require more bandwidth If the administration department only uses 1024 kbps of the budgeted 2048 kbps the ZyWALL also divides the remaining 1024 kbps among the classes that require more bandwidth Therefore the ZyWALL divides a total of 3072 kbps of unbudgeted and unused ba...

Page 329: ...idth Each class gets up to its budgeted bandwidth The administration class only uses 1024 kbps of its budgeted 2048 kbps The ZyWALL divides the total 3072 kbps total of unbudgeted and unused bandwidth equally among the other classes 1024 kbps extra goes to each so the other classes each get a total of 3072 kbps 20 9 Bandwidth Borrowing Bandwidth borrowing allows a sub class to borrow unused bandwi...

Page 330: ...ales USA class because the Amy class has bandwidth borrowing disabled The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled The Research Software and Hardware classes can also borrow unused bandwidth from the Root class because the Research class also has bandwidth...

Page 331: ...traffic that does not match any of the classes 20 10 Configuring Summary Click BW MGMT to open the Summary screen Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface Figure 155 Bandwidth Management Summary The following table describes the labels in this screen Table 114 Bandwidth Management Summary LABEL DESCRIPTION WAN1 WAN2 LAN DMZ These read onl...

Page 332: ... page 332 The recommendation is to set this speed to match what the device connected to the port can handle For example set the WAN interface speed to 1000 kbps if the broadband device connected to the WAN port has an upstream speed of 1000 kbps Scheduler Select either Priority Based or Fairness Based from the drop down menu to control the traffic flow Select Priority Based to give preference to b...

Page 333: ...elete to delete the class and all its sub classes You cannot delete the root class Statistics Click Statistics to display the status of the selected class Filter List This list displays the bandwidth management filters that are configured for the classes on the selected interface The ZyWALL applies the bandwidth management filters in the order that they appear here Once a connection matches a band...

Page 334: ... destination port for connections to which this bandwidth management filter applies Source IP Address This is the source IP address for connections to which this bandwidth management filter applies Source Port This is the source port for connections to which this bandwidth management filter applies Protocol ID This is the protocol ID service type number for connections to which this bandwidth mana...

Page 335: ...nd 7 to set the priority of this class The higher the number the higher the priority The default setting is 3 Borrow bandwidth from parent class Select this option to allow a sub class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth budget Bandwidth borrowing is governed by the priority of the sub classes That is a sub class with the highest priority 7 i...

Page 336: ...option makes it easier to manage bandwidth for SIP traffic and is useful for example when there is a VoIP Voice over Internet Protocol device on your LAN Note If you select SIP make sure you also use the ip alg enable ALG_SIP command to turn on the SIP ALG See Appendix I on page 627 for more on the SIP ALG Select Custom from the drop down list box if you do not want to use a predefined application...

Page 337: ... ZyWALL Cancel Click Cancel to exit this screen without saving Table 117 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP t...

Page 338: ...ed Tx Bytes This field displays the total number of bytes transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in bps for the past one to eight seconds For example t 1 means one second ago Update Perio...

Page 339: ...lass that is not allocated to bandwidth classes If you do not enable maximize bandwidth usage on an interface the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes a a If you allocate all the root class s bandwidth to the bandwidth classes the default class still displays a budget of 2 kbps the minimum amount of bandwidth that can be a...


Page 341: ...our ISP gives you DNS server addresses, manually enter them in the DNS server fields. 2. If your ISP dynamically assigns the DNS server IP addresses along with the ZyWALL's WAN IP address, set the DNS server fields to get the DNS server address from the ISP. 3. You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote I...

Page 342: ... to the same IP address as yourhost.com. This feature is useful if you want to be able to use, for example, www.yourhost.com and still reach your hostname. 21.5 Name Server Record. A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. A domain zone may also be included. A domain zone is a fully q...

Page 343: ...o not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 21.6 System Screen. To configure your ZyWALL's DNS address and name server records, click DNS. The screen appears as shown. Figure 161 System DNS ...

Page 344: ...ver Record: A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. When the ZyWALL needs to resolve a domain name, it checks it against the name server record entries in the order that they appear in this list. A indicates a name server record without a domain zone. The default record is grayed ...

Page 345: ...e way up to the top level domain name. For example, www.zyxel.com.tw is a fully qualified domain name where www is the host, zyxel is the second level domain and com.tw is the top level domain. IP Address: If this entry is for one of the WAN ports, select WAN Interface and select WAN 1 or WAN 2 from the drop-down list box. For entries that are not for one of the WAN ports, select Custom and enter the IP a...

Page 346: ...n an IP address. N/A displays for all of the DNS server IP address fields if the ZyWALL has a fixed WAN IP address. Select Public DNS Server if you have the IP address of a DNS server. The IP address must be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right. Public DNS Server entries with the IP address set to 0.0.0.0 are not allowed. Select Priva...

Page 347: ...tive response means that the ZyWALL did not receive a response for a query it sent to a DNS server within the five-second DNS timeout period. When the ZyWALL receives DNS queries, it compares them against the DNS cache before querying a DNS server. If the DNS query matches a positive entry, the ZyWALL responds with the IP address from the entry. If the DNS query matches a negative entry, the ZyWALL rep...

Page 348: ...hich DNS resolution has failed and reduces the amount of traffic that the ZyWALL sends out to the WAN. Negative Cache Period: Type the time (60 to 3600 seconds) that the ZyWALL is to allow a negative resolution entry to remain in the DNS cache before discarding it. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. DNS Cache Entry. Flush: C...

Page 349: ...s IP address in the field to the right. If you chose User Defined but leave the IP address set to 0.0.0.0, User Defined changes to None after you click Apply. If you set a second choice to User Defined and enter the same IP address, the second User Defined changes to None after you click Apply. Select DNS Relay to have the ZyWALL act as a DNS proxy. The ZyWALL's LAN IP address displays in the field to t...

Page 350: ...o have a domain name. The Dynamic DNS service provider will give you a password or key. Note: You must go to the Dynamic DNS service provider's website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL. 21.10.1 DYNDNS Wildcard. Enabling the wildcard feature for your host causes yourhost.dyndns.org to be aliased to the same IP address as yourhost.d...

Page 351: ...d the underscore. Spaces are not allowed. My Domain Names. Domain Name 1-5: Enter the host names in these fields. DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the Static DNS service. Select Custom if you have the Custom DNS service. Offline: This option is available when ...

Page 352: ...ormal WAN port does not have a connection. If the WAN port specified in the WAN Interface field does not have a connection, the ZyWALL will attempt to use the IP address of another WAN port to update the domain name. When the WAN ports are in the active/passive operating mode, the ZyWALL will update the domain name with the IP address of whichever WAN port has a connection, regardless of the setting in...

Page 353: ...ALL from a remote location via: Note: When you choose WAN only or ALL (LAN, WAN, DMZ), you still need to configure a firewall rule to allow access. To disable remote management of a service, select Disable in the corresponding Server Access field. You may only have one remote management session running at a time. The ZyWALL automatically disconnects a remote management session of lower priority when another ...

Page 354: ...change the timeout period in the System screen. 22.2 Introduction to HTTPS. HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication...

Page 355: ...erver. 2. HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL's WS (web server). Figure 167 HTTPS Implementation. Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 22.3 Configuring WWW. To change your ZyWALL's web settings, click REMOTE MGMT to open the WWW screen ...

Page 356: ... K on page 645 on importing certificates for details. Server Port: The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL web configurator to use https://ZyWALL IP Address:8443 as the URL. Server Access: Select a ZyWALL interface from Server Access on wh...

Page 357: ...if you select No, then web configurator access is blocked. Figure 169 Security Alert Dialog Box (Internet Explorer). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP A...

Page 358: ...g if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL's certificate into the SSL client. Figure 170 Security Certificate 1 (Netscape). Figure 171 Security Certifi...

Page 359: ...ified in the ZyWALL's HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients: a. Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field. b. Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for certificate's common name (see...

Page 360: ...pter 22 Remote Management. Figure 172 Login Screen (Internet Explorer). Figure 173 Login Screen (Netscape). Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models ...

Page 361: ...ZyWALL's MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure. Figure 175 Device-specific Certificate. Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen ...

Page 362: ... in clear text. SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. Figure 177 SSH Communication Example. 22.6 How SSH Works. The following table summarizes how a secure connection is established between two remote hosts ...

Page 363: ...yption Method: Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3. Authentication and Data Transmission: After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in t...

Page 364: ...SSH connections. You must have certificates already configured in the My Certificates screen. Click My Certificates and see Chapter 15 on page 267 for details. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the...

Page 365: ...er or device name for the ZyWALL. 2. Configure the SSH client to accept connection using SSH version 1. 3. A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 180 SSH Example 1: Store Host Key. Enter the password to log in to the ZyWALL. The SMT main menu displays next. 22.9.2 Example 2: Linux. This section describes how to access the ZyWALL using the OpenSSH c...

Page 366: ...efer to your SSH client program user's guide. 1. Enter sftp -1 192.168.1.1. This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type yes and press ENTER. 2. Enter the password to login to the ZyWALL. 3. Use the ...

Page 367: ...creen appears as shown. sftp -1 192.168.1.1 / Connecting to 192.168.1.1... / The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. / RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. / Are you sure you want to continue connecting (yes/no)? yes / Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts. / Administrator@192.168.1.1's password: / sftp> put firmware.bin ras / U...

Page 368: ...er Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client is a trusted computer that is allowed to communicate with the ZyWALL using this service. Selec...

Page 369: ...red. Note: SNMP is only available if TCP/IP is configured. Table 129 FTP. LABEL / DESCRIPTION. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client i...

Page 370: ...of variables include such as number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following...

Page 371: ...ESCRIPTION. 0 coldStart (defined in RFC 1215): A trap is sent after booting (power on). 1 warmStart (defined in RFC 1215): A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC 1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). 6 whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before rebo...

Page 372: ...default is public and allows all requests. Destination: Type the IP address of the station to send your SNMP traps to. SNMP. Service Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Service Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure ...

Page 373: ...n that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. Table 132 DNS. LABEL / DESCRIPTION. Server Port: The DNS service port number is 53 and cannot be changed here. Service Access: Select the interface(s) through which a computer may send DNS queries to the ZyWALL. Secure Client IP Ad...

Page 374: ...Information. Registration Status: This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server. It will continue to display Registering until it successfully registers with the Vantage CNM server. It will not be able to...

Page 375: ...outer here and configure the NAT router to forward UDP port 1864 traffic to the Vantage CNM server. If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 1864 traffic through to the Vantage CNM server (most new ZyXEL firewalls automatically allow this). Encryption Algorithm: The Encryption Algorithm field is used to encrypt communications between...


Page 377: ...ear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 23 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically configure network addressing announce their presence in the network to other UPnP devices and enable exchange of simple...

Page 378: ...writing ZyXEL s UPnP implementation supports Windows Messenger 4 6 and 4 7 while Windows Messenger 5 0 and Xbox are still being tested The ZyWALL only sends UPnP multicasts to the LAN Please see later in this User s Guide for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 23 3 Configuring UPnP Click UPnP to display the screen shown next Figu...

Page 379: ...mple by using NAT traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device this eliminates the need to manually configure port forwarding for the UPnP enabled application Allow UPnP to pass through Firewall Select this check box to allow traffic from UPnP enabled applications to bypass the firewall Clear this check box to have...

Page 380: ...nal IP address the NAT rule has the ZyWALL forward inbound packets to the Internal Client from that IP address only External Port This field displays the port number that the ZyWALL listens on on the WAN port for connection requests destined for the NAT rule s Internal Port and Internal Client The ZyWALL forwards incoming packets from the WAN with this port number to the Internal Client on the Int...

Page 381: ...Panel Double click Add Remove Programs 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details 3 In the Communications window select the Universal Plug and Play check box in the Components selection box 4 Click OK to go back to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted ...

Page 382: ...ort of the ZyXEL device Turn on your computer and the ZyXEL device 1 Click Start Settings and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window displays 4 Select Networking Service in the Components selection box and click Details 5 I...

Page 383: ...anel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties 3 In the Internet Connection Properties window click Settings to see the port mappings that were automatically created You may edit or delete the port mappings or click Add to manually add port mappings ...

Page 384: ... With UPnP you can access the web based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first This is helpful if you do not know the IP address of the ZyXEL device 4 Select the Show icon in notification area when connected check box and click OK An icon displays in the system tray 5 Double click the icon to display your current Internet connection status ...

Page 385: ... Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places under Other Places 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click the icon for your ZyXEL device and select Invoke The web configurator login screen displays ...

Page 386: ...ZyWALL 70 User s Guide 386 Chapter 23 UPnP 6 Right click the icon for your ZyXEL device and select Properties A properties window displays with basic information about the ZyXEL device ...

Page 387: ...S to open the View Log screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Section 24 3 on page 389 Options include logs about system maintenance system errors access control allowed or blocked web sites blocked web features such as ActiveX controls java and cookies attacks such as DoS and IPSec Log entries in red indicate system error...

Page 388: ...ime the log was recorded See Section 25 5 on page 400 to configure the ZyWALL s time and date Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional information about the log entry E...

Page 389: ...es such as cookies active X and so on Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black Note Alerts are e mailed as soon as they happen Logs may be e mailed as soon as the log is full see Log Schedule Selecting many alert and or log categories especially Access Contr...

Page 390: ...ZyWALL 70 User s Guide 390 Chapter 24 Logs Screens Figure 194 Log Settings ...

