ZyXEL Communications ZyXEL ZyWALL 35, User Manual

Page 1: ...ZyWALL 35 Internet Security Appliance User s Guide Version 3 64 3 2005 ...

Page 2: ......

Page 3: ...XEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to ...

Page 4: ...o communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and the receiver Connect the equipment into an outlet o...

Page 5: ...ply is damaged remove it from the power outlet Do NOT attempt to repair the power supply Contact your local vendor to order a new power supply Place connecting cables carefully so that no one will step on them or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no ele...

Page 6: ...y an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of...

Page 7: ...j 5 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL CommunicationsOy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel fr 33 0 4 72 52 97 97 www zyxel fr ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France 33 0 4 72 52 19 20 GERMANY support zyxel de 49 2405 6909 0 www zyxel de ZyXEL Deutsch...

Page 8: ...XEL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK sales zyxel co uk 44 0 8702 909091 ftp zyxel co uk a is the prefix number you enter to make an international telephone call METHOD LOCATION SUPPORT E MAIL TELEPHONEA WEB SITE REGULAR MAIL SALES E MAIL FAX FTP SITE ...

Page 9: ...L 54 1 3 1 Secure Broadband Internet Access via Cable or DSL Modem 54 1 3 2 VPN Application 54 1 3 3 Front Panel LEDs 55 Chapter 2 Introducing the Web Configurator 57 2 1 Web Configurator Overview 57 2 2 Accessing the ZyWALL Web Configurator 57 2 3 Resetting the ZyWALL 58 2 3 1 Procedure To Use The Reset Button 59 2 3 2 Uploading a Configuration File Via Console Port 59 2 4 Navigating the ZyWALL W...

Page 10: ... 5 VPN Wizard Setup Complete 87 Chapter 4 LAN Screens 89 4 1 LAN Overview 89 4 2 DHCP Setup 89 4 2 1 IP Pool Setup 89 4 3 LAN TCP IP 89 4 3 1 Factory LAN Defaults 89 4 3 2 IP Address and Subnet Mask 90 4 3 3 RIP Setup 90 4 3 4 Multicast 91 4 4 DNS Servers 91 4 5 Configuring LAN 91 4 6 Configuring Static DHCP 93 4 7 Configuring IP Alias 94 4 8 Configuring Port Roles 96 Chapter 5 Bridge Screens 99 5...

Page 11: ...0 6 7 1 User Authentication 110 6 7 2 Encryption 111 6 8 WPA PSK Application Example 111 6 9 WPA with RADIUS Application Example 112 6 10 Wireless Client WPA Supplicants 113 6 11 Configuring Wireless LAN 113 6 11 1 Static WEP 115 6 11 2 WPA PSK 116 6 11 3 WPA 118 6 11 4 802 1x Dynamic WEP 119 6 11 5 802 1x Static WEP 120 6 11 6 802 1x No WEP 121 6 11 7 No Access 802 1x Static WEP 122 6 11 8 No Acc...

Page 12: ...g Dial Backup 149 7 12 Advanced Modem Setup 153 7 12 1 AT Command Strings 153 7 12 2 DTR Signal 153 7 12 3 Response Strings 153 7 13 Configuring Advanced Modem Setup 153 Chapter 8 DMZ Screens 157 8 1 DMZ Overview 157 8 2 Configuring DMZ 157 8 3 Configuring IP Alias 159 8 4 DMZ Public IP Address Example 161 8 5 DMZ Private and Public IP Address Example 162 8 6 Configuring Port Roles 162 Chapter 9 F...

Page 13: ... 177 10 1 Access Methods 177 10 2 Firewall Policies Overview 177 10 3 Rule Logic Overview 178 10 3 1 Rule Checklist 178 10 3 2 Security Ramifications 179 10 3 3 Key Fields For Configuring Rules 179 10 3 3 1 Action 179 10 3 3 2 Service 179 10 3 3 3 Source Address 179 10 3 3 4 Destination Address 179 10 4 Connection Direction Examples 179 10 4 1 LAN To WAN Rules 180 10 4 2 WAN To LAN Rules 180 10 5 ...

Page 14: ...uction to myZyXEL com 215 12 1 1 A Note on myZyXEL com Numbers 216 12 2 myZyXEL com Account Registration 216 12 3 Registering Your ZyXEL Device 218 12 4 Content Filtering Registration 221 12 5 Checking Content Filtering Activation 223 12 6 Updating Product Registration Information 224 12 7 Viewing Content Filtering Reports 224 12 8 Configuration File 226 Chapter 13 Introduction to IPSec 227 13 1 V...

Page 15: ... 8 1 Negotiation Mode 239 14 8 2 Pre Shared Key 239 14 8 3 Diffie Hellman DH Key Groups 240 14 8 4 Perfect Forward Secrecy PFS 240 14 9 X Auth Extended Authentication 240 14 9 1 Authentication Server 240 14 10 Icons Key 241 14 11 IPSec Fields Summary 241 14 12 IKE VPN Rule Summary Screen 242 14 12 1 Configuring an IKE Gateway Policy 243 14 12 2 Configuring an IKE Network Policy 249 14 12 2 1 Assoc...

Page 16: ... Certificate Fingerprints 283 15 14 Importing a Trusted Remote Host s Certificate 284 15 15 Trusted Remote Host Certificate Details 285 15 16 Directory Servers 288 15 17 Add or Edit a Directory Server 289 Chapter 16 Authentication Server 291 16 1 Authentication Server Overview 291 16 2 Local User Database 291 16 3 RADIUS 291 16 4 Configuring Local User Database 291 16 5 Configuring RADIUS 293 Chap...

Page 17: ...P Routing Policy Setup 318 19 5 Configuring the IP Policy Route Entry 319 Chapter 20 Bandwidth Management 323 20 1 Bandwidth Management Overview 323 20 2 Bandwidth Classes and Filters 323 20 3 Proportional Bandwidth Allocation 324 20 4 Application based Bandwidth Management 324 20 5 Subnet based Bandwidth Management 324 20 6 Application and Subnet based Bandwidth Management 324 20 7 Scheduler 325 ...

Page 18: ... 342 21 6 2 Inserting a Name Server record 343 21 7 DNS Cache 345 21 8 Configure DNS Cache 345 21 9 Configuring DNS LAN 346 21 10 Dynamic DNS 348 21 10 1 DYNDNS Wildcard 348 21 10 2 High Availability 348 21 11 Configuring Dynamic DNS 348 Chapter 22 Remote Management 351 22 1 Remote Management Overview 351 22 1 1 Remote Management Limitations 351 22 1 2 Remote Management and NAT 352 22 1 3 System T...