Page 391: ...wn list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs SMTP Authentication SMTP Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another Select the check box to activate SMTP authenticati...

Page 392: ...s when an individual web page loads it may contain references to other web sites that also get counted as hits The ZyWALL records web site hits by counting the HTTP GET packets Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits thus the web hit count is not yet 100 accurate To change your ZyWALL s log reports click LOGS then the Reports tab The scr...

Page 393: ...he ZyWALL Reset Click Reset to begin configuring this screen afresh Interface Select on which interface LAN or DMZ the logs will be collected The logs on the DMZ or LAN IP alias 1 and 2 are also recorded Report Type Use the drop down list box to select the type of reports to display Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have...

Page 394: ...to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports Table 140 Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN The names are ranked by the number of visits to each web site and listed in des...

Page 395: ...able 141 Protocol Port Report LABEL DESCRIPTION Protocol Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL The protocols or service ports are listed in descending order with the most used protocol or service port listed first Direction This field displays Incoming to denote traffic that is coming in from the WAN to the LAN or DMZ This fiel...

Page 396: ...AN to the LAN or DMZ This field displays Outgoing to denote traffic that is going out from the LAN or DMZ to the WAN Amount This column displays how much traffic has gone to and from the listed LAN IP addresses The measurement unit shown bytes Kbytes Mbytes or Gbytes varies with the amount of traffic sent to and from the LAN IP address The count starts over at 0 if the total traffic sent to and fr...

Page 397: ...tification tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP click Start My Computer View system information and then click the Comput...

Page 398: ...not allowed but dashes and underscores _ are accepted Domain Name Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via DHCP The domain name entered by you is given priority over the ISP assigned domain name Administrator Inactivity Timer Type how many minutes a management session either via the web configurator or SMT can be left idle before ...

Page 399: ...onization fails then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined NTP time servers have been tried Table 145 Password Setup LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field New Password Type your new system password up to 30 characters N...

Page 400: ...date click MAINTENANCE then the Time and Date tab The screen appears as shown Use this screen to configure the ZyWALL s time based on your local time zone Figure 201 Time and Date ntp cs strath ac uk ntp1 sp se time1 stupi se tick stdtime gov tw tock stdtime gov tw time stdtime gov tw Table 146 Default Time Servers ...

Page 401: ...y Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server uses Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main difference between them is the...

Page 402: ... Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The ...

Page 403: ...ful the following screen appears Click Return to go back to the Time and Date screen Figure 204 Synchronization Fail 25 6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port All fu...

Page 404: ...s flooded to all ports except the inbound port Broadcasts and multicasts also are flooded in this way If the associated port is the same as the incoming port then the frame is dropped filtered 25 7 Transparent Firewalls A transparent firewall also known as a transparent in line shadow stealth or bridging firewall has the following advantages over router firewalls 1 The use of a bridging firewall r...

Page 405: ... click MAINTENANCE then the Device Mode tab When the ZyWALL is in router mode the screen appears as shown next Figure 205 Device Mode Router Mode The following table describes the labels in this screen Table 149 Device Mode Router Mode LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge Device Mode Setup Router When the ZyWALL i...

Page 406: ...nfigured in the IP Address field to access the ZyWALL again Reset Click Reset to begin configuring this screen afresh Table 150 Device Mode Bridge Mode LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge Device Mode Setup Router Select this radio button and click Apply to set the ZyWALL to router mode LAN Interface IP Address En...

Page 407: ...acting as a DHCP server When configured as a server the ZyWALL provides TCP IP configuration for the clients If not DHCP service is disabled and you must have another DHCP server on your LAN or else the computers must be manually configured When set as a server fill in the rest of the DHCP setup fields IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP ad...

Page 408: ...ocess. The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Table 151 Firmware Upload (LABEL / DESCRIPTION). File Path: Type in the location of the file you want to upload in this field, or click Browse to find it. Browse: Click Browse to find the .bin file you want to upload. Remember that you must decom...

Page 409: ...not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 210 Firmware Upload Error. 25.10 Configuration Screen. See Section 40.5 on page 532 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE and then the Configuration tab. Information related to factory defaults, backup configuration and restoring configuration appears as sho...

Page 410: ...in case you need to return to your previous settings. Click Backup to save the ZyWALL's current configuration to your computer. 25.10.2 Restore Configuration. Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyWALL. Table 152 Restore Configuration (LABEL / DESCRIPTION). File Path: Type in the location of the file you want to upload in this f...

Page 411: ...ime, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 213 Network Temporarily Disconnected. If you uploaded the default configuration file, you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your...

Page 412: ...e screen. The following warning screen will appear. Figure 215 Reset Warning Message. You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 60 for more information on the RESET button. 25.11 Restart Screen. System restart allows you to reboot the ZyWALL without turning the power off. Click MAINTENANCE and then Restart. Click Restar...

Page 413: ...ZyWALL 70 User's Guide, Chapter 25 Maintenance, page 413. Figure 216 Restart Screen...

Page 415: ...Terminal menus via console port, how to navigate the SMT and how to configure SMT menus. 26.2 Accessing the SMT via the Console Port. Make sure you have the physical connection properly set up as described in the Quick Start Guide. When configuring using the console port, you need a computer equipped with communications software configured to the following parameters: VT100 terminal emulation, 9600 Baud...

Page 416: ...SMT is an interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Copyright (c) 1994-2004 ZyXEL Communications Corp. initialize ch 0, ethernet address 00:A0:C5:01:23:45; initialize ch 1, ethernet address 00:A0:C5:01:23:46; initialize ch 2, ethernet address 00:A0:C5:01:23:47; initialize...

Page 417: ...ress SPACE BAR, then press ENTER to select from choices. You need to fill in two types of fields. The first requires you to type in the appropriate information. The second allows you to cycle through the available choices by pressing SPACE BAR. Required fields: All fields with the symbol must be filled in order to be able to save the new configuration. N/A fields: N/A. Some of the fields in the SMT will show...

Page 418: ...Setup, 6. Route Setup, 26. Schedule Setup. Advanced Applications: 11. Remote Node Setup, 12. Static Routing Setup, 15. NAT Setup. 99. Exit. Enter Menu Selection Number. Copyright (c) 1994-2004 ZyXEL Communications Corp. ZyWALL 70 Main Menu. Getting Started: 1. General Setup. Advanced Management: 21. Filter and Firewall Setup, 22. SNMP Configuration, 23. System Password, 24. System Maintenance. 99. Exit. Enter Menu Selection Numbe...

Page 419: ...ers, activate/deactivate the firewall and view the firewall log. 22 SNMP Configuration: Use this menu to configure SNMP-related parameters. 23 System Password: Change your password in this menu (recommended). 24 System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance. 25 IP Routing Policy Setup: From displaying system status to uploading fir...

Page 420: ...ons; 11.3.3 Remote Node Script; 11.3.4 Remote Node Filter; 12 Static Routing Setup; 12.1 Edit Static Route Setup; 15 NAT Setup; 15.1 Address Mapping Sets; 15.1.x Address Mapping Rules; 15.1.x.x Address Mapping Rule; 15.2 NAT Server Sets; 15.2.x NAT Server Setup; 15.2.x.x NAT Server Configuration; 15.3 Trigger Ports; 15.3.x Trigger Port Setup; 21 Filter and Firewall Setup; 21.1 Filter Set Configuration; 21.1.x Fil...

Page 421: ...nd Trace; 24.3.1 View Error Log; 24.3.2 Syslog Logging; 24.3.4 Call-Triggering Packet; 24.4 Diagnostic; 24.5 Backup Configuration; 24.6 Restore Configuration; 24.7 Upload Firmware; 24.7.1 Upload System Firmware; 24.7.2 Upload System Configuration File; 24.8 Command Interpreter Mode; 24.9 Call Control; 24.9.1 Budget Management; 24.9.2 Call History; 24.10 Time and Date Setting; 24.11 Remote Management Setup; 25 IP...

Page 422: ...rd and press ENTER. 4. Re-type your new system password for confirmation and press ENTER. Note that as you type a password, the screen displays an x for each character you type. 26.5 Resetting the ZyWALL. See Chapter 2 on page 59 for directions on resetting the ZyWALL. Menu 23 - System Password: Old Password; New Password; Retype to confirm. Enter here to CONFIRM or ESC to CANCEL...

Page 423: ...de. Edit Dynamic DNS: No. Press ENTER to Confirm or ESC to Cancel. Table 156 Menu 1 General Setup (Router Mode) (FIELD / DESCRIPTION). System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer's Computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes and underscores (_) are accepted. Domain Name: Enter...

Page 424: ...s 192.168.1.1; Network Mask: 255.255.255.0; Gateway: 0.0.0.0; First System DNS Server IP Address: 0.0.0.0; Second System DNS Server IP Address: 0.0.0.0; Third System DNS Server IP Address: 0.0.0.0. Press ENTER to Confirm or ESC to Cancel. Table 157 Menu 1 General Setup (Bridge Mode) (FIELD / DESCRIPTION). Device Mode: Press SPACE BAR and then ENTER to select Bridge Mode. IP Address: Enter the IP address of your ZyWALL...

Page 425: ...ress SPACE BAR to select Yes in the Edit Dynamic DNS field. Press ENTER to display Menu 1.1 Configure Dynamic DNS. 4. Press SPACE BAR and then ENTER to select Yes in the Edit Host field. Press ENTER to display Menu 1.1.1 DDNS Host Summary. Menu 1.1 - Configure Dynamic DNS: Service Provider: WWW.DynDNS.ORG; Active: No; Username; Password; Edit Host: No. Press ENTER to Confirm or ESC to Cancel. Table 158 Menu 1.1 Co...

Page 426: ...____________________________________________________ Select Command: None; Select Rule: N/A. Press ENTER to Confirm or ESC to Cancel. Table 159 Menu 1.1.1 DDNS Host Summary (FIELD / DESCRIPTION). This is the DDNS host index number. Summary: This displays the details about the DDNS host. Select Command: Press SPACE BAR to choose from None, Edit, Delete, Next Page or Previous Page, and then press ENTER. You must selec...

Page 427: ...e when CustomDNS is selected in the DDNS Type field. Press SPACE BAR and then ENTER to select Yes. When Yes is selected, http://www.dyndns.org traffic is redirected to a URL that you have previously specified (see www.dyndns.org for details). Bind WAN: Enter the WAN port to use for updating the IP address of the domain name. HA: Press SPACE BAR and then ENTER to select Yes to enable the high availability (HA)...

Page 428: ...or more NAT routers between the ZyWALL and the DDNS server. Press SPACE BAR to select Yes and then press ENTER to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. Use User Defined: Press SPACE BAR t...

Page 429: ...to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection. 28.2 WAN Setup. From the main menu, enter 2 to open menu 2. Figure 227 MAC Address Cloning in WAN Setup. Menu 2 - WAN Setup: WAN 1 MAC Address: Assigned By: Factory default; IP Address: N/A. WAN 2 MAC Address: Assigned By: Factory default; IP Address: N/A. Dial Backup: Active: No; Port Speed: 115200; AT Command String...

Page 430: ...for information on an alternate backup WAN connection. 28.4 Configuring Dial Backup in Menu 2. From the main menu, enter 2 to open menu 2. Table 161 MAC Address Cloning in WAN Setup (FIELD / DESCRIPTION). WAN 1/2 MAC Address Assigned By: Press SPACE BAR and then ENTER to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP add...

Page 431: ...PTION). Dial Backup Active: Use this field to turn the dial backup feature on (Yes) or off (No). Port Speed: Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device. Available speeds are 9600, 19200, 38400, 57600, 115200 or 230400 bps. AT Command String Init: Enter the AT command string to initialize the WAN device. Consult the manual of your...

Page 432: ...Commands Fields (FIELD / DESCRIPTION). AT Command Strings Dial: Enter the AT Command string to make a call. Drop: Enter the AT Command string to drop a call (represents a one-second wait; e.g. ath can be used if your modem has a slow response time). Answer: Enter the AT Command string to answer a call. Drop DTR When Hang Up: Press the SPACE BAR to choose either Yes or No. When Yes is selected (the default), the DTR...

Page 433: ...hone number before blacklisting the number. Retry Interval (sec): Enter a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout (sec): Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation. Call Back Delay (sec): Enter a numbe...

Page 434: ...t the PPP options for this remote node. This brings you to Menu 11.3.1 Remote Node PPP Options (see Section 28.7 on page 435). Edit IP: This field leads to a hidden menu. Press SPACE BAR to select Yes and press ENTER to go to Menu 11.3.2 Remote Node Network Layer Options. See Section 28.8 on page 435 for more information. Edit Script Options: Press SPACE BAR to select Yes and press ENTER to edit the AT scr...

Page 435: ...ffic from the ZyWALL to the remote node that can elapse before the ZyWALL automatically disconnects the PPP connection. This option only applies when the ZyWALL initiates the call. Once you have configured this menu, press ENTER at the message Press ENTER to Confirm to save your configuration, or press ESC at any time to cancel. Table 165 Menu 11.3 Remote Node Profile (Backup ISP) (continued) (FIELD / DESCRIP...

Page 436: ...WAN Addr: Leave the field set to 0.0.0.0 to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Enter your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router. Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used...

Page 437: ...s the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the Backup port. Refer to Section 35.2 on page 475 for more information. Metric: Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes. The smaller the number, the higher priority the route has. Private: This parameter determines if the ZyWA...

Page 438: ...cessing and start PPP negotiation. This implies two things: first, the sets must be contiguous; the sets after an empty one are ignored. Second, the last set should match the final message sent by the server. For instance, if the server prints "login successful. Starting PPP" after you enter the password, then you should create a third set to match the final PPP but without a Send string. Otherwise the ZyWALL...

Page 439: ...filter field. Note that spaces are accepted in this field. Please refer to Chapter 37 on page 495 for more information on defining the filters. Figure 234 Menu 11.3.4 Remote Node Filter. Table 168 Menu 11.3.3 Remote Node Script (FIELD / DESCRIPTION). Active: Press SPACE BAR and then ENTER to select either Yes to enable the AT strings or No to disable them. Set 1-6 Expect: Enter an Expect string to match. After...

Page 441: ...the LAN Menus. From the main menu, enter 3 to open Menu 3 LAN Setup. Figure 235 Menu 3 LAN Setup. 29.3 LAN Port Filter Setup. This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Menu 3 - LAN Setup: 1. LAN Port Filter Set...

Page 442: ...IP and DHCP Setup. From menu 3, select the submenu option TCP/IP and DHCP Setup and press ENTER. The screen now displays Menu 3.2 TCP/IP and DHCP Ethernet Setup, as shown next. Menu 3.1 - LAN Port Filter Setup: Input Filter Sets: protocol filters, device filters; Output Filter Sets: protocol filters, device filters. Press ENTER to Confirm or ESC to Cancel. Menu 3 - LAN Setup: 1. LAN Port Filter Setup, 2. TCP/IP and D...

Page 443: ...If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled. If set to Relay, the ZyWALL acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients. When set to Server, the following items need to be set. Client IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address...

Page 444: ...h, In Only, Out Only or None. Version: Press SPACE BAR and then ENTER to select the RIP version. Options are RIP-1, RIP-2B or RIP-2M. Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press SPACE BAR and then ENTER to enable IP Multicasting or select None (defa...

Page 445: ...LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP Direction: Press SPACE BAR and then ENTER to select the RIP direction. Options are Both, In Only, Out Onl...

Page 446: ...de ESSID: No; Channel ID: CH06 2437MHz; RTS Threshold: 2432; Frag Threshold: 2432; WEP: Disable; Default Key: N/A; Key1: N/A; Key2: N/A; Key3: N/A; Key4: N/A; Edit MAC Address Filter: No. Press ENTER to Confirm or ESC to Cancel. Table 172 Menu 3.5 Wireless LAN Setup (FIELD / DESCRIPTION). Enable Wireless LAN: Press SPACE BAR to select Yes to turn on the wireless LAN. The wireless LAN is off by default. Configure wireless LAN se...

Page 447: ...Frag Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. WEP: Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption. Default Key: Enter the key number (1 to 4) in...

Page 448: ...5.1 WLAN MAC Address Filter (FIELD / DESCRIPTION). Active: To enable MAC address filtering, press SPACE BAR to select Yes and press ENTER. Filter Action: Define the filter action for the list of MAC addresses in the MAC address filter table. To deny access to the ZyWALL, press SPACE BAR to select Deny Association and press ENTER. MAC addresses not listed will be allowed to access the router. The default action...

Page 449: ...Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use. 30.2 Ethernet Encapsulation. If you choose Ethernet in menu 4, you will see the next menu. Figure 242 Menu 4 Internet Access Setup (Ethernet). Menu 4 - Internet Access Setup: ISP's Name: WAN_1; Encapsulation: Ethernet; Service Type: Standard; My Login: N/A; My Password: N/A; Retype to Confirm: N/A; Login Server: N...

Page 450: ...ALL out if the ZyWALL does not log in periodically. Type the number of minutes (from 1 to 59; 30 recommended) for the ZyWALL to wait between logins. IP Address Assignment: If your ISP did not assign you a fixed IP address, press SPACE BAR and then ENTER to select Dynamic; otherwise select Static and enter the IP address and subnet mask in the following fields. IP Address: Enter the fixed IP address assigned...

Page 451: ...you choose PPTP in the Encapsulation field in menu 4. 30.4 Configuring the PPPoE Client. If you enable PPPoE in menu 4, you will see the next screen. For more information on PPPoE, please see Appendix E on page 603. Menu 4 - Internet Access Setup: ISP's Name: WAN_1; Encapsulation: PPTP; Service Type: N/A; My Login; My Password; Retype to Confirm; Idle Timeout: 100; IP Address Assignment: Dynamic; IP Address: N/A; IP Subn...

Page 452: ...the Internet. You may deactivate the firewall in menu 21.2 or via the ZyWALL embedded web configurator. You may also define additional firewall rules or modify existing ones, but please exercise extreme caution in doing so. See the chapters on firewall for more information on the firewall. Menu 4 - Internet Access Setup: ISP's Name: WAN_1; Encapsulation: PPPoE; Service Type: N/A; My Login; My Password; Retype to...

Page 453: ...to specify the filter sets that you wish to apply to your public server's traffic. Figure 246 Menu 5.1 DMZ Port Filter Setup. 31.3 TCP/IP Setup. For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 4 on page 93. Menu 5 - DMZ Setup: 1. DMZ Port Filter Setup, 2. TCP/IP Setup. Enter Menu Selection Number. Menu 5.1 - DMZ Port Filter Setup: Input Filter Sets: protocol filters...

Page 454: ...how to configure these fields. Note: DMZ and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 35 on page 473) in menus 15.1 and 15.2. 31.3.2 IP Alias Setup. You must use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press SPACE BAR to choose Yes and press ENTER to configure the second and third network. Pressing E...

Page 455: ...ias parameters. Menu 5.2.1 - IP Alias Setup: IP Alias 1: No; IP Address: N/A; IP Subnet Mask: N/A; RIP Direction: N/A; Version: N/A; Incoming protocol filters: N/A; Outgoing protocol filters: N/A. IP Alias 2: No; IP Address: N/A; IP Subnet Mask: N/A; RIP Direction: N/A; Version: N/A; Incoming protocol filters: N/A; Outgoing protocol filters: N/A. Enter here to CONFIRM or ESC to CANCEL...

Page 457: ...figure traffic redirect properties. Figure 251 Menu 6.1 Route Assessment. Menu 6 - Route Setup: 1. Route Assessment, 2. Traffic Redirect, 3. Route Failover. Enter Menu Selection Number. Menu 6.1 - Route Assessment: Probing WAN 1 Check Point: Yes; Use Default Gateway as Check Point: Yes; Check Point: N/A. Probing WAN 2 Check Point: Yes; Use Default Gateway as Check Point: Yes; Check Point: N/A. Probing Traffic Redirection Ch...

Page 458: ...Point: Press SPACE BAR and then press ENTER to choose Yes to test your ZyWALL's traffic redirect connection. If you do not select No in the Use Default Gateway as Check Point field and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) in the Check Point field, the ZyWALL will use the default gateway IP address. When you have completed this menu...

Page 459: ...to Confirm or ESC to Cancel. Table 179 Menu 6.3 Route Failover (FIELD / DESCRIPTION). Period: Type the number of seconds for the ZyWALL to wait between checks to see if it can connect to the WAN IP address in the Check Point field of menu 6.1 or the default gateway. Allow more time if your destination IP address handles lots of traffic. Timeout: Type the number of seconds for your ZyWALL to wait for a ping...

Page 461: ...2 Remote Node Profile, Menu 11.x.2 Remote Node Network Layer Options and Menu 11.x.4 Remote Node Filter. 33.2 Remote Node Setup. From the main menu, select menu option 11 to open Menu 11 Remote Node Setup, shown below. Then enter 1 or 2 to open Menu 11.x Remote Node Profile and configure the setup for your first or second WAN port. Enter 3 to open Menu 11.3 Remote Node Profile (Backup ISP) and configure t...

Page 462: ...thernet Encapsulation (FIELD / DESCRIPTION). Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters. Active: Press SPACE BAR and then ENTER to select Yes (activate remote node) or No (deactivate remote node). Encapsulation: Ethernet is the default encapsulation. Press SPACE BAR and then ENTER to change to PPPoE or PPTP encapsulation. Service Type: Press SPACE BAR and t...

Page 463: ...s field is available when you select Telia Login in the Service Type field. The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes (from 1 to 59; 30 recommended) for the ZyWALL to wait between logins. Route: This field refers to the protocol that will be routed by your ZyWALL. IP is the only option for the ZyWALL. Edit IP: This field leads to a hidden men...

Page 464: ...p regardless of traffic demand. The ZyWALL does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyWALL will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons. Do not specify a nailed-up connection unless your telephone company offers fl...

Page 465: ...field sets a ceiling for outgoing call time for this remote node. The default for this field is 0, meaning no budget control. Period (hr): This field is the time period that the budget should be reset. For example, if we are allowed to call this remote node for a maximum of 10 minutes every hour, then the Allocated Budget is 10 (minutes) and the Period (hr) is 1 (hour). Schedules: You can apply up to four schedule...

Page 466: ...100; Server IP Addr: 10.0.0.138; Connection ID/Name. Press ENTER to Confirm or ESC to Cancel. Table 182 Menu 11.1 Remote Node Profile for PPTP Encapsulation (FIELD / DESCRIPTION). Encapsulation: Press SPACE BAR and then ENTER to select PPTP. You must also go to menu 11.3 to check the IP Address setting once you have selected the encapsulation method. My IP Addr: Enter the IP address of the WAN Ethernet port. My...

Page 467: ...encapsulation only. Enter the gateway IP address assigned to you if you are using a static IP address. My WAN Addr: This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN, and each end must have a unique address within the WAN network number. If this is the case, enter the...

Page 468: ...from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 7.5 on page 135). The smaller the number, the higher priority the route has. Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No...

Page 469: ...Menu 11.1.4 - Remote Node Filter: Input Filter Sets: protocol filters, device filters; Output Filter Sets: protocol filters, device filters. Enter here to CONFIRM or ESC to CANCEL. Menu 11.1.4 - Remote Node Filter: Input Filter Sets: protocol filters, device filters; Output Filter Sets: protocol filters, device filters; Call Filter Sets: protocol filters, device filters. Enter here to CONFIRM or ESC to CANCEL...

Page 471: ...amic WAN IP address, indicating the static route is inactive. Figure 261 Menu 12 IP Static Route Setup. Now enter the index number of the static route that you want to configure. Menu 12 - IP Static Route Setup: 1 Reserved 16 ________ 31 ________ 46 ________ 2 Reserved 17 ________ 32 ________ 47 ________ 3 ________ 18 ________ 33 ________ 48 ________ 4 ________ 19 ________ 34 ________ 49 ________ 5 _____...

Page 472: ...55.255 in the subnet mask field to force the network number to be identical to the host ID. IP Subnet Mask: Enter the IP subnet mask for this destination. Gateway IP Address: Enter the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WAN, the g...

Page 473: ...types of mapping: Many-to-One and Server. See Section 35.2.1 on page 476 for a detailed description of the NAT set for SUA. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Note: Choose SUA Only if you have just one public WAN IP address for your ZyWALL. Choose Full Feature if you have multiple...

Page 474: ...ying NAT to the Remote Node. Menu 4 - Internet Access Setup: ISP's Name: ChangeMe; Encapsulation: Ethernet; Service Type: Standard; My Login: N/A; My Password: N/A; Retype to Confirm: N/A; Login Server: N/A; Relogin Every (min): N/A; IP Address Assignment: Dynamic; IP Address: N/A; IP Subnet Mask: N/A; Gateway IP Address: N/A; Network Address Translation: SUA Only. Press ENTER to Confirm or ESC to Cancel. Menu 11.1.2 - Remote Node...

Page 475: ...nu to bring up the following screen. Figure 265 Menu 15 NAT Setup. Note: Configure DMZ and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ IP addresses must be on subnets separate from LAN IP addresses. Table 185 Applying NAT in Menus 4, 11.1.2 (FIELD / DESCRIPTION / OPTIONS). Network Address Translation: When you select this option, the SMT will use Address Mapping Set 1 (menu 15.1, see Section 35.2.1 on page 47...

Page 476: ...1 on page 473. The fields in this menu cannot be changed. Figure 267 Menu 15.1.255 SUA Address Mapping Rules. The following table explains the fields in this menu. Menu 15.1 - Address Mapping Sets: 1. NAT_SET, 2. example, 255. SUA (read only). Enter Menu Selection Number. Menu 15.1.1 - Address Mapping Rules: Set Name: SUA. Idx / Local Start IP / Local End IP / Global Start IP / Global End IP / Type: 1. 0.0.0.0 255.255.255.255 0...

Page 477: ...e name of the set you selected in menu 15.1, or enter the name of a new set you want to create. Idx: This is the index or rule number. Local Start IP: Local Start IP is the starting local IP address (ILA). Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255. Global Start IP: This is the starting global I...

Page 478: ...number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9, in the set summary screen the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Menu 15.1.1 - Address Mapping Rules: Set Name: NAT_SET...

Page 479: ...1.1.1 Editing/Configuring an Individual Rule in a Set. Action: The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule. Delete means to delete the selected rule, and then all the rules after the selected one will be advanced one rule. None disa...

Page 480: ...types behind NAT to this computer. See Section 35.4.3 on page 485 for an example. Local IP: Only local IP fields are N/A for Server; Global IP fields MUST be set for Server. Start: Enter the starting local IP address (ILA). End: Enter the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One and Server...