Page 19: ...y Overview 375 23 1 1 How Do I Know If I m Using UPnP 375 23 1 2 NAT Traversal 375 23 1 3 Cautions with UPnP 375 23 2 UPnP and ZyXEL 376 23 3 Configuring UPnP 376 23 4 Displaying UPnP Port Mapping 377 23 5 Installing UPnP in Windows Example 378 23 5 1 Installing UPnP in Windows Me 379 23 5 2 Installing UPnP in Windows XP 380 23 6 Using UPnP in Windows XP Example 380 23 6 1 Auto discover Your UPnP ...

Page 20: ...Backup Configuration 408 25 10 2 Restore Configuration 408 25 10 3 Back to Factory Defaults 410 25 11 Restart Screen 410 Chapter 26 Introducing the SMT 413 26 1 Introduction to the SMT 413 26 2 Accessing the SMT via the Console Port 413 26 2 1 Initial Screen 413 26 2 2 Entering the Password 414 26 3 Navigating the SMT Interface 414 26 3 1 Main Menu 415 26 3 2 SMT Menus Overview 417 26 4 Changing t...

Page 21: ...P and DHCP Ethernet Setup Menu 440 29 4 1 IP Alias Setup 442 29 5 Wireless LAN Setup 443 29 5 1 MAC Address Filter Setup 445 Chapter 30 Internet Access 447 30 1 Introduction to Internet Access Setup 447 30 2 Ethernet Encapsulation 447 30 3 Configuring the PPTP Client 449 30 4 Configuring the PPPoE Client 449 30 5 Basic Setup Complete 450 Chapter 31 DMZ Setup 451 31 1 Configuring DMZ Setup 451 31 2...

Page 22: ...T 471 35 1 1 SUA Single User Account Versus NAT 471 35 1 2 Applying NAT 471 35 2 NAT Setup 473 35 2 1 Address Mapping Sets 474 35 2 1 1 SUA Address Mapping Set 474 35 2 1 2 User Defined Address Mapping Sets 475 35 2 1 3 Ordering Your Rules 476 35 3 Configuring a Server behind NAT 478 35 4 General NAT Examples 481 35 4 1 Internet Access Only 481 35 4 2 Example 2 Internet Access with an Default Serv...

Page 23: ... 38 SNMP Configuration 507 38 1 SNMP Configuration 507 38 2 SNMP Traps 508 Chapter 39 System Information Diagnosis 509 39 1 Introduction to System Status 509 39 2 System Status 509 39 3 System Information and Console Port Speed 511 39 3 1 System Information 511 39 3 2 Console Port Speed 512 39 4 Log and Trace 513 39 4 1 Viewing Error Log 513 39 4 2 Syslog Logging 514 39 4 3 Call Triggering Packet ...

Page 24: ...0 5 5 TFTP File Upload 532 40 5 6 TFTP Upload Command Example 533 40 5 7 Uploading Via Console Port 533 40 5 8 Uploading Firmware File Via Console Port 533 40 5 9 Example Xmodem Firmware Upload Using HyperTerminal 534 40 5 10 Uploading Configuration File Via Console Port 534 40 5 11 Example Xmodem Configuration Upload Using HyperTerminal 535 Chapter 41 System Maintenance Menus 8 to 10 537 41 1 Com...

Page 25: ...e 562 45 5 Problems with Internet Access 563 45 6 Problems with Remote Management 563 45 7 Problems Accessing the ZyWALL 563 45 7 1 Pop up Windows JavaScripts and Java Permissions 564 45 7 1 1 Internet Explorer Pop up Blockers 565 45 7 1 2 JavaScripts 568 45 7 1 3 Java Permissions 570 Appendix A Product Specifications 573 Appendix B Setting up Your Computer s IP Address 581 Appendix C IP Subnettin...

Page 26: ...pendix K Command Interpreter 655 Appendix L Firewall Commands 657 Appendix M NetBIOS Filter Commands 663 Appendix N Certificates Commands 667 Appendix O Brute Force Password Guessing Protection 671 Appendix P Boot Commands 673 Appendix Q Log Descriptions 675 Index 695 ...

Page 27: ...ure 15 ISP Parameters PPTP Encapsulation 77 Figure 16 Internet Access Wizard Setup Complete 78 Figure 17 VPN Wizard Gateway Setting 79 Figure 18 VPN Wizard Network Setting 81 Figure 19 VPN Wizard IKE Tunnel Setting 82 Figure 20 VPN Wizard IPSec Setting 84 Figure 21 VPN Wizard VPN Status 85 Figure 22 VPN Wizard Setup Complete 87 Figure 23 LAN 92 Figure 24 Static DHCP 94 Figure 25 Physical Network P...

Page 28: ...ure 54 Traffic Redirect WAN Setup 148 Figure 55 Traffic Redirect LAN Setup 148 Figure 56 Traffic Redirect 149 Figure 57 Dial Backup Setup 150 Figure 58 Advanced Setup 154 Figure 59 DMZ 158 Figure 60 IP Alias 160 Figure 61 DMZ Public Address Example 161 Figure 62 DMZ Private and Public Address Example 162 Figure 63 Port Roles 163 Figure 64 Port Roles Change Complete 163 Figure 65 ZyWALL Firewall Ap...

Page 29: ...y Product 221 Figure 100 myZyXEL com Service Management 222 Figure 101 Service Registration 222 Figure 102 Service Registration Successful 223 Figure 103 Service Management Service Registered 223 Figure 104 Cerberian Login Screen 225 Figure 105 Content Filtering Reports Main Screen 225 Figure 106 Global Report Screen Example 226 Figure 107 Requested URLs Example 226 Figure 108 Encryption and Decry...

Page 30: ...igure 142 How NAT Works 296 Figure 143 NAT Application With IP Alias 297 Figure 144 Port Restricted Cone NAT Example 298 Figure 145 NAT Overview 300 Figure 146 Address Mapping 302 Figure 147 Address Mapping Edit 303 Figure 148 Multiple Servers Behind NAT Example 306 Figure 149 Port Translation Example 307 Figure 150 Port Forwarding 308 Figure 151 Trigger Port Forwarding Process Example 309 Figure ...

Page 31: ... Works 361 Figure 183 SSH 362 Figure 184 SSH Example 1 Store Host Key 363 Figure 185 SSH Example 2 Test 364 Figure 186 SSH Example 2 Log in 364 Figure 187 Secure FTP Firmware Upload Example 365 Figure 188 Telnet Configuration on a TCP IP Network 365 Figure 189 Telnet 366 Figure 190 FTP 367 Figure 191 SNMP Management Model 368 Figure 192 SNMP 370 Figure 193 DNS 371 Figure 194 CNM 372 Figure 195 Con...