Page 481: ...onfigure in the Select Rule field and press ENTER to open Menu 15.2.1.2 NAT Server Configuration (see the next figure). Menu 15.2 - NAT Server Sets: 1. Server Set 1, 2. Server Set 2. Enter Set Number to Edit. Menu 15.2.1 - NAT Server Setup: Default Server: 0.0.0.0. Rule / Act / Start Port / End Port / IP Address: 001 No 0 0 0.0.0.0; 002 No 0 0 0.0.0.0; 003 No 0 0 0.0.0.0; 004 No 0 0 0.0.0.0; 005 No 0 0 0.0.0.0; 006 No 0 0 0...

Page 482: ...d port 25; IP Address: 192.168.1.33. Press ENTER to Confirm or ESC to Cancel. Table 189 15.2.1.2 NAT Server Configuration (FIELD / DESCRIPTION). WAN: The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rules for the first WAN port and separate sets of rules for the second WAN port. This is the WAN port (server set) you select in menu 15.2. Index: This is the index number of an individ...

Page 483: ...4.1 Internet Access Only. In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Menu 15.2.1 - NAT Server Setup: Default Server: 0.0.0.0. Rule / Act / Start Port / End Port / IP Address: 001 No 0 0 0.0.0.0; 002 Yes 21 25 192.168.1.33; 003 No 0 0 0.0.0.0; 004 No 0 0 0.0.0.0; 005 No 0 0 0.0.0.0; 006 No...

Page 484: ...n page 483. The SUA Only (read only) option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case. Menu 4 - Internet Access Setup: ISP's Name: ChangeMe; Encapsulation: Ethernet; Service Type: Standard; My Login: N/A; My Password: N/A; Retype to Confirm: N/A; Login Server: N/A; Relogin Every (min): N/A; IP Address Assignment: Dynamic; IP Address: N/A; IP Subnet Mask: N...

Page 485: ...ver. All departments share the same router. The example will reserve one IGA for each department with an FTP server, and all departments use the other IGA. Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional, as follows. Menu 15.2.1 - NA...

Page 486: ...279 NAT Example 3. 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11.3 (in Figure 280 on page 487). 2. Then enter 15 from the main menu. 3. Enter 1 to configure the Address Mapping Sets. 4. Enter 1 to begin configuring this new set. Enter a Set Name...

Page 487: ...ork Layer Options: IP Address Assignment: Dynamic; IP Address: N/A; IP Subnet Mask: N/A; Gateway IP Addr: N/A; Network Address Translation: SUA Only; Metric: 2; Private; RIP Direction: None; Version: N/A; Multicast: None. Enter here to CONFIRM or ESC to CANCEL. Menu 15.1.1.1 - Address Mapping Rule: Type: One-to-One; Local IP Start: 192.168.1.10, End: N/A; Global IP Start: 10.132.50.1, End: N/A; Server Mapping Set: N/A. Press ENTER t...

Page 488: ...to Menu 15.2 NAT Server Sets. 3. Now enter 1 from this menu and configure it as shown in Figure 283 on page 489. Menu 15.1.1 - Address Mapping Rules: Set Name: Example3. Idx / Local Start IP / Local End IP / Global Start IP / Global End IP / Type: 1. 192.168.1.10 10.132.50.1 1-1; 2. 192.168.1.11 10.132.50.2 1-1; 3. 0.0.0.0 255.255.255.255 10.132.50.3 M-1; 4. 10.132.50.3 Server; 5; 6; 7; 8; 9; 10. Action: Edit; Select Rule. Press EN...

Page 489: ...such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won't work through NAT even when using One-to-One and Many One-to-One mapping types. Follow the steps outlined in example 3 above to configure these two menus as follows. Menu 15.2.1 - NAT Server Setup: Default Server: 0.0.0.0. Rule / Act / Start Port / End Port / IP Address: 001 Yes 80...

Page 490: ...ddress Mapping Rules. Menu 15.1.1.1 - Address Mapping Rule: Type: Many One-to-One; Local IP Start: 192.168.1.10, End: 192.168.1.12; Global IP Start: 10.132.50.1, End: 10.132.50.3. Press ENTER to Confirm or ESC to Cancel. Menu 15.1.1 - Address Mapping Rules: Set Name: Example4. Idx / Local Start IP / Local End IP / Global Start IP / Global End IP / Type: 1. 192.168.1.10 192.168.1.12 10.132.50.1 10.132.50.3 M-1-1; 2; 3; 4; 5; 6; 7; 8; 9; 1...

Page 491: ...t a service with a specific port number and protocol (a "trigger" port). When the ZyWALL's WAN port receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you d...

Page 492: ...ters are permitted, including spaces. Incoming: Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service. Start Port: Enter a port number or the starting port number in a range of port numbers. End Port: Enter a port number or the...

Page 493: ...tion to display the screen shown next. Figure 288 Menu 21 Filter and Firewall Setup. 36.1.1 Activating the Firewall. Enter option 2 in this menu to bring up the following screen. Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configurator to configure firewall rules. Menu ...

Page 494: ...tects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies. You may define additional policy rules or modify existing ones, but please exercise extreme caution in doing so. Active: Yes. You can use the Web Configurator to configure the firewall. Press ENTER t...

Page 495: ...lowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the LAN side. Call filtering is used to determine if a packet should be allowed to trigger a call. Remote node call filtering is only applicable when using PPPoE encapsulation. Outgoing packets must undergo data f...

Page 496: ...rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnet se...

Page 497: ...onfiguration 497. Figure 291 Filter Rule Process. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. ...

Page 498: ... 5. Press ENTER at the message "Press ENTER to confirm" to open Menu 21.1.1 - Filter Rules Summary. This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Menu 21 - Filter and Firewall Setup: 1. Filter Setup; 2. Firewall Setup. Enter Menu Selection Number:. Menu 21.1 - Filter Set Configuration. Filter Fil...

Page 499: ...are more rules to check, which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. N means there are no more rules to check. You can specify an action to be taken, i.e., forward the packet, drop the packet or check the next rule. For the latter, the next rule is independent of the rule just checked. m: Action Matched. F means to forward the packet immediately an...

Page 500: ...Filter Rule as shown next. Figure 294 Menu 21.1.1.1 TCP/IP Filter Rule. The following table describes how to configure your TCP/IP filter rule. Menu 21.1.1.1 - TCP/IP Filter Rule: Filter #= 1,1. Filter Type= TCP/IP Filter Rule. Active= Yes. IP Protocol= 0. IP Source Route= No. Destination: IP Addr=, IP Mask=, Port #=, Port # Comp= None. Source: IP Addr=, IP Mask=, Port #=, Port # Comp= None. TCP Estab= N/A. More= No. Log= None. Action Matched= Che...

Page 501: ...stab: This field is applicable only when the IP Protocol field is 6 (TCP). Press SPACE BAR and then ENTER to select Yes to have the rule match packets that want to establish a TCP connection (SYN=1 and ACK=0); if No, it is ignored. More: Press SPACE BAR and then ENTER to select Yes or No. If Yes, a matching packet is passed to the next filter rule before an action is taken; if No, the packet is disposed of acco...

Page 502: ...r's Guide 502 Chapter 37 Filter Configuration. Figure 295 Executing an IP Filter. 37.2.3 Configuring a Generic Filter Rule. This section shows you how to configure a generic filter rule. The purpose of generic rules is ...

Page 503: ...ric Filter Rule: Filter #= 1,1. Filter Type= Generic Filter Rule. Active= No. Offset= 0. Length= 0. Mask= N/A. Value= N/A. More= No. Log= None. Action Matched= Check Next Rule. Action Not Matched= Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Table 194 Generic Filter Rule Menu Fields. FIELD / DESCRIPTION: Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third ru...

Page 504: ...g packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No. Log: Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not ma...

Page 505: ...d A=Y, a TCP/IP filter rule Type (IP Pr= 6) for destination telnet ports (DP= 23). Menu 21.1.3.1 - TCP/IP Filter Rule: Filter #= 3,1. Filter Type= TCP/IP Filter Rule. Active= Yes. IP Protocol= 6. IP Source Route= No. Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= 23, Port # Comp= Equal. Source: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= 0, Port # Comp= None. TCP Estab= No. More= No. Log= None. Action Matched= Drop. Action Not Matched= Forward ...

Page 506: ...les. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Th...

Page 507: ...nd output filter sets filter outgoing traffic from the ZyWALL. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets. Figure 301 Filtering LAN Traffic. 37.6.2 Applying DMZ Filters. DMZ traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 5.1 (shown next) and enter the number(s) of the filter ...

Page 508: ...bers separated by commas. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and block incoming telnet, FTP and HTTP connections. Figure 303 Filtering Remote Node Traffic. Menu 5.1 - DMZ Port Filter Setup: Input Filter Sets: protocol filters=, device filters=. Output Filter Sets: protocol filters=, device filters=. Press ENTER to Confirm or ESC to Cancel. Menu 11.1.4 - Remote Node Filter ...

Page 509: ...sted Host= 0.0.0.0. Trap: Community= public, Destination= 0.0.0.0. Press ENTER to Confirm or ESC to Cancel. Table 195 SNMP Configuration Menu Fields. FIELD / DESCRIPTION: Get Community: Type the Get community, which is the password for the incoming Get and GetNext requests from the management station. Set Community: Type the Set community, which is the password for incoming Set requests from the management station...

Page 510: ...RIPTION: 0 coldStart (defined in RFC-1215): A trap is sent after booting (power on). 1 warmStart (defined in RFC-1215): A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). 6 whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before rebooti...

Page 511: ...tion on the version of your system firmware and the status and statistics of the ports, as shown in the next figure. System Status is a tool that can be used to monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: 1. Enter number 24 to go to Menu 24 - System Maintenance. 2. In this menu ...

Page 512: ...01:23:48 | 0.0.0.0 | 0.0.0.0 | Client. LAN | 00:A0:C5:01:23:45 | 192.168.1.1 | 255.255.255.0 | Server. WLAN | 00:00:00:00:00:00 | | |. DMZ | 00:A0:C5:01:23:47 | 0.0.0.0 | 0.0.0.0 | None. System up Time: 2:35:47. Press Command: COMMANDS: 1/2 - Drop WAN1/2, 9 - Reset Counters, ESC - Exit. Table 197 System Maintenance - Status Menu Fields. FIELD / DESCRIPTION: Port: This field identifies a port (WAN1, WAN2, LAN, WLAN or DMZ) on the ZyWALL. Status: This field ...

Page 513: ... Console Port Speed. 39.3.1 System Information. System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. IP Mask: This is the IP mask of the port listed on the left. DHCP: This is the DHCP setting of the port listed on the left. System up Time: This is the total time the ZyWALL has been on...

Page 514: ...1:23:45. IP Address: 192.168.1.1. IP Mask: 255.255.255.0. DHCP: Server. Press ESC or RETURN to Exit. Table 198 Fields in System Maintenance - Information. FIELD / DESCRIPTION: Name: This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com; Name= xxx.baboo.mickey.com. Routing: Refers to the routing protocol used. ZyNOS F/W Version: Refers to the version of...

Page 515: ...main menu to open Menu 24 - System Maintenance. 2. From menu 24, select option 3 to open Menu 24.3 - System Maintenance - Log and Trace. 3. Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system. After the ZyWALL finishes displaying, you will have the option to clear the error log. Figure 310 Menu 24.3 System Maintenance - Log and Trace. Examples of typical e...

Page 516: ...3 link up; 55 Thu Jul 1 05:54:56 2004 PP0d INFO LAN promiscuous mode 0; 57 Thu Jul 1 05:54:56 2004 PP0d INFO LAN promiscuous mode 1; 58 Thu Jul 1 05:54:56 2004 PINI INFO Last errorlog repeat 1 Times; 59 Thu Jul 1 05:54:56 2004 PINI INFO main init completed; 60 Thu Jul 1 05:55:26 2004 PSSV WARN SNMP TRAP 0: cold start; 61 Thu Jul 1 05:56:56 2004 PINI INFO SMT Session Begin; 62 Thu Jul 1 07:50:58 2004 PINI ...

Page 517: ...e No., ch= channel No. L02 Tunnel Connected (L2TP). C02 OutCall Connected: xxxx means connected speed, xxxxx means Remote Call Number. L02 Call Terminated. C02 Call Terminated. Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002. Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002. Jul 19 11:20:06 192.168.102.2 ...

Page 518: ...at: SdcmdSyslogSend(SYSLOG_PPPLOG, SYSLOG_NOTICE, String). String = ppp:Proto Starting | ppp:Proto Opening | ppp:Proto Closing | ppp:Proto Shutdown. Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP / PAP / IPCP / IPXCP. Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing. Jul 19 11:42:49 192.168.102.2 ZyXEL: ppp:IPCP Closing. Jul 19 11:42:54 192.168.102.2 ZyXEL: ppp:CCP Closing. Firewall Log Message Format: SdcmdSyslogSend(SYSLOG_FIRE...

Page 519: ...as shown next. IP Frame: ENET0-RECV Size: 44/44 Time: 17:02:44.262. Frame Type: IP Header: IP Version = 4, Header Length = 20, Type of Service = 0x00 (0), Total Length = 0x002C (44), Identification = 0x0002 (2), Flags = 0x00, Fragment Offset = 0x00, Time to Live = 0xFE (254), Protocol = 0x06 (TCP), Header Checksum = 0xFB20 (64288), Source IP = 0xC0A80101 (192.168.1.1), Destination IP = 0x00000000 (0.0.0.0). TCP Header: Source Port = 0x0401 (1025), Destination P...