Page 32: ...enu 1 1 1 DDNS Host Summary 424 Figure 230 Menu 1 1 1 DDNS Edit Host 425 Figure 231 MAC Address Cloning in WAN Setup 427 Figure 232 Menu 2 Dial Backup Setup 429 Figure 233 Menu 2 1 Advanced WAN Setup 430 Figure 234 Menu 11 3 Remote Node Profile Backup ISP 431 Figure 235 Menu 11 3 1 Remote Node PPP Options 433 Figure 236 Menu 11 3 2 Remote Node Network Layer Options 434 Figure 237 Menu 11 3 3 Remot...

Page 33: ...o the Remote Node 472 Figure 269 Menu 15 NAT Setup 473 Figure 270 Menu 15 1 Address Mapping Sets 474 Figure 271 Menu 15 1 255 SUA Address Mapping Rules 474 Figure 272 Menu 15 1 1 First Set 476 Figure 273 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set 477 Figure 274 Menu 15 2 NAT Server Sets 478 Figure 275 Menu 15 2 1 NAT Server Setup 479 Figure 276 Menu 15 2 1 2 NAT Server Configura...

Page 34: ...Figure 314 Menu 24 3 System Maintenance Log and Trace 513 Figure 315 Examples of Error and Information Messages 514 Figure 316 Menu 24 3 2 System Maintenance Syslog Logging 514 Figure 317 Call Triggering Packet Example 517 Figure 318 Menu 24 4 System Maintenance Diagnostic 518 Figure 319 WAN LAN DHCP 518 Figure 320 Telnet into Menu 24 5 523 Figure 321 FTP Session Example 524 Figure 322 System Main...

Page 35: ...chedule Set s to a Remote Node PPTP 560 Figure 357 Pop up Blocker 565 Figure 358 Internet Options 566 Figure 359 Internet Options 567 Figure 360 Pop up Blocker Settings 568 Figure 361 Internet Options 569 Figure 362 Security Settings Java Scripting 570 Figure 363 Security Settings Java 571 Figure 364 Java Sun 572 Figure 1 WLAN Card Installation 577 Figure 2 Console Dial Backup Port Pin Layout 577 ...

Page 36: ...P User Agent Server 626 Figure 35 SIP Proxy Server 627 Figure 36 SIP Redirect Server 628 Figure 37 ZyWALL SIP ALG 629 Figure 38 VPN Rules 632 Figure 39 Headquarters Gateway Policy Edit 633 Figure 40 Branch Office Gateway Policy Edit 634 Figure 41 Headquarters VPN Rule 635 Figure 42 Branch Office VPN Rule 635 Figure 43 Headquarters Network Policy Edit 636 Figure 44 Branch Office Network Policy Edit...

Page 37: ...nal Certificate Import Wizard 4 651 Figure 64 Personal Certificate Import Wizard 5 652 Figure 65 Personal Certificate Import Wizard 6 652 Figure 66 Access the ZyWALL Via HTTPS 652 Figure 67 SSL Client Authentication 653 Figure 68 ZyWALL Secure Login Screen 653 Figure 69 Option to Enter Debug Mode 673 Figure 70 Boot Module Commands 674 Figure 71 Displaying Log Categories Example 691 Figure 72 Displ...

Page 38: ...ZyWALL 35 User s Guide 36 ...

Page 39: ...rk Setting 81 Table 15 VPN Wizard IKE Tunnel Setting 83 Table 16 VPN Wizard IPSec Setting 84 Table 17 VPN Wizard VPN Status 86 Table 18 LAN 92 Table 19 Static DHCP 94 Table 20 IP Alias 96 Table 21 STP Path Costs 100 Table 22 STP Port States 101 Table 23 Bridge 102 Table 24 Wireless Security Relational Matrix 107 Table 25 Wireless No Security 114 Table 26 Wireless Static WEP 116 Table 27 Wireless W...

Page 40: ... Table 57 Creating Editing A Firewall Rule 187 Table 58 Creating Editing A Custom Service 188 Table 59 Predefined Services 192 Table 60 Anti Probing 195 Table 61 Firewall Threshold 197 Table 62 Content Filter General 200 Table 63 Content Filter Categories 203 Table 64 Content Filter Customization 210 Table 65 Content Filter Cache 213 Table 66 myZyXEL com Numbers 216 Table 67 VPN and NAT 231 Table ...

Page 41: ...Address Mapping Edit 304 Table 102 Services and Port Numbers 305 Table 103 Port Forwarding 308 Table 104 Port Triggering 310 Table 105 IP Static Route 314 Table 106 Edit IP Static Route 315 Table 107 Policy Route Setup 319 Table 108 Edit IP Policy Route 320 Table 109 Application and Subnet based Bandwidth Management Example 324 Table 110 Maximize Bandwidth Usage Example 326 Table 111 Priority base...

Page 42: ...Default Time Servers 397 Table 147 Time and Date 399 Table 148 MAC address to port Mapping Table 402 Table 149 Device Mode Router Mode 403 Table 150 Device Mode Bridge Mode 404 Table 151 Firmware Upload 406 Table 152 Restore Configuration 408 Table 153 Main Menu Commands 414 Table 154 Main Menu Summary 416 Table 155 SMT Menus Overview 417 Table 156 Menu 1 General Setup Router Mode 421 Table 157 Me...

Page 43: ... 1 Edit IP Static Route 470 Table 185 Applying NAT in Menus 4 11 1 2 473 Table 186 SUA Address Mapping Rules 475 Table 187 Fields in Menu 15 1 1 476 Table 188 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set 477 Table 189 Menu 15 2 1 2 NAT Server Configuration 480 Table 190 Menu 15 3 Trigger Port Setup 490 Table 191 Abbreviations Used in the Filter Rules Summary Menu 497 Table 192 Rul...

Page 44: ...ole Dial Backup Port Pin Assignments 578 Table 7 North American AC Power Adaptor Specifications 578 Table 8 European Union AC Power Adaptor Specifications 579 Table 9 UK AC Power Adaptor Specifications 579 Table 10 Japan AC Power Adaptor Specifications 579 Table 11 Australia and New Zealand AC Power Adaptor Specification 579 Table 12 Classes of IP Addresses 593 Table 13 Allowed IP Address Range By...

Page 45: ...le 39 ICMP Logs 678 Table 40 CDR Logs 679 Table 41 PPP Logs 679 Table 42 UPnP Logs 679 Table 43 Content Filtering Logs 679 Table 44 Attack Logs 680 Table 45 Remote Management Logs 681 Table 46 Wireless Logs 682 Table 47 IPSec Logs 682 Table 48 IKE Logs 683 Table 49 PKI Logs 686 Table 50 Certificate Path Verification Failure Reason Codes 687 Table 51 802 1X Logs 687 Table 52 ACL Setting Notes 688 T...

Page 46: ...ZyWALL 35 User s Guide 44 ...

Page 47: ...configure your ZyWALL Not all features can be configured through all interfaces Related Documentation Supporting Disk Refer to the included CD for support documents Quick Start Guide The Quick Start Guide is designed to help you get up and running right away It contains a detailed easy to follow connection diagram default settings handy checklists and information on setting up your network and con...

Page 48: ...he Enter or carriage return key ESC means the Escape key and SPACE BAR means the Space Bar Mouse action sequences are denoted using a comma For example click the Apple icon Control Panels and then Modem means first click the Apple icon then point your mouse pointer to Control Panels and then click Modem For brevity s sake we will use e g as a shorthand for for instance and i e for that is or in ot...

Page 49: ...ovides bandwidth management NAT port forwarding policy routing DHCP server and many other powerful features The PCMCIA CardBus slot allows you to add a 802 11b g compliant wireless LAN The ZyWALL offers highly secured wireless connectivity to your wired network with IEEE 802 1x WEP data encryption WPA Wi Fi Protected Access and MAC address filtering 1 2 ZyWALL Features The following sections descr...

Page 50: ...ts allow the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention It allows data transfer of either 10 Mbps or 100 Mbps in either half duplex or full duplex mode depending on your Ethernet network The ports are also auto crossover MDI MDI X meaning they automatically adjust to either a crossover or straight through Ethernet cable Dial Backup WAN...

Page 51: ...ng and translating IP addresses embedded in the data stream STP Spanning Tree Protocol RSTP Rapid STP When the ZyWALL is set to bridge mode R STP detects and breaks network loops and provides backup links between switches bridges or routers It allows a bridge to interact with other R STP compliant bridges in your network to ensure that only one path exists between any two stations on the network B...

Page 52: ...wall supports TCP UDP inspection DoS detection and prevention real time alerts reports and logs Content Filtering The ZyWALL can block web features such as ActiveX controls Java applets and cookies as well as disable web proxies The ZyWALL can block or allow access to web sites that you specify The ZyWALL can also block access to web sites containing keywords that you specify You can define time p...

Page 53: ...wed or denied MAC addresses WEP Encryption WEP Wired Equivalent Privacy encrypts data frames before transmitting over the wireless network to help keep network communications private Packet Filtering The packet filtering mechanism blocks unwanted traffic from entering leaving your network Call Scheduling Configure call time periods to restrict and allow access for users on remote nodes PPPoE PPPoE...

Page 54: ...ing IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator Central Network Management Central Network Management CNM allows an enterprise or service provider network administrator to manage your ZyWALL The enterprise or service provider network administrator can configure your ZyWALL per...

Page 55: ...dresses an IP default gateway and DNS servers to all systems that support the DHCP client The ZyWALL can also act as a surrogate DHCP server DHCP Relay where it relays IP address assignment from the actual real DHCP server to the clients Full Network Management The embedded web configurator is an all platform web based utility that allows you to easily access the ZyWALL s management settings and c...

Page 56: ...cess via Cable or DSL Modem You can connect a cable modem DSL or wireless modem to the ZyWALL for broadband Internet access via Ethernet or wireless port on the modem The ZyWALL guarantees not only high speed Internet access but secure internal network protection and traffic management as well Figure 1 Secure Internet Access via Cable DSL or Wireless Modem 1 3 2 VPN Application ZyWALL VPN is an id...

Page 57: ...e 2 VPN Application 1 3 3 Front Panel LEDs Figure 3 ZyWALL Front Panel The following table describes the LEDs Table 1 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off Green On The ZyWALL is turned on Red On The power to the ZyWALL is too low ...

Page 58: ...WAN 10 100 Off The WAN connection is not ready or has failed Green On The ZyWALL has a successful 10Mbps WAN connection Flashing The 10M WAN is sending or receiving packets Orange On The ZyWALL has a successful 100Mbps WAN connection Flashing The 100M WAN is sending or receiving packets LAN DMZ 10 100 Off The LAN DMZ is not connected Green On The ZyWALL has a successful 10Mbps Ethernet connection ...

Page 59: ...ndows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the Troubleshooting chapter if you want to make sure these functions are allowed in Internet Explorer 2 2 Accessing the ZyWALL Web Configurator 1 Make sure your ZyWALL hardware is properly connected and prepare your computer computer network to connect to the ZyWALL refer to the Quick Start Guide 2 La...

Page 60: ... out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into the ZyWALL if this happens to you 2 3 Resetting the ZyWALL If you forget your password or cannot access the web configurator you will need to reload the factory default configuration file or use the RESET button on the back of the ZyWALL Uploading this configuration file repl...

Page 61: ...it for the ZyWALL to finish restarting 2 3 2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site unzip it and save it in a folder 2 Turn off the ZyWALL begin a terminal emulation software session and turn on the ZyWALL again When you see the message Press Any key to enter Debug Mode within 3 seconds press any key to enter debug mode 3 E...

Page 62: ...lick the icon located in the top right corner of most screens to view online help The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen 2 4 1 Router Mode The following screen displays when the ZyWALL is set to router mode The ZyWALL is set to router mode by default Figure 7 Web Configurator HOME Screen in Router Mode Use submenus to configure ZyWALL featur...

Page 63: ... s firewall is activated System Time This field displays your ZyWALL s present date and time Memory The first number shows how many kilobytes of the heap memory the ZyWALL is using Heap memory refers to the memory that is not used by ZyNOS ZyXEL Network Operating System and is thus available for running processes like NAT VPN and the firewall The second number shows the ZyWALL s total heap memory ...

Page 64: ...it displays the port speed and duplex setting if you re using Ethernet encapsulation and Down line is down or not connected Idle line ppp idle Dial starting to trigger a call or Drop dropping a call if you re using PPPoE encapsulation For the WLAN port it displays Active when WLAN is enabled or Inactive when WLAN is disabled IP Address This shows the port s IP address Subnet Mask This shows the po...

Page 65: ...is the IP subnet mask of the ZyWALL Gateway IP Address This is the gateway IP address Rapid Spanning Tree Protocol This shows whether RSTP Rapid Spanning Tree Protocol is active or not The following labels or values relative to RSTP do not apply when RSTP is disabled Bridge Priority This is the bridge priority of the ZyWALL Bridge Hello Time This is the interval of BPDUs Bridge Protocol Data Units...

Page 66: ...Active This shows whether or not RSTP is active on the corresponding port RSTP Priority This is the RSTP priority of the corresponding port RSTP Path Cost This is the cost of transmitting a frame from the root bridge to the corresponding port Show Statistics Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port in...

Page 67: ...e LAN DMZ port roles WIRELESS LAN Wireless Use this screen to configure the wireless LAN settings and WLAN authentication security settings MAC Filter Use this screen to change MAC filter settings on the ZyWALL WAN General This screen allows you to configure load balancing route priority and traffic redirect properties WAN1 Use this screen to configure ZyWALL WAN1 port for internet access WAN2 Use...