Page 520: ...can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.x.2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or None when you have a static IP. The WAN Release and Renewal fields in menu 24.4 conveniently allow you to release and/or renew the assigned WAN IP address, subnet mask and default gateway in a fashion similar to winipcfg. Figure 315 WAN LA...

Page 521: ... the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access. Please refer to Chapter 30 on page 449 for more details. This feature is only available for dial-up connections using PPPoE or PPTP encapsulation. Reboot System: Enter 11 to reboot the ZyWALL. WAN: If you entered 2 or 3 in the Enter Menu Selection Number field, enter the number of the WAN port in this field. Host IP Addres...

Page 522: ...ZyWALL 70 User's Guide 522 Chapter 39 System Information Diagnosis ...

Page 523: ...site to use to upgrade your ZyWALL's performance. 40.2 Filename Conventions. The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing...

Page 524: ...t ZyWALL configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. FTP is the preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the do...

Page 525: ...he ZyWALL to your computer and renames it "config.rom". See earlier in this chapter for more information on filename conventions. 7. Enter "quit" to exit the ftp prompt. Menu 24.5 - Backup Configuration. To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as ...

Page 526: ...tp> bin. 200 Type I OK. ftp> get rom-0 zyxel.rom. 200 Port command okay. 150 Opening data connection for STOR ras. 226 File received OK. ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec. ftp> quit. Table 202 General Commands for GUI-based FTP Clients. COMMAND / DESCRIPTION: Host Address: Enter the address of the host server. Login Type: Anonymous. This is when a user I.D. and password is automatically supplied to...

Page 527: ...ys stdio 0" to disable the SMT timeout, so the TFTP transfer will not be interrupted. Enter command "sys stdio 5" to restore the five-minute SMT timeout (default) when the file transfer is complete. 4. Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. 5. Use the TFTP client (see the example below) to transfer files between the ZyWAL...

Page 528: ...tem Maintenance - Starting Xmodem Download Screen. 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Table 203 General Commands for GUI-based TFTP Clients. COMMAND / DESCRIPTION: Host: Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL's default IP address when shipped. Send/Fetch: Use "Send" to upload the file to the ZyWALL and "Fetch" to back up ...

Page 529: ...ation before restoring a previous back-up configuration; please do not attempt to restore unless you have a backup configuration file stored on disk. FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. Note: WARNING! Do not interrupt th...

Page 530: ...uit" to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process. Menu 24.6 - System Maintenance - Restore Configuration. To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested. 3. Type "put backupfi...

Page 531: ...lar. 1. Display menu 24.6 and enter "y" at the following screen. Figure 324 System Maintenance - Restore Configuration. 2. The following screen indicates that the Xmodem download has started. Figure 325 System Maintenance - Starting Xmodem Download Screen. 3. Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen. ftp> put config.rom rom-0. 200 Port command okay. 150 Open...

Page 532: ... you how to upload firmware and configuration files. You can upload configuration files by following the procedure in Section 40.4 on page 529 or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port). Note: WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 40.5.1 Firmware File Upload. FTP is the pre...

Page 533: ... commands, please consult the documentation of your FTP client program. For details on uploading system firmware using TFTP (note that you must remain on this menu to upload system firmware using TFTP), please see your manual. Press ENTER to Exit:. Menu 24.7.2 - System Maintenance - Upload System Configuration File. To upload the system configuration file, follow the procedure below: 1. Launch the FTP client on y...

Page 534: ...mes it "config.rom". See earlier in this chapter for more information on filename conventions. 7. Enter "quit" to exit the ftp prompt. 40.5.4 FTP Session Example of Firmware File Upload. Figure 330 FTP Session Example of Firmware File Upload. More commands (found in GUI-based FTP clients) are listed earlier in this chapter. Refer to Section 40.3.5 on page 526 to read about configurations that disallow TFTP and...

Page 535: ...ansfer from the ZyWALL to the computer, "put" the other way around, and "binary" to set binary transfer mode. 40.5.6 TFTP Upload Command Example. The following is an example TFTP command: tftp [-i] host put firmware.bin ras. Where "i" specifies binary image transfer mode (use this mode when transferring binary files), "host" is the ZyWALL's IP address, "put" transfers the file source on the computer ("firmware.bin", name of...

Page 536: ...re upload process has completed, the ZyWALL will automatically restart. 40.5.10 Uploading Configuration File Via Console Port. 1. Select 2 from Menu 24.7 - System Maintenance - Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.1 - System Maintenance - Upload System Firmware. To upload system firmware: 1. Enter ...

Page 537: ...process has completed, restart the ZyWALL by entering "atgo". Menu 24.7.2 - System Maintenance - Upload System Configuration File. To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message. 3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal. 4. After successful firmware upload, enter "atgo" to restar...

Page 538: ...ZyWALL 70 User's Guide 538 Chapter 40 Firmware and Configuration File Maintenance ...

Page 539: ...nly available with a serial connection. See the included disk (or zyxel.com) for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance. Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable. Figure 335 Command Mode in Menu 24. 41.1.1 Command Syntax. The command keywords are in courier new font. Enter the command keywords exactl...

Page 540: ...ec ppp bridge bm certificates cnm 8021x radius ras. Table 204 Valid Commands. COMMAND / DESCRIPTION: sys: The system commands display device information and configure device settings. exit: This command returns you to the SMT main menu. ether: These commands display Ethernet information and configure Ethernet settings. aux: These commands display dial backup information and control dial backup connections. ip: ...

Page 541: ...tal outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked. Call history chronicles preceding incoming and outgoing calls. To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 - System Maintenance - Call Control, as shown in the next table. Figure 337 Call Control. 41.2.1 Budget Management. Menu 24.9.1 shows the budget man...

Page 542: ...ing and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Menu 24.9.1 - Budget Management. Remote Node | Connection Time/Total Budget | Elapsed Time/Total Period: 1. WAN_1 | No Budget | No Budget; 2. WAN_2 | No Budget | No Budget; 3. Dial | No Budget | No Budget. Reset Node (0 to update screen):. Table 205 Budget Management. FIELD / DESCRIPTION / EXAMPLE: Remote Node: Enter the index...

Page 543: ...enu 24 in the main menu to open Menu 24 - System Maintenance as shown next. Menu 24.9.2 - Call History. Phone Number | Dir | Rate | #call | Max | Min | Total: 1 to 10 (empty). Enter Entry to Delete (0 to exit):. Table 206 Call History. FIELD / DESCRIPTION: Phone Number: The PPPoE service names are shown here. Dir: This shows whether the call was incoming or outgoing. Rate: This is the transfer rate of the call. #call: This is th...

Page 544: ...tem Information and Console Port Speed. 3. Log and Trace. 4. Diagnostic. 5. Backup Configuration. 6. Restore Configuration. 7. Upload Firmware. 8. Command Interpreter Mode. 9. Call Control. 10. Time and Date Setting. 11. Remote Management Setup. Enter Menu Selection Number:. Menu 24.10 - System Maintenance - Time and Date Setting. Time Protocol= NTP (RFC-1305). Time Server Address= a.ntp.alphazed.net. Current Time: 08:24:26. New T...

Page 545: ... this menu. New Date: Enter the new date in year, month and day format. This field is available when you select Manual in the Time Protocol field. Time Zone: Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local ...

Page 546: ...using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Oct., Last, Sun. and type 02 in the hr field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Oct., Last, Sun. The time you type in the h...

Page 547: ...ich ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via: Note: When you choose WAN only or ALL (LAN, WAN, DMZ), you still need to configure a firewall rule to allow access. To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 - Remote Management Control. Internet (WAN only) A...

Page 548: ...24.11 Remote Management Control. FIELD / DESCRIPTION: Telnet Server, FTP Server, SSH Server, HTTPS Server, HTTP Server, SNMP Service, DNS Service: Each of these read-only labels denotes a service that you may use to remotely manage the ZyWALL. Port: This field shows the port number for the service or protocol. You may change the port number if needed, but you must use the same port number to access the ZyWALL. Ac...

Page 549: ...management session with an equal or higher priority running. You may only have one remote management session running at one time. 6. There is a firewall rule that blocks it. Authenticate Client Certificates: Select Yes by pressing SPACE BAR, then ENTER to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that, the SSL client must have a CA-signed certif...

Page 550: ...ZyWALL 70 User's Guide 550 Chapter 42 Remote Management ...

Page 551: ...01 N SA=1.1.1.1-1.1.1.1 DA=2.2.2.2-2.2.2.5 SP=20-25 DP=20-25 P=6 T=NM PR=0 GW=192.168.1.1 T=MT PR=0; 002 N (blank); 003 N (blank); 004 N (blank) ...

Page 552: ... rule is deleted, subsequent rules do not move up in the page list. Use Go To Rule to view the page where your desired rule is listed. Select Next Page or Previous Page to view the next or previous page of rules, respectively. Select Rule: Type the policy index number you wish to edit or delete and then press ENTER. When you have completed this menu, press ENTER at the prompt "Press ENTER to Confirm" to sav...

Page 553: ...recedence= 0. Edit policy to packets received from= No. Press ENTER to Confirm or ESC to Cancel. Table 211 Menu 25.1 - IP Routing Policy Setup. FIELD / DESCRIPTION: Rule Index: This is the index number of the routing policy selected in Menu 25 - IP Routing Policy Summary. Active: Press SPACE BAR and then ENTER to select Yes to activate the policy. Criteria: IP Protocol: Enter a number that represents an IP layer 4 p...

Page 554: ...Type field. Defines the outgoing gateway address. The gateway must be on the same subnet as the ZyWALL if it is on the LAN; otherwise, the gateway must be the IP address of a remote node. The default gateway is specified as 0.0.0.0. Remote Node Idx: This field displays if you selected Remote Node in the Gateway Type field. Type 1 for WAN port 1 or 2 for WAN port 2. Redirect Packet: This field applies if you...

Page 555: ...nts the configured IP route. Menu 25.1.1 - IP Routing Policy Setup. Apply policy to packets received from: LAN= No, DMZ= No, ALL WAN= Yes, Selected Remote Node index= N/A. Press ENTER to Confirm or ESC to Cancel. Table 212 Menu 25.1.1 - IP Routing Policy Setup. FIELD / DESCRIPTION: LAN / DMZ / ALL WAN: Press SPACE BAR to select Yes or No. Choose Yes and press ENTER to apply the policy to packets received on the specific in...

Page 556: ...pply the policy to packets received on the LAN port. 3. Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly. Menu 25.1 - IP Routing Policy Setup: Rule Index= 1, Active= Yes. Criteria: IP Protocol= 6, Type of Service= Don't Care, Packet length= 10, Precedence= Don't Care, Len Comp= Equal. Source: addr start= 192.168.1.33, end= 192.168.1.64; port start= 0, end= N/A. Destination: addr start= 0.0.0.0, end= N...

Page 557: ... 6. Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly. Menu 25.1 - IP Routing Policy Setup: Rule Index= 2, Active= No. Criteria: IP Protocol= 6, Type of Service= Don't Care, Packet length= 10, Precedence= Don't Care, Len Comp= Equal. Source: addr start= 0.0.0.0, end= N/A; port start= 0, end= N/A. Destination: addr start= 0.0.0.0, end= N/A; port start= 20, end= 21. Action Matched: Gateway Type= IP Address, Gate...

Page 558: ...ZyWALL 70 User's Guide 558 Chapter 43 IP Policy Routing ...

Page 559: ... are applied in the remote node, then set 1 will take precedence over set 2, 3 and 4 as the ZyWALL, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node. Note: To delete a schedule set, enter the set number and press SPACE BAR and then ENTER (or DEL) in ...

Page 560: ...ly or be used just once only. Press SPACE BAR and then ENTER to select Once or Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When Once is selected, the schedule rule deletes automatically after the scheduled time elapses. Start Date: Enter the start date when you wish the set to take effect in year-month-date format. Valid dates are from the pres...

Page 561: ... period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial-On-Demand means that this schedule permits a demand call on the line. Disable Dial-On-Demand means that this schedule prevents a demand call on the line. When you have completed this menu, press ENTER at the prompt "Press ENTER to Confirm" to save your c...

Page 562: ...Active= Yes. Encapsulation= PPTP. Edit IP= No. Service Type= Standard. Telco Option: Allocated Budget (min)= 0, Outgoing Period (hr)= 0. My Login=. Schedules= 1,2,3,4. My Password=. Nailed-up Connections= No. Retype to Confirm=. Authen= CHAP/PAP. PPTP Session Options: My IP Addr=, Edit Filter Sets= No, My IP Mask=, Idle Timeout (sec)= 100, Server IP Addr=, Connection ID/Name=. Press ENTER to Confirm or ESC to Cancel. ...

Page 563: ...e. If the error persists, you may have a hardware problem. In this case, you should contact your vendor. Cannot access the ZyWALL via the console port: 1. Check to see if the ZyWALL is connected to your computer's console port. 2. Check to see if the communications program is configured correctly. The communications software should be configured as follows: VT100 terminal emulation; 9600 bps is the default sp...

Page 564: ...ARP (Address Resolution Protocol) table may contain an entry that maps the management IP address to the previous device's MAC address. In Windows, use arp -d at the command prompt to delete all entries in your computer's ARP table. Table 215 Troubleshooting the LAN Interface (continued). PROBLEM / CORRECTIVE ACTION. Table 216 Troubleshooting the DMZ Interface. PROBLEM / CORRECTIVE ACTION: Cannot access servers on...