Page 68: ...ed Remote Hosts Use this screen to view and manage the certificates belonging to the trusted remote hosts Directory Servers Use this screen to view and manage the list of the directory servers AUTH SERVER Local User Database Use this screen to configure the local user account s on the ZyWALL RADIUS Configure this screen to use an external server to authenticate wireless and or VPN users NAT NAT Ov...

Page 69: ...hrough which interface s and from which IP address es users can send DNS queries to the ZyWALL CNM Use this screen to configure your ZyWALL to be managed by the Vantage CNM server UPnP UPnP Use this screen to enable UPnP on the ZyWALL Ports Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL LOGS View Log Use this screen to view the logs for the categories that you s...

Page 70: ...ulation and Down line is down Idle line ppp idle Dial starting to trigger a call or Drop dropping a call if you re using PPPoE encapsulation TxPkts This is the number of transmitted packets on this port RxPkts This is the number of received packets on this port Tx B s This displays the transmission speed in bytes per second on this port Rx B s This displays the reception speed in bytes per second ...

Page 71: ...o router mode Read only information here relates to your DHCP status The DHCP table shows current DHCP client information including IP Address Host Name and MAC Address of all network clients using the ZyWALL s DHCP server Table 7 Home Show Statistics Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen Port Select the check box es to display the throughput statisti...

Page 72: ... Host Name This field displays the computer host name MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory This address follows an industry standard that ensures no other adapter has a similar a...

Page 73: ...tion name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase ZyWALL processing requirements and communications latency delay Poll Interval s Enter the time interval for refreshing statistics in this field Set Interval Click this button to apply the new poll interval you en...

Page 74: ...ZyWALL 35 User s Guide 72 Chapter 2 Introducing the Web Configurator ...

Page 75: ...ternet access wizard screen has three variations depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information 3 2 1 ISP Parameters The ZyWALL offers three choices of encapsulation They are Ethernet PPTP or PPPoE The wizard screen varies according to the type of encapsulation that yo...

Page 76: ... is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field ...

Page 77: ...existing Microsoft Dial Up Networking experience and requires no new learning or procedures Refer to Appendix D on page 601 for more information on PPPoE Figure 14 ISP Parameters PPPoE Encapsulation First DNS Server Second DNS Server Enter the DNS server s IP address es in the field s to the right Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS ...

Page 78: ... User Name Type the user name given to you by your ISP Password Type the password associated with the user name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server The default time is 100 seconds ...

Page 79: ...User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses be...

Page 80: ... depends on the requirements of your xDSL modem WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field First DNS Server Second DNS Server Ente...

Page 81: ...tion Click VPN Wizard in the HOME screen to open the screen as shown and have the quick and initial VPN configuration Figure 17 VPN Wizard Gateway Setting The following table describes the labels in this screen Table 13 VPN Wizard Gateway Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy You may use any character including spaces bu...

Page 82: ...s the IP address static or dynamic of the primary highest priority WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up If the corresponding WAN1 or WAN2 connection goes down the ZyWALL uses the IP address of the other WAN port If both WAN connections go down the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP a...

Page 83: ...racter including spaces but the ZyWALL drops trailing spaces Network Policy Setting Local Network Local IP addresses must be static and correspond to the remote IPSec router s configured remote IP addresses Select Single for a single IP address Select Range IP for a specific range of IP addresses Select Subnet to specify IP addresses on a network by their subnet mask Starting IP Address When the L...

Page 84: ...et mask Starting IP Address When the Remote Network field is configured to Single enter a static IP address on the network behind the remote IPSec router When the Remote Network field is configured to Range IP enter the beginning static IP address in a range of computers on the network behind the remote IPSec router When the Remote Network field is configured to Subnet enter a static IP address on...

Page 85: ...hase 1 IKE setup DH1 default refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field The minimum value is 180 seconds A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentic...

Page 86: ...it key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter an encryption key Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are ...

Page 87: ...Secret PFS Perfect Forward Secret PFS is disabled None by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Select DH1 or DH2 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower Back Click Back to return to the previous screen Next Click Next to contin...

Page 88: ... Remote Network Starting IP Address This is a static IP address on the network behind the remote IPSec router Ending IP Address Subnet Mask When the remote network is configured for a single IP address this field is N A When the remote network is configured for a range IP address this is the end static IP address in a range of computers on the network behind the remote IPSec router When the remote...

Page 89: ...S 3DES AES or NULL Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data SA Life Time Seconds This is the length of time before an IKE SA automatically renegotiates Perfect Forward Secret PFS Perfect Forward Secret PFS is disabled None by default in phase 2 IPSec SA setup Otherwise DH1 or DH2 are selected to enable PFS Bac...

Page 90: ...ZyWALL 35 User s Guide 88 Chapter 3 Wizard Setup ...

Page 91: ...it When configured as a server the ZyWALL provides the TCP IP configuration for the clients If DHCP service is disabled you must have another DHCP server on your LAN or else the computer must be manually configured 4 2 1 IP Pool Setup The ZyWALL is pre configured with a pool of IP addresses for the DHCP clients DHCP Pool See the product specifications in the appendices Do not assign static IP addr...

Page 92: ...254 individual addresses from 192 168 1 1 to 192 168 1 254 zero and 255 are reserved In other words the first three numbers specify the network number while the last number identifies an individual computer on that network Once you have decided on the network number pick an IP address that is easy to remember for instance 192 168 1 1 for your ZyWALL but make sure that no other device on your netwo...

Page 93: ...till in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 The class D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The address 224 0 0 1 is used for ...

Page 94: ... set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends...

Page 95: ...guous addresses in the IP address pool Pool Size This field specifies the size or count of the IP address pool DHCP Server Address If Relay is selected in the DHCP field above then type the IP address of the actual remote DHCP server here Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with...

Page 96: ...into different logical networks over the same Ethernet interface The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network Table 19 Static DHCP LABEL DESCRIPTION This is the index number of the static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address Type ...

Page 97: ...AN s logical networks subnets Note Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 25 Physical Network Partitioned Logical Networks To change your ZyWALL s IP alias settings click LAN then the IP Alias tab The screen appears as shown Figure 26 IP Alias ...

Page 98: ...uted by the ZyWALL RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only i...

Page 99: ... Screens 97 Figure 27 Port Roles After you change the LAN DMZ port roles and click Apply please wait for few seconds until the following screen appears Click Return to go back to the Port Roles screen Figure 28 Port Roles Change Complete ...

Page 100: ...ZyWALL 35 User s Guide 98 Chapter 4 LAN Screens ...

Page 101: ...ample shows the network topology that can lead to this problem If your ZyWALL in bridge mode is connected to a wired LAN while communicating with another bridge or a switch that is also connected to the same wired LAN as shown next Figure 29 Bridge Loop Bridge Connected to Wired LAN To prevent bridge loops ensure that your ZyWALL is not set to bridge mode while connected to two wired segments of t...

Page 102: ...ort on this switch with the lowest path cost to the root the root path cost If there is no root port then this bridge has been accepted as the root bridge of the spanning tree network For each LAN segment a designated bridge is selected This bridge has the lowest cost to the root among the bridges connected to the LAN 5 2 3 How STP Works After a bridge determines the lowest cost spanning tree with...

Page 103: ... A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops 5 3 Configuring Bridge Select Bridge and click Apply in the MAINTENANCE Device Mode screen to have the ZyWALL function as a bridge To change your ZyWALL s bridge settings click BRIDGE The screen appears as shown Table 22 STP Port States PORT STATE DESCRIPTION Disabled STP is disa...

Page 104: ...IP Address Enter the gateway IP address First Second Third DNS Server DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for content filte...

Page 105: ...in seconds that the root bridge waits before sending a hello packet Bridge Max Age Enter an interval between 6 and 40 in seconds that a bridge waits to get a Hello BPDU from the root bridge Forward Delay Enter the length of time between 4 and 30 in seconds that a bridge remains in the listening and learning port states The default is 15 seconds Bridge Port This is the bridge port type Port types a...

Page 106: ...ZyWALL 35 User s Guide 104 Chapter 5 Bridge Screens ...

Page 107: ...computer with an IEEE 802 11b wireless LAN card A computer equipped with a web browser with JavaScript enabled and or Telnet A wireless station must be running IEEE 802 1x compliant software Currently this is offered in Windows XP An optional network RADIUS server for remote user authentication and accounting 6 2 Wireless Security Wireless security is vital to your network to protect wireless comm...

Page 108: ... you don t have WPA aware wireless clients then use WEP key encrypting A higher bit key offers better security at a throughput trade off You can use Passphrase to automatically generate 64 bit or 128 bit WEP keys or manually enter 64 bit 128 bit or 256 bit WEP keys 6 2 2 Authentication Use a RADIUS server with WPA or IEEE 802 1x key management protocol You can also configure IEEE 802 1x to use the...

Page 109: ... see what other security parameters you should configure for each Authentication Method key management protocol type You enter manual keys by first selecting 64 bit WEP or 128 bit WEP from the WEP Encryption field and then typing the keys in ASCII or hexadecimal format in the key text boxes MAC address filters are not dependent on how you configure these security features Table 24 Wireless Securit...

Page 110: ...L authenticate up to 32 users or an external RADIUS server for an unlimited number of users 6 5 1 Introduction to RADIUS RADIUS is based on a client sever model that supports authentication and accounting where access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keep...

Page 111: ...rypted to protect the network from unauthorized access 6 5 2 EAP Authentication Overview EAP Extensible Authentication Protocol is an authentication protocol that runs on top of the IEEE802 1x transport mechanism in order to support multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server the access point helps a wireless station and a RADIUS server perfo...

Page 112: ...UTH SERVER RADIUS screen see Section 16 5 on page 293 Ensure that the wireless station s EAP type is configured to one of the following EAP TLS EAP TTLS PEAP Note EAP MD5 cannot be used with Dynamic WEP Key Exchange 6 7 Introduction to WPA Wi Fi Protected Access WPA is a subset of the IEEE 802 11i security specification draft Key differences between WPA and WEP are user authentication and improved...

Page 113: ...which the receiver and the transmitter each compute and then compare the MIC If they do not match it is assumed that the data has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC TKIP makes it much more difficult to decode data on a Wi Fi network than WEP making it difficult for an intru...

Page 114: ...e distribution system 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to dynamically ge...

Page 115: ...AEGIS client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it 6 11 Configuring Wireless LAN Note If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL s ESSID or WEP settings you will lose your wireless connection when you press A...

Page 116: ...WLAN security features each card supports and how to install a WLAN card ESSID Extended Service Set IDentity The ESSID identifies the Service Set with which a wireless station is associated Wireless stations associating to the access point AP must have the same ESSID Enter a descriptive name up to 32 printable 7 bit ASCII characters for the wireless LAN Hide ESSID Select to hide the ESSID in the o...

Page 117: ...e default value and enter a value between 256 and 2432 Security Choose from one of the security settings listed in the drop down box No Security Static WEP WPA PSK WPA 802 1x Dynamic WEP 802 1x Static WEP 802 1x No WEP No Access 802 1x Static WEP No Access 802 1x No WEP Select No Security to allow wireless stations to communicate with the access points without any data encryption Otherwise select ...

Page 118: ...28 bit WEP to enable data encryption Key 1 to Key 4 If you chose 64 bit WEP in the WEP Encryption field then enter any 5 characters ASCII string or 10 hexadecimal characters 0 9 A F preceded by 0x for each key If you chose 128 bit WEP in the WEP Encryption field then enter 13 characters ASCII string or 26 hexadecimal characters 0 9 A F preceded by 0x for each key There are four data encryption key...

Page 119: ...between 10 and 9999 seconds If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout Seconds The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before access to the wired network is allowed WPA...

Page 120: ...as priority Idle Timeout Seconds The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before access to the wired network is allowed Authentication Databases Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server WPA Group ...

Page 121: ...le 29 Wireless 802 1x Dynamic WEP LABEL DESCRIPTION Security Select 802 1x Dynamic WEP from the drop down list ReAuthentication Timer Seconds Specify how often wireless stations have to reenter usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS...

Page 122: ... list of users and passwords Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server Dynamic WEP Key Exchange Select 64 bit WEP or 128 bit WEP to enable data encryption Up to 32 stations can access the ZyWALL when you configure dynamic WEP key exchange Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configur...

Page 123: ...data encryption keys to secure your data from eavesdropping by unauthorized wireless users The values for the keys must be set up exactly the same on the access points as they are on the wireless stations ReAuthenticati on Timer Seconds Specify how often wireless stations have to reenter usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds If wireles...

Page 124: ...er to stay connected Enter a time interval between 10 and 9999 seconds If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout Seconds The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before...

Page 125: ...network Select 64 bit WEP or 128 bit WEP to enable data encryption Key 1 to Key 4 If you chose 64 bit WEP in the WEP Encryption field then enter any 5 characters ASCII string or 10 hexadecimal characters 0 9 A F preceded by 0x for each key If you chose 128 bit WEP in the WEP Encryption field then enter 13 characters ASCII string or 26 hexadecimal characters 0 9 A F preceded by 0x for each key Ther...

Page 126: ...clusive access to specific devices Allow Association or exclude specific devices from accessing the ZyWALL Deny Association Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 You need to know the MAC addresses of the devices to configure this screen To chang...

Page 127: ...the filter action for the list of MAC addresses in the MAC address filter table Select Deny to block access to the router MAC addresses not listed will be allowed to access the router Select Allow to permit access to the router MAC addresses not listed will be denied access to the router This is the index number of the MAC address User Name Enter a descriptive name for the MAC address MAC Address ...

Page 128: ...ZyWALL 35 User s Guide 126 Chapter 6 Wireless LAN ...