Page 565: ...ded that you clone your computer's MAC address even if your ISP presently does not require MAC address authentication. If your ISP requires host name authentication, configure your computer's name as the ZyWALL's system name. Refer to Chapter 3 on page 75 or Chapter 27 on page 423. Table 218 Troubleshooting Accessing the ZyWALL. PROBLEM / CORRECTIVE ACTION: Cannot access the ZyWALL: The default password is...

Page 566: ... have configured a secured client IP address, your computer's IP address must match it. Refer to the chapter on remote management for details. Your computer's and the ZyWALL's IP addresses must be on the same subnet for LAN access. If you changed the ZyWALL's LAN IP address, then enter the new one as the URL. Remove any filters in SMT menu 3.1 (LAN) or menu 11.5 (WAN) that block web service. See the followin...

Page 567: ...ure 353 Pop-up Blocker. You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1. In Internet Explorer, select Tools, Internet Options, Privacy. 2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 354 Internet Options. 3. Click Apply to save this setting. ...

Page 568: ... following steps: 1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2. Select Settings to open the Pop-up Blocker Settings screen. Figure 355 Internet Options. 3. Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1. 4. Click Add to move the IP address to the list of Allowed sites. ...

Page 569: ... Click Close to return to the Privacy screen. 6. Click Apply to save this setting. 45.5.1.2 JavaScripts. If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 1. In Internet Explorer, click Tools, Internet Options and then the Security tab. ...

Page 570: ... 357 Internet Options. 2. Click the Custom Level button. 3. Scroll down to Scripting. 4. Under Active scripting, make sure that Enable is selected (the default). 5. Under Scripting of Java applets, make sure that Enable is selected (the default). 6. Click OK to close the window. ...

Page 571: ...s Java Scripting. 45.5.1.3 Java Permissions. 1. From Internet Explorer, click Tools, Internet Options and then the Security tab. 2. Click the Custom Level button. 3. Scroll down to Microsoft VM. 4. Under Java permissions, make sure that a safety level is selected. 5. Click OK to close the window. ...

Page 572: ...ubleshooting. Figure 359 Security Settings - Java. 45.5.1.3.1 JAVA (Sun). 1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2. Make sure that Use Java 2 for applet (under Java (Sun)) is selected. 3. Click OK to close the window. ...

Page 573: ...Figure 360 Java (Sun) ...

Page 575: ...45 Ethernet port. WAN1/WAN2: Auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports. 4-port DMZ: 4 auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports. Reset Button: Restores factory default settings. Console: RS-232 DB9F. Dial Backup: RS-232 DB9M. Extension Card Slot: For installing an optional ZyXEL wireless LAN card. Operation Temperature: 0º C ~ 50º C. Storage Temperature: -30º C ~ 60º C. Ope...

Page 576: ...User Authentication (Internal Database and External RADIUS); DH1/2; RSA signature; IKE/PKI support. Content Filtering: Web page blocking by URL keyword; External database content filtering; Java/ActiveX/Cookie/News blocking. Traffic Management: Guaranteed/Maximum Bandwidth; Policy-based Traffic shaping; Priority-bandwidth utilization; Static Routes. High Availability (HA): Auto fail-over/fall-back; Dial Backup; Dual ...

Page 577: ... Protocol (link layer protocol). Transparent bridging for unsupported network layer protocols. DHCP Server/Client/Relay. RIP I/RIP II. ICMP. SNMP v1 and v2c with MIB II support (RFC 1213). IP Multicasting IGMP v1 and v2. IGMP Proxy. UPnP. Other Features: Transparent Firewall (Bridge mode); Load Balancing; Dynamic DNS; IP Alias; Static Routes; IP Policy Routing; Bandwidth Management. Table 222 Feature Specifications. FEAT...

Page 578: ...in connector end of the PCMCIA or CardBus wireless LAN card into the slot as shown next. Note: Only certain ZyXEL wireless LAN cards are compatible with the ZyWALL. Do not force, bend or twist the wireless LAN card. Number of DNS Address Record Entries: 8. Number of DNS Name Server Record Entries: 16. Table 222 Feature Specifications (continued): FEATURE | SPECIFICATION. Table 223 Compatible ZyXEL WLAN Cards and...

Page 579: ...unications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect a modem to the dial backup port. (2) Figure 362 Console/Dial Backup Port Pin Layout. (2) Pins 2, 3 and 5 are used. ...

Page 580: ...D; Pin 4: DCE DSR; Pin 5: GND; Pin 6: DCE DTR; Pin 7: DCE CTS; Pin 8: DCE RTS; PIN 9: NON. Pin 1: NON; Pin 2: DTE RXD; Pin 3: DTE TXD; Pin 4: DTE DTR; Pin 5: GND; Pin 6: DTE DSR; Pin 7: DTE RTS; Pin 8: DTE CTS; PIN 9: NON. The CON/AUX port also has these pin assignments. The CON/AUX switch changes the setting in the firmware only and does not change the CON/AUX port's pin assignments. ZyWALLs with a CON/AUX port also have a 9-pin...

Page 581: ...en the power switch and the power port. Use a small flat-head screwdriver to carefully pry out the fuse housing. 4. A burnt-out fuse is blackened, darkened or cloudy inside its glass casing. A working fuse has a completely clear glass casing. Pull gently but firmly to remove the burnt-out fuse from the fuse housing. Dispose of the burnt-out fuse. Installing a Fuse. 1. The ZyWALL is shipped from the factory ...

Page 583: ...1 requires the purchase of a third-party TCP/IP application package. TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems. After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to communicate with your network. If you manually assign IP information instead of using dynamic assignment, make sure that y...

Page 584: ...Microsoft Networks. If you need the adapter: 1. In the Network window, click Add. 2. Select Adapter and then click Add. 3. Select the manufacturer and model of your network adapter and then click OK. If you need TCP/IP: 1. In the Network window, click Add. 2. Select Protocol and then click Add. 3. Select Microsoft from the list of manufacturers. 4. Select TCP/IP from the list of network protocols and then click OK. ...

Page 585: ...apter's TCP/IP entry and click Properties. 2. Click the IP Address tab. If your IP address is dynamic, select Obtain an IP address automatically. If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Figure 365 Windows 95/98/Me: TCP/IP Properties: IP Address. 3. Click the DNS Configuration tab. If you do not know your DNS informatio...

Page 586: ...ose the TCP/IP Properties window. 6. Click OK to close the Network window. Insert the Windows CD if prompted. 7. Turn on your ZyWALL and restart your computer when prompted. Verifying Settings. 1. Click Start and then Run. 2. In the Run window, type winipcfg and then click OK to open the IP Configuration window. 3. Select your network adapter. You should see your computer's IP address, subnet mask and default ga...

Page 587: ...er's IP Address. Figure 367 Windows XP: Start Menu. 2. In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 368 Windows XP: Control Panel. 3. Right-click Local Area Connection and then click Properties. ...

Page 588: ...nections Properties. 4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 370 Windows XP: Local Area Connection Properties. 5. The Internet Protocol (TCP/IP) Properties window opens (the General tab in Windows XP). If you have a dynamic IP address, click Obtain an IP address automatically. ...

Page 589: ...ure additional IP addresses: In the IP Settings tab, in IP addresses, click Add. In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add. Repeat the above two steps for each IP address you want to add. Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. In TCP/IP Gateway Address, type the IP address of the default...

Page 590: ...he General tab in Windows XP. Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. ...

Page 591: ...work Connections window (Network and Dial-up Connections in Windows 2000/NT). 11. Turn on your ZyWALL and restart your computer (if prompted). Verifying Settings. 1. Click Start, All Programs, Accessories and then Command Prompt. 2. In the Command Prompt window, type ipconfig and then press ENTER. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Ma...

Page 592: ...ng up Your Computer's IP Address. Figure 374 Macintosh OS 8/9: Apple Menu. 2. Select Ethernet built-in from the Connect via list. Figure 375 Macintosh OS 8/9: TCP/IP. 3. For dynamically assigned settings, select Using DHCP Server from the Configure list. ...

Page 593: ...k Save if prompted, to save changes to your configuration. 7. Turn on your ZyWALL and restart your computer (if prompted). Verifying Settings: Check your TCP/IP properties in the TCP/IP Control Panel window. Macintosh OS X. 1. Click the Apple menu, and click System Preferences to open the System Preferences window. Figure 376 Macintosh OS X: Apple Menu. 2. Click Network in the icon bar. Select Automatic from the ...

Page 594: ...ing: From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your ZyWALL in the Router address box. 5. Click Apply Now and close the window. 6. Turn on your ZyWALL and restart your computer (if prompted). Verifying Settings: Check your TCP/IP properties in the Network window. ...

Page 595: ...ss, the first two octets make up the network number and the two remaining octets make up the host ID. Class C addresses begin (starting from the left) with 1 1 0. In a class C address, the first three octets make up the network number and the last octet is the host ID. Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. There is also a class E address. It is reserved for futur...

Page 596: ...host ID. Subnet masks are expressed in dotted decimal notation just as IP addresses are. The natural masks for class A, B and C IP addresses are as follows. Subnetting. With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network nu...

Page 597: ...ss 192.168.1.0 with subnet mask of 255.255.255.0. The first three octets of the address make up the network number (class C). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The borrowed host ID bit can be either 0 or 1, thus giving two subnets: 192.168.1.0 with mask 255.255.25...

Page 598: ... 255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254. Table 230 Subnet 1 (NETWORK NUMBER | LAST OCTET BIT VALUE): IP Address: 192.168.1.0. IP Address (Binary): 11000000.101...

Page 599: ...0. IP Address (Binary): 11000000.10101000.00000001.00000000. Subnet Mask (Binary): 11111111.11111111.11111111.11000000. Subnet Address: 192.168.1.0. Lowest Host ID: 192.168.1.1. Broadcast Address: 192.168.1.63. Highest Host ID: 192.168.1.62. Table 233 Subnet 2 (NETWORK NUMBER | LAST OCTET BIT VALUE): IP Address: 192.168.1.64. IP Address (Binary): 11000000.10101000.00000001.01000000. Subnet Mask (Binary): 11111111.11111111.11111...

Page 600: ...11111111.11111111.11000000. Subnet Address: 192.168.1.192. Lowest Host ID: 192.168.1.193. Broadcast Address: 192.168.1.255. Highest Host ID: 192.168.1.254. Table 236 Eight Subnets (SUBNET | SUBNET ADDRESS | FIRST ADDRESS | LAST ADDRESS | BROADCAST ADDRESS): 1 | 0 | 1 | 30 | 31; 2 | 32 | 33 | 62 | 63; 3 | 64 | 65 | 94 | 95; 4 | 96 | 97 | 126 | 127; 5 | 128 | 129 | 158 | 159; 6 | 160 | 161 | 190 | 191; 7 | 192 | 193 | 222 | 223; 8 | 224 | 225 | 254 | 255. Table 237 Class C Subnet Planning ...

Page 601: ...subnetting. The following table is a summary for class B subnet planning. Table 238 Class B Subnet Planning (NO. BORROWED HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET): 1 | 255.255.128.0 (/17) | 2 | 32766; 2 | 255.255.192.0 (/18) | 4 | 16382; 3 | 255.255.224.0 (/19) | 8 | 8190; 4 | 255.255.240.0 (/20) | 16 | 4094; 5 | 255.255.248.0 (/21) | 32 | 2046; 6 | 255.255.252.0 (/22) | 64 | 1022; 7 | 255.255.254.0 (/23) | 128 | 510; 8 | 255.255.255.0 (/24) | 256 | 254; 9 | 255.255.255...

Page 603: ... a manner similar to dial-up services using PPP. Benefits of PPPoE. PPPoE offers the following benefits: It provides you with a familiar dial-up networking (DUN) user interface. It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users. For GSTN (PSTN and ISDN), the switching fabric is already in place. It allows the ISP to use t...

Page 604: ...ess Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions. With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and is between the modem and the AC, as opposed to all the way to the ISP. However, the PPP negotiation is between the computer and the ISP. ZyWALL as a PPPoE Client. When using the ZyWALL as a PPPoE client, the comp...

Page 605: ...is that it requires one separate ATM VC per destination. Figure 380 Transport PPP frames over Ethernet. PPTP and the ZyWALL. When the ZyWALL is deployed in such a setup, it appears as a computer to the ANT. In Windows VPN or PPTP Pass-Through feature, the PPTP tunneling is created from Windows 95, 98 and NT clients to an NT server in a remote location. The pass-through feature allows users on the network ...

Page 606: ...lity. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS. Figure 381 PPTP Protocol Overview. Microsoft includes PPTP as a part of the Windows OS. In Microsoft's implementation, the computer, and hence the ZyWALL, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RF...

Page 607: ...essage Exchange between Computer and an ANT. PPP Data Connection. The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701/1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. ...

Page 609: ...k or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an Ad-hoc wireless LAN. Figure 383 Peer-to-Peer Communication in an Ad-hoc Network. BSS. A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP). Intra-BSS tr...

Page 610: ...red connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the s...

Page 611: ...overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. RTS/CTS. A hidden node occurs when two stations are within range of the same access point, but are not within range...

Page 612: ...nsmission. It also reserves and confirms with the requesting station the time frame for the requested transmission. Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the...

Page 613: ...g preamble. However, not all wireless adapters support short preamble. Use long preamble if you are unsure what preamble mode the wireless adapters support, to ensure interoperability between the AP and the wireless stations, and to provide more reliable communication in noisy networks. Select Dynamic to have the AP automatically use short preamble when all wireless stations support it; otherwise the AP ...

Page 614: ... wireless stations. RADIUS. RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: Authentication: Determines the identity of the users. Authorization: Determines the network services available to authenticated users once they are connected to the ...

Page 615: ...anged is also encrypted to protect the network from unauthorized access. EAP Authentication. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server per...

Page 616: ...authentication server, as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security). With EAP-TLS, digital certifications are needed by both the server and the wireless stations for mutual authentication. The serv...

Page 617: ...ation. EAP-GTC is implemented only by Cisco LEAP. LEAP. LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. WEP Encryption. WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access poi...

Page 618: ...age using the AP's default WEP key. If the decrypted message matches the challenge text, the wireless station is authenticated. When your device authentication method is set to open system, it will only accept open system authentication requests. The same is true for shared key authentication. However, when it is set to auto authentication, the device will accept either type of authentication request and ...

Page 619: ...ge Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique ...

Page 620: ...word-guessing attacks but it's still an improvement over WEP as it employs an easier-to-use, consistent, single, alphanumeric password. Security Parameters Summary. Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features. Roaming. A wireless...

Page 621: ...N about the change. The new information is then propagated to the other access points on the LAN. An example is shown in Figure 389. If the roaming feature is not enabled on the access points, information is not communicated between the access points when a wireless station moves between coverage areas. The wireless station may not be able to communicate with other wireless stations on the network and ...

Page 622: ...E 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station. 3. The adjacent access points should use different radio channels when their coverage areas overlap. 4. All access points must use the same port number to relay roaming information. 5. The access points must be connected to the Ethernet and be able ...

Page 623: ...ing data packets between two Ethernet devices. Some companies have more than one alternate route to one or more ISPs. If the LAN and ISP(s) are in the same subnet, the triangle route problem may occur. The steps below describe the triangle route problem. 1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN. 2. The ZyWALL reroutes the SYN packet throug...

Page 624: ...faces with the ZyWALL being the gateway for each logical network. By putting your LAN and Gateway B in different subnets, all returning network traffic must pass through the ZyWALL to your LAN. The following steps describe such a scenario. 1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN. 2. The ZyWALL reroutes the packet to Gateway B, which is in th...

Page 625: ... ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore, your LAN is protected. Figure 393 Gateways on the WAN Side. Configuring Triangle Route via Commands. 1. From the SMT main menu, enter 24. 2. Enter 8 in menu 24 to enter CI command mode. 3. Use the following command to allow triangle route: sys firewall ignore triangle all on, or this command to disallow triangle route...

Page 627: ...as a SIP address. A complete SIP identity is called a SIP URI (Uniform Resource Identifier). A SIP account's URI identifies the SIP account in a way similar to the way an e-mail address identifies an e-mail account. The format of a SIP identity is SIP-Number@SIP-Service-Domain. SIP Number. The SIP number is the part of the SIP URI that comes before the "@" symbol. A SIP number can use letters like in an e-mai...

Page 628: ...ends SIP requests. A SIP server responds to the SIP requests. When you use SIP to make a VoIP call, it originates at a client and terminates at a server. A SIP client could be a computer or a SIP phone. One device can act as both a SIP client and a SIP server. SIP User Agent Server. A SIP user agent server can make and receive VoIP telephone calls. This means that SIP can be used for peer-to-peer communic...

Page 629: ...ress to an IP address and sends the translated IP address back to the device that sent the request. Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server. Redirect servers do not initiate SIP requests. In the following example, you want to use client device A to call someone who is using client device C. 1. Client devic...

Page 630: ...s through NAT by examining and translating IP addresses embedded in the data stream. When a VoIP device (SIP client) behind the SIP ALG registers with the SIP register server, the SIP ALG translates the device's private IP address inside the SIP data stream to a public IP address. You do not need to use STUN if your VoIP device is behind the SIP ALG. STUN. STUN (Simple Traversal of User Datagram Protocol ...

Page 631: ...LL dynamically creates an implicit port forwarding rule for SIP traffic from the WAN to the LAN. The SIP ALG on the ZyWALL supports all NAT mapping types, including One to One, Many to One, Many to Many Overload and Many One to One. SIP ALG and Firewall. The ZyWALL creates an implicit temporary firewall rule for the dynamic RTP port on the WAN to the SIP client device on the LAN. The firewall rule is cre...

Page 632: ...le behind the ZyWALL without STUN, use the ip alg enable ALG_SIP command to activate the SIP ALG. Signaling Session Timeout. Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP UA sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no call during the ZyW...

Page 633: ... manually create any static IP routes for the remote VPN site. They are not required. Dynamic IPSec Rule. Create a dynamic rule by setting the Remote Gateway Address to 0.0.0.0. A single dynamic rule can support multiple simultaneous incoming IPSec connections. All users of a dynamic rule have the same pre-shared key. You may need to change the pre-shared key if one of the users leaves. See the support n...

Page 634: ... Address settings with your own values. VPN Configuration. This section gives a VPN rule configuration example using the web configurator. 1. Click VPN to display the following screen. Click the add gateway policy icon to add an IPSec rule (or gateway policy). Figure 398 VPN Rules. 2. Configure the screens in the headquarters and the branch office as follows and click Apply. The pre-shared key must be exactl...

Page 635: ...Figure 399 Headquarters Gateway Policy Edit. The IP address of the branch ...

Page 636: ...Figure 400 Branch Office Gateway Policy Edit. 3. Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy. The IP address of the headquarters IPSec router. ...

Page 637: ...Figure 401 Headquarters VPN Rule. Figure 402 Branch Office VPN Rule. 4. Configure the screens in the headquarters and the branch office as follows and click Apply. ...

Page 638: ...Figure 403 Headquarters Network Policy Edit. IP addresses on different subnets. Activate the network policy. ...

Page 639: ...etwork Policy Edit. Dialing the VPN Tunnel via Web Configurator. To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. IP addresses on different subnets. Activate the network policy. ...

Page 640: ...Figure 405 VPN Rule Configured. The following screen displays. Figure 406 VPN Dial. This screen displays later if the IPSec routers can build the VPN tunnel. Figure 407 VPN Tunnel Established. ...

Page 641: ... routers. Check the settings in each field methodically and slowly. VPN Log. The system log can often help to identify a configuration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel. View the log via the web configurator LOGS View Log screen or type sys log disp from SMT Menu 24.8. See Appendix R on page 677...

Page 642: ... 6.7.8 | 5.1.2.3 | IKE | The cookie pair is: 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA. 11 | 01/11/2001 18:47:17 | 5.6.7.8 | 5.1.2.3 | IKE | Start Phase 2: Quick Mode. 12 | 01/11/2001 18:47:17 | 5.6.7.8 | 5.1.2.3 | IKE | The cookie pair is: 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA. 13 | 01/11/2001 18:47:17 | 5.6.7.8 | 5.1.2.3 | IKE | Phase 1 IKE SA process done. 14 | 01/11/2001 18:47:17 | 5.6.7.8 | 5.1.2.3 | IKE | The cookie pair is: 0xDAC0B43FBDE154F5 / 0xC5...

Page 643: ...All. ras> ipsec debug level (0: None, 1: User, 2: Low, 3: High). ras> ipsec debug type 1 on. ras> ipsec debug type 2 on. ras> ipsec debug level 3. ras> ipsec dial 1. get_ipsec_sa_by_policyIndex(): Start dialing for tunnel rule 1. ikeStartNegotiate(): saIndex 0, peerIp 5.1.2.3, protocol IPSEC_ESP (3). peer Ip 5.1.2.3, initiator, type IPSEC_ESP, exch Main. initiator, protocol IPSEC_ESP, exchange mode Main mode. find_ipsec_sa(): find ipsec s...

Page 644: ...u were at the office instead of connected through the Internet. FTP Example. The following example shows a text-based login from a branch office computer to an FTP server behind the remote IPSec router at headquarters. The server's IP address (192.168.10.33) is in the subnet configured in the Local Policy fields in Figure 399 on page 635. C:\Documents and Settings\Administrator>ftp 192.168.10.33. Connecte...

Page 645: ... Certificate. Importing the ZyWALL's Certificate into Internet Explorer. For Internet Explorer to trust a self-signed certificate from the ZyWALL, simply import the self-signed certificate into your operating system as a trusted certification authority. To have Internet Explorer trust a ZyWALL certificate issued by a certificate authority, import the certificate authority's certificate into your operat...

Page 646: ...Figure 411 Login Screen. 2. Click Install Certificate to open the Install Certificate wizard. Figure 412 Certificate General Information before Import. 3. Click Next to begin the Install Certificate wizard. ...

Page 647: ...Figure 413 Certificate Import Wizard 1. 4. Select where you would like to store the certificate and then click Next. Figure 414 Certificate Import Wizard 2. 5. Click Finish to complete the Import Certificate wizard. ...

Page 648: ...Figure 415 Certificate Import Wizard 3. 6. Click Yes to add the ZyWALL certificate to the root store. Figure 416 Root Certificate Store. ...

Page 649: ...eds a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL's Trusted CA web configurator screen). ...

Page 650: ...d CA Screen. The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA's Certificate. 1. Double-click the CA's trusted certificate to produce a screen similar to the one shown next. ...

Page 651: ...e wizard as shown earlier in this appendix. Installing Your Personal Certificate(s). You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1. Click Next to begin the wizard. ...

Page 652: ...icate Import Wizard 1. 2. The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 421 Personal Certificate Import Wizard 2. 3. Enter the password given to you by the CA. ...

Page 653: ...ort Wizard 3. 4. Have the wizard determine where the certificate should be saved on your computer, or select Place all certificates in the following store and choose a different location. Figure 423 Personal Certificate Import Wizard 4. 5. Click Finish to complete the wizard and begin the import process. ...

Page 654: ... 6. Using a Certificate When Accessing the ZyWALL Example. Use the following procedure to access the ZyWALL via HTTPS. 1. Enter https://ZyWALL IP Address in your browser's web address field. Figure 426 Access the ZyWALL Via HTTPS. 2. When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even ...

Page 655: ...Figure 427 SSL Client Authentication. 3. You next see the ZyWALL login screen. Figure 428 ZyWALL Secure Login Screen. ...

Page 657: ...nit and possibly render it unusable. Command Syntax. The command keywords are in courier new font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means "or". For example, sys filter netbios config <type> <on|off> means that you must specify the type of net...

Page 659: ...config display firewall: This command shows all of the firewall settings, including e-mail, attack, and the sets/rules. config display firewall set <set #>: This command shows the current configuration of a set, including timeout values, name, default-permit, and etc. If you don't use a number after set, information about all of the sets/rules appears. config display firewall set <set #> rule <rule #>: This command...

Page 660: ...e-mail hour <0-23>: This command sets the hour when the firewall log is sent through e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis. config edit firewall e-mail minute <0-59>: This command sets the minute of the hour for the firewall log to be sent via e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis. Attack. config edit firewall attack send-alert <yes|no>: T...

Page 661: ...h the same destination where the ZyWALL starts dropping half-open sessions to that destination. Sets. config edit firewall set <set #> name <desired name>: This command sets a name to identify a specified set. config edit firewall set <set #> default-permit <forward|block>: This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set. config edit firewall set <set #> icmp...

Page 662: ...command sets the ZyWALL to log traffic that matches the rule, doesn't match, both or neither. config edit firewall set <set #> rule <rule #> alert <yes|no>: This command sets whether or not the ZyWALL sends an alert e-mail when a DOS attack or a violation of a particular rule occurs. config edit firewall set <set #> rule <rule #> srcaddr-single <ip address>: This command sets the rule to have the ZyWALL check for traffic w...

Page 663: ... a rule to have the ZyWALL check for TCP traffic with a destination port in this range. config edit firewall set <set #> rule <rule #> UDP destport-single <port #>: This command sets a rule to have the ZyWALL check for UDP traffic with this destination address. You may repeat this command to enter various, non-consecutive port numbers. config edit firewall set <set #> rule <rule #> UDP destport-range <start port #> <end port #>: T...

Page 665: ...ing of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. Allow or disallow the sending of NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN. Allow or disallow the sending of NetBIOS packets through VPN connections. Allow or disallow NetBIOS packets to initiate call...

Page 666: ...er dial: This field displays whether NetBIOS packets are allowed to initiate calls. Disabled means that NetBIOS packets are blocked from initiating calls. Disabled. type: Identify which NetBIOS filter (numbered 0-3) to configure. 0 = Between LAN and WAN; 1 = Between LAN and DMZ; 2 = Between WAN and DMZ; 3 = IPSec packet pass through; 4 = Trigger Dial. on/off: For type 0 and 1, use on to enable the filter and block NetBIOS...

Page 667: ...sys filter netbios config 3 on: This command blocks IPSec NetBIOS packets. sys filter netbios config 4 off: This command stops NetBIOS commands from initiating calls. ...

Page 669: ...t name specifies a descriptive name for the generated certification request. subject specifies a subject name (required) and alternative name (required). The format is: subject name dn|ip|dns|email value. If the name contains spaces, please put it in quotes. key size specifies the key size. It has to be an integer from 512 to 2048. The default is 1024 bits. create scep_enroll <name> <CA addr> <CA cert> <auth key> <subj...