Page 129: ...et access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Note Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address ass...

Page 130: ...ure the WAN port s MAC address by either using the factory default or cloning the MAC address from a computer on your LAN Once it is successfully configured the address will be copied to the rom file ZyNOS configuration file It will not change unless you change the setting or upload a different rom file Note ZyXEL recommends you clone the MAC address from a computer on your LAN even if your ISP do...

Page 131: ... the ZyWALL use the other WAN interface for a domain name if the configured WAN interface s connection goes down See Section 21 10 on page 348 for details When configuring a VPN rule you have the option of selecting one of the ZyWALL s domain names in the My Address field 7 3 Load Balancing Introduction On the ZyWALL load balancing is the process of dividing traffic loads between the two WAN inter...

Page 132: ...nd WAN 2 are 512K and 256K respectively Figure 44 Least Load First Example If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K the ZyWALL calculates the load balancing index as shown in the table below Since WAN 2 has a smaller load balancing index meaning that it is less utilized than WAN 1 the ZyWALL wi...

Page 133: ... for every session s traffic assigned to WAN2 Figure 45 Weighted Round Robin Algorithm Example 7 4 3 Spillover With the spillover load balancing algorithm the ZyWALL sends network traffic to the primary interface until the maximum allowable load is reached then the ZyWALL sends the excess network traffic of new sessions to the secondary WAN interface Configure the Route Priority metrics in the WAN...

Page 134: ...for the ZyWALL s routes to the Internet Each route must have a unique metric 2 The priorities of the WAN port routes must always be higher than the dial backup and traffic redirect route priorities For example lets say that you have the WAN operation mode set to active passive and the WAN 1 route has a metric of 2 the WAN 2 route has a metric of 3 the traffic redirect route has a metric of 14 and ...

Page 135: ...ZyWALL 35 User s Guide Chapter 7 WAN Screens 133 Figure 47 General ...

Page 136: ...fer to Section 7 7 on page 135 for load balancing configuration Route Priority WAN1 WAN2 Traffic Redirect Dial Backup The default WAN connection is 1 as your broadband connection via the WAN port should always be your preferred method of accessing the WAN The ZyWALL switches from WAN port 1 to WAN port 2 if WAN port 1 s connection fails and then back to WAN port 1 when WAN port 1 s connection come...

Page 137: ... Ping this Address and enter a domain name or IP address of a reliable nearby computer for example your ISP s DNS server address to have the ZyWALL ping that address For a domain name use up to 63 alphanumeric characters hyphens periods and the underscore are also allowed without spaces Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that ena...

Page 138: ...sing the average bandwidth in the specified time interval Enter the time interval between 10 and 600 seconds Load Balancing Index es Specify the direction of the traffic utilization you want the ZyWALL to use in calculating the load balancing index Select Outbound Only Inbound Only or Outbound Inbound Interface This field displays the name of the WAN interface WAN1 and WAN2 Available Inbound Bandw...

Page 139: ...e primary and secondary WANs By default WAN1 is the primary WAN and WAN2 is the secondary WAN Table 40 Load Balancing Weighted Round Robin LABEL DESCRIPTION Active Active Mode Select Active Active Mode and set the related fields to enable load balancing on the ZyWALL Load Balancing Algorithm Select a load balancing method to use from the drop down list box Interface This field displays the name of...

Page 140: ...screen shown next is for Ethernet encapsulation Table 41 Load Balancing Spillover LABEL DESCRIPTION Active Active Mode Select Active Active Mode and set the related fields to enable load balancing on the ZyWALL Load Balancing Algorithm Select a load balancing method to use from the drop down list box Time Frame You can set the ZyWALL to get the measured bandwidth using the average bandwidth in the...

Page 141: ...oose the Ethernet option when the WAN port is used as a regular Ethernet Service Type Choose from Standard Telstra RoadRunner Telstra authentication method RR Manager Roadrunner Manager authentication method RR Toshiba Roadrunner Toshiba authentication method or Telia Login The following fields do not appear with the Standard service type User Name Type the user name given to you by your ISP Passw...

Page 142: ...is field if you selected Use Fixed IP Address Gateway IP Address Enter the gateway IP address if your ISP gave you one in this field if you selected Use Fixed IP Address Advanced Setup Enable NAT Network Address Translation Network Address Translation NAT allows the translation of an Internet protocol address used within one network for example a private IP address used in a local network to a dif...

Page 143: ... will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default the RIP Version field is set to RIP 1 Enable Multicast Select this check box to turn on IGMP Internet Group Multicast Protocol IGMP is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast V...

Page 144: ... specific configuration of the broadband modem at the customer site By implementing PPPoE directly on the ZyWALL rather than individual computers the computers on the LAN do not need PPPoE software installed since the ZyWALL does that part of the task Furthermore with NAT all of the LANs computers will have access The screen shown next is for PPPoE encapsulation Figure 52 WAN PPPoE Encapsulation ...

Page 145: ...me above Retype to Confirm Type your password again to make sure that you have entered is correctly Authentication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your ZyWALL accepts either CHAP or PAP when requested by this remote node CHAP Your ZyWALL accepts CHAP only PAP Your ZyWALL accepts PAP only Nailed Up Select Nailed Up if you ...

Page 146: ... also By default the RIP Version field is set to RIP 1 Enable Multicast Select this check box to turn on IGMP Internet Group Multicast Protocol IGMP is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Internet Group Multicast Protocol is a session layer protocol used to establi...

Page 147: ...that enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The screen shown next is for PPTP encapsulation Figure 53 WAN PPTP Encapsulation ...

Page 148: ... list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your ZyWALL accepts either CHAP or PAP when requested by this remote node CHAP Your ZyWALL accepts CHAP only PAP Your ZyWALL accepts PAP only Nailed up Select Nailed Up if you do not want the connection to time out Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically...

Page 149: ...hines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default the RIP Version field is set to RIP 1 Enable Multicast Select this check box to turn on IGMP Internet Group Multicast Protocol IGMP is a network layer protocol used to establish m...

Page 150: ...n page 621 when the backup gateway is connected to the LAN or DMZ Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure a LAN to LAN ZyWALL firewall rule that forwards packets from the protected LA...

Page 151: ...Table 45 Traffic Redirect LABEL DESCRIPTION Active Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down Backup Gateway IP Address Type the IP address of your backup gateway in dotted decimal notation The ZyWALL automatically forwards traffic to this IP address if the ZyWALL s Internet connection terminates Apply Click Apply to save your changes back ...

Page 152: ...ZyWALL 35 User s Guide 150 Chapter 7 WAN Screens Figure 57 Dial Backup Setup ...