Page 670: ...ive name is not specified for the imported certificate, the certificate will adopt the descriptive name of the certification request. export <name>: Export the PEM-encoded certificate to stdout for the user to copy and paste. name specifies the name of the certificate to be exported. view <name>: View the information of the specified local host certificate. name specifies the name of the certificate to be viewed...

Page 671: ...rusted CA certificate names and basic information. rename <old name> <new name>: Rename the specified trusted CA certificate. old name specifies the name of the certificate to be renamed; new name specifies the new name as which the certificate is to be saved. crl_issuer <name> <on|off>: Specify whether or not the specified CA issues CRLs. name specifies the name of the CA certificate; on/off specifies whether or ...

Page 672: ...rd if required. The format is login:password. delete <name>: Delete the specified directory service. name specifies the name of the directory server to be deleted. view <name>: View the specified directory service. name specifies the name of the directory server to be viewed. edit <name> <addr[:port]> <login:pswd>: Edit the specified directory service. name specifies the name of the directory server to be edited. addr p...

Page 673: ...on on the command structure. Example: sys pwderrtm 5. This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered. Table 246 Brute Force Password Guessing Protection Commands. COMMAND / DESCRIPTION: sys pwderrtm: This command displays the brute force password guessing protection settings. sys pwderrtm 0: This command turns off ...

Page 675: ...ALL boot module commands as shown in the next screen. ATBAx allows you to change the console port speed. The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows; for example, ATBA3 will give a console port speed of 9.6 Kbps. ATSE displays the seed that is used to generate a password to turn on the debug flag in the firmware. The...

Page 676: ...x,y: dump memory contents from address x for length y. ATRBx: display the 8-bit value of address x. ATRWx: display the 16-bit value of address x. ATRLx: display the 32-bit value of address x. ATGO x: run program at addr x or boot router. ATGR: boot router. ATGT: run Hardware Test Program. ATRTw,x,y,z: RAM test level w from address x to y, z iterations. ATSH: dump manufacturer-related data in ROM. ATDOx,y: download fr...

Page 677: ...ssful TELNET login: Someone has logged on to the router via telnet. TELNET login failed: Someone has failed to log on to the router via telnet. Successful FTP login: Someone has logged on to the router via ftp. FTP login failed: Someone has failed to log on to the router via ftp. NAT Session Table is Full: The maximum number of NAT session table entries has been exceeded and the table is full. Starting Conn...

Page 678: ...the max number of session per host: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host. setNetBIOSFilter: calloc error: The router failed to allocate memory for the NetBIOS filter settings. readNetBIOSFilter: calloc error: The router failed to allocate memory for the NetBIOS filter settings. WAN connection is down: A WAN connection is...

Page 679: ...e maximum sessions per host. Firewall allowed a packet that matched a NAT session: [TCP | UDP]: A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN. Table 250 TCP Reset Logs. LOG MESSAGE / DESCRIPTION: Under SYN flood attack, sent TCP RST: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host). Ex...

Page 680: ...d set %d rule %d: Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule. Table 252 ICMP Logs. LOG MESSAGE / DESCRIPTION: Firewall default policy: ICMP (Packet Direction), type %d, code %d: ICMP access matched the default policy and was blocked or forwarded according to the user's setting. Firewall rule NOT match: ICMP (Packet Direction)...

Page 681: ...The PPP connection's Link Control Protocol stage has started. ppp:LCP Opening: The PPP connection's Link Control Protocol stage is opening. ppp:CHAP Opening: The PPP connection's Challenge Handshake Authentication Protocol stage is opening. ppp:IPCP Starting: The PPP connection's Internet Protocol Control Protocol stage is starting. ppp:IPCP Opening: The PPP connection's Internet Protocol Control Protocol...

Page 682: ...er is not on according to the time schedule, or you didn't select the Block Matched Web Site checkbox, the system forwards the web content. Waiting content filter server timeout: The external content filtering server did not respond within the timeout period. DNS resolving failed: The ZyWALL cannot get the IP address of the external content filtering server via DNS query. Creating socket failed: The ZyWALL canno...

Page 683: ...ity ICMP (type %d, code %d): The firewall detected an ICMP vulnerability attack. traceroute ICMP (type %d, code %d): The firewall detected an ICMP traceroute attack. ports scan UDP: The firewall detected a UDP port scan attack. Firewall sent TCP packet in response to DoS attack TCP: The firewall sent a TCP packet in response to a DoS attack. ICMP Source Quench ICMP: The firewall detected an ICMP Source Quench attack. I...

Page 684: ...RIPTION: WLAN MAC Filter Fail: The MAC filter blocked a wireless station from connecting to the device. WLAN MAC Filter Success: The MAC filter allowed a wireless station to connect to the device. WLAN STA Association: A wireless station associated with the device. WLAN STA Association List Full: The maximum number of associated wireless clients has been reached. WLAN STA Association Again: The SSID and tim...

Page 685: ... failed: The connection failed during IKE phase 2 because the router's and the peer's Local/Remote Addresses don't match. IKE Packet Retransmit: The router retransmitted the last packet sent because there was no response from the peer. Failed to send IKE Packet: An Ethernet error stopped the router from sending IKE packets. Too many errors! Deleting SA: An SA was deleted because there were too many errors. P...

Page 686: ...s Peer ID Type is different from the peer IPSec router's Local ID Type. Phase 1 ID content mismatch: This router's Peer ID Content is different from the peer IPSec router's Local ID Content. No known phase 1 ID type found: The router could not find a known phase 1 ID in the connection attempt. ID type mismatch. Local/Peer: Local ID type/Peer ID type: The phase 1 ID types do not match. ID content mismatch: T...

Page 687: ...The listed rule's IKE phase 2 encapsulation did not match between the router and the peer. Rule %d Phase 2 pfs mismatch: The listed rule's IKE phase 2 perfect forward secrecy (pfs) setting did not match between the router and the peer. Rule %d Phase 1 ID mismatch: The listed rule's IKE phase 1 ID did not match between the router and the peer. Rule %d Phase 1 hash mismatch: The listed rule's IKE phase 1 hash d...

Page 688: ...rt <subject name>: The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd user cert <subject name>: The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd CRL <size>: <issuer name>: The router re...

Page 689: ...1 Algorithm mismatch between the certificate and the search constraints. 2 Key usage mismatch between the certificate and the search constraints. 3 Certificate was not valid in the time interval. 4 Not used. 5 Certificate is not valid. 6 Certificate signature was not verified correctly. 7 Certificate was revoked by a CRL. 8 Certificate was not added to the cache. 9 Certificate decoding failed. 10 Certifica...

Page 690: ...n expired. User logout because of user deassociation: The router logged out a user who ended the session. User logout because of no authentication response from user: The router logged out a user from which there was no authentication response. User logout because of idle timeout expired: The router logged out a user whose idle timeout period expired. User logout because of user request: A user logged out...

Page 691: ...yWALL: ACL set for packets traveling from the WAN to the WAN or the ZyWALL. D to D/ZW: DMZ to DMZ/ZyWALL: ACL set for packets traveling from the DMZ to the DMZ or the ZyWALL. Table 266 ICMP Notes. TYPE / CODE / DESCRIPTION: 0 Echo Reply: 0 Echo reply message. 3 Destination Unreachable: 0 Net unreachable; 1 Host unreachable; 2 Protocol unreachable; 3 Port unreachable; 4 A packet that needed fragmentation was dropped ...

Page 692: ...src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>". This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log's syslog class. The definitions of messages and notes are given in the various log charts throughout this ap...

Page 693: ... record. 2 Use sys logs category to view a list of the log categories. Figure 431 Displaying Log Categories Example. 3 Use sys logs category followed by a log category to display the parameters that are available for the category. Table 268 RFC 2408 ISAKMP Payload Types. LOG DISPLAY / PAYLOAD TYPE: SA Security Association; PROP Proposal; TRANS Transform; KE Key Exchange; ID Identification; CER Certificate; CER_...

Page 694: ...vailable with every category. 5 Use the sys logs save command to store the settings in the ZyWALL (you must do this in order to record logs). Displaying Logs: Use the sys logs display command to show all of the logs in the ZyWALL's log. Use the sys logs category display command to show the log settings for all of the log categories. Use the sys logs display <log category> command to show the logs in an ind...

Page 695: ... |ACCESS BLOCK|Firewall default policy: IGMP (W to W/ZW)
1|06/08/2004 05:58:20|172.21.3.56|239.255.255.250|ACCESS BLOCK|Firewall default policy: IGMP (W to W/ZW)
2|06/08/2004 05:58:20|172.21.0.2|239.255.255.254|ACCESS BLOCK|Firewall default policy: IGMP (W to W/ZW)
3|06/08/2004 05:58:20|172.21.3.191|224.0.1.22|ACCESS BLOCK|Firewall default policy: IGMP (W to W/ZW)
4|06/08/2004 05:58:20|172.21.0.254|224.0.0.1|A...

Page 697: ...Auto negotiating 10 100 Mbps Ethernet DMZ 49 auto negotiation 49 50 AWG 5 B Backup 410 524 Backup WAN 50 Bandwidth Borrowing 329 Bandwidth Class 325 Bandwidth Filter 325 336 Bandwidth Management 51 325 Bandwidth Management Statistics 337 Bandwidth Manager Class Configuration 334 Bandwidth Manager Class Setup 332 Bandwidth Manager Monitor 338 Bandwidth Manager Summary 331 Basement 5 Blocking Time 1...

Page 698: ...ting 190 Customer Support 7 D Dampness 5 Danger 5 Data Encryption Standard DES 231 DDNS Configuration 425 DDNS Type 427 Dealer 4 Default 412 Defective 6 Denial of Service 168 169 198 493 Denial of Services Thresholds 199 Denmark Contact Information 7 DES 231 Destination Address 181 DHCP 71 93 96 106 350 397 443 DHCP Dynamic Host Configuration Protocol 55 DHCP Ethernet Setup 442 DHCP Table 71 Diagn...

Page 699: ...d Contact Information 7 Firewall 52 Access Methods 179 Activating 493 Address Type 189 Alerts 183 Connection Direction 181 Creating Editing Rules 187 Custom Ports See Custom Ports 190 Firewall Vs Filters 177 Guidelines For Enhancing Security 177 Introduction 168 Policies 179 Rule Logic 180 Services 194 SMT Menus 493 Types 167 When To Use 178 Firewall Threshold 199 Firmware File Maintenance 523 Fit...

Page 700: ...y IPSec 229 Introduction to Filters 495 IP Address 71 94 96 106 141 142 307 309 310 443 445 450 467 480 Remote 436 IP Address Assignment 450 467 IP Addressing 595 IP Alias 54 445 IP Alias Setup 444 IP Classes 595 IP Multicast 54 Internet Group Management Protocol IGMP 54 IP Policy Routing 54 IP Pool 97 443 IP Pool Setup 93 IP Ports 169 IP Routing Policy IPPR 319 Benefits 319 Cost Savings 319 Crite...

Page 701: ... IP Addr 466 My WAN Address 436 myZyXEL com 217 device registration 220 N Nailed Up Connection 465 Nailed up Connection 464 Nailed Up Connections 466 NAT 94 307 308 436 437 467 468 506 Application 299 Applying NAT in the SMT Menus 473 Configuring 475 Definitions 297 Examples 483 How NAT Works 298 Mapping Types 300 NAT Unfriendly Application Programs 489 Ordering Rules 478 Port Restricted Cone 300 ...

Page 702: ...ucts 6 Proof of Purchase 6 Proper Operating Condition 6 Proportional Bandwidth Allocation 326 Protocol Filters 445 Incoming 445 Outgoing 445 Protocol Port 393 394 Purchase Proof of 6 Purchaser 6 Q Qualified Service Personnel 5 Quality of Service 319 Quick Start Guide 59 R Radio Communications 4 Radio Frequency Energy 4 Radio Interference 4 Radio Reception 4 Radio Technician 4 RADIUS 52 614 Shared ...

Page 703: ...chedules 465 466 Secure FTP Using SSH Example 366 Secure Telnet Using SSH Example 365 Security Parameters 620 Security Ramifications 181 Separation Between Equipment and Receiver 4 Serial Number 7 218 Server 301 401 402 450 463 475 477 480 481 483 485 486 545 Server IP 463 Service 5 6 181 Service Name 465 Service Personnel 5 Service Set 116 Service Type 190 450 462 Services 307 Session Initiation ...

Page 704: ... TCP IP filter rule 500 Teardrop 170 Telecommunication Line Cord 5 Telephone 7 Television Interference 4 Television Reception 4 Telnet 367 Telnet Configuration 367 Temporal Key Integrity Protocol TKIP 619 Terminal Emulation 415 TFTP 527 File Upload 534 GUI based Clients 528 TFTP and FTP over WAN 526 TFTP Restrictions 353 526 549 Three Way Handshake 170 Threshold Values 198 Thunderstorm 5 Time and ...

Page 705: ...67 Web Configurator 59 62 168 177 181 494 Web Site 7 Web Site Hits 393 394 WEP Encryption 53 118 123 126 WEP encryption 617 Wet Basement 5 Wireless LAN 50 Wireless LAN MAC Address Filtering 53 Wireless LAN Setup 445 Wizard Setup 75 WLAN Interference 611 Security parameters 620 Workmanship 6 Worldwide Contact Information 7 Written Permission 3 WWW 355 www dyndns org 427 X Xmodem File Upload 536 XMO...