Page 153: ... manual of your WAN device connected to your Dial Backup port for specific AT commands Advanced Modem Setup Click Edit to display the Advanced Setup screen and edit the details of your dial backup setup TCP IP Options Get IP Address Automatically from Remote Server Type the login name assigned by your ISP for this remote node Used Fixed IP Address Select this check box if your ISP assigned you a f...

Page 154: ... Protocol IGMP is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast Version Select IGMP v1 or IGMP v2 IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see ...

Page 155: ... the Drop DTR When Hang Up check box is selected the ZyWALL uses this hardware signal to force the WAN device to hang up in addition to issuing the drop command ATH 7 12 3 Response Strings The response strings tell the ZyWALL the tags or labels immediately preceding the various call parameters sent from the WAN device The response strings have not been standardized please consult the documentation...

Page 156: ...ime Answer Type the AT Command string to answer a call Drop DTR When Hang Up Select this check box to have the ZyWALL drop the DTR Data Terminal Ready signal after the AT Command String Drop is sent out AT Response Strings CLID Type the keyword that precedes the CLID Calling Line Identification in the AT response string This lets the ZyWALL capture the CLID in the AT response string that comes fro...

Page 157: ...rying another call after a call has failed This applies before a phone number is blacklisted Drop Timeout sec Type the number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation Call Back Delay sec Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback cal...

Page 158: ...ZyWALL 35 User s Guide 156 Chapter 7 WAN Screens ...

Page 159: ... to the DMZ port It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port Store sensitive information on LAN computers 8 2 Configuring DMZ The DMZ port and the computers connected to it can have private or public IP addresses When the DMZ uses public IP addresses the WAN and DMZ ports must use public IP addresses that are on separate...

Page 160: ...th In Only Out Only None When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP ...

Page 161: ...rk layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 Windows Networking NetBIOS over TCP IP A...

Page 162: ... subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None...

Page 163: ... the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting ...

Page 164: ...eparate subnets Configure both DMZ and DMZ IP alias to use this kind of network setup You also need to configure NAT for the private DMZ IP addresses Figure 62 DMZ Private and Public Address Example 8 6 Configuring Port Roles To configure a LAN DMZ port as a LAN or DMZ port select its radio button next to LAN or DMZ and click Apply Otherwise click Reset to restore the previous configuration The ra...

Page 165: ... Port Roles The screen appears as shown Figure 63 Port Roles After you change the LAN DMZ port roles and click Apply please wait for few seconds until the following screen appears Click Return to go back to the Port Roles screen Figure 64 Port Roles Change Complete ...

Page 166: ...ZyWALL 35 User s Guide 164 Chapter 8 DMZ Screens ...

Page 167: ...wall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself 9 2 Types of Firewalls There are three main types of firewalls 1 Packet Filtering Firewalls 2 Application level Firewalls 3 Stateful Inspection Firewalls 9 2 1 Packet Filter...

Page 168: ...me proxies support See Section 9 5 on page 171 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 9 3 Introduction to ZyXEL s Firewall The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated in SMT menu 21 2 or in the web co...

Page 169: ... extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80 When computers communicate on the Internet they are using the client server model where the server listens on a specific TCP UDP port for information requests from remote client computers on the network For exam...

Page 170: ...agment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 through 400 of the original non fragmented IP packet The Teardrop program creates a series of IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot Weaknesses in the TCP IP sp...

Page 171: ...target system tries to respond to itself A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data A Smurf hacker floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of ...

Page 172: ...owing ICMP types trigger an alert 9 4 2 2 Illegal Commands NetBIOS and SMTP The only legal NetBIOS commands are the following all others are illegal Table 51 ICMP Commands That Trigger Alerts 5 REDIRECT 13 TIMESTAMP_REQUEST 14 TIMESTAMP_REPLY 17 ADDRESS_MASK_REQUEST 18 ADDRESS_MASK_REPLY Table 52 Legal NetBIOS Commands MESSAGE REQUEST POSITIVE NEGATIVE RETARGET KEEPALIVE ...

Page 173: ... allowed through the router or firewall The ZyWALL blocks all IP Spoofing attempts 9 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and source and destination addresses This remembering i...

Page 174: ... information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this packet and it is not an attack then the setting in the Firewall Default Rule screen determines the action for this packet 4 Based on the obtained state information a firewall rule creates a temporary access list entr...

Page 175: ...rules work by evaluating the network traffic s Source IP address Destination IP address IP protocol type and comparing these to rules set by the administrator Note The ability to define firewall rules is a very powerful tool Using custom rules it is possible to disable all firewall protection or block all access to the Internet Use extreme caution when creating or deleting firewall rules Test chan...

Page 176: ...situation exists for ICMP except that the ZyWALL is even more restrictive Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address mask replies and outgoing timestamp requests will allow incoming timestamp replies No other ICMP packets are allowed in through the firewall simply because they are too dangerous and contain too littl...

Page 177: ...with specific peers and protect by configuring rules to block packets for the services at specific interfaces 6 Protect against IP spoofing by making sure the firewall is active 7 Keep the firewall in a secured locked room 9 7 Packet Filtering Vs Firewall Below are some comparisons between the ZyWALL s filtering and firewall functions 9 7 1 Packet Filtering The router filters packets as they pass ...

Page 178: ...ork session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur 9 7 2 1 When To Use The Firewall 1 To prevent DoS attacks and prevent hackers cracking your network 2 A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better ...

Page 179: ...or firewall CLI commands 10 2 Firewall Policies Overview Firewall rules are grouped based on the direction of travel of packets to which they apply Note The LAN includes both the LAN port and the WLAN By default the ZyWALL s stateful packet inspection allows packets traveling in the following directions LAN to LAN ZyWALL This allows computers on the LAN to manage the ZyWALL and communicate between...

Page 180: ...ic hosts on the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the Source IP address Destination IP address and IP protocol type of network traffic to rules set by the administrator Your customized rules take precedence and override the ZyWALL s default rules 10 3...

Page 181: ...y existing rules Once these questions have been answered adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens 10 3 3 Key Fields For Configuring Rules 10 3 3 1 Action Should the action be to Block or Forward Note Block means the firewall silently discards the packet 10 3 3 2 Service Select the service from the Service scrolling list box...

Page 182: ...d DMZ to DMZ ZyWALL polices apply in the same way to the WAN and DMZ ports 10 4 1 LAN To WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non restricted access to the WAN When you configure a LAN to WAN rule you in essence want to limit some or all users from accessing certain services on the WAN See the following figure Figure 70 LAN to WAN Traffic 10 4 2...

Page 183: ... when a rule is matched in the Edit Rule screen see Figure 75 on page 186 Configure the Log Settings screen to have the ZyWALL send an immediate e mail message to you when an event generates an alert Refer to the chapter on logs for details 10 6 Configuring Firewall Click FIREWALL to open the Default Rule screen Enable or activate the firewall by selecting the Enable Firewall check box as seen in ...

Page 184: ...LAN ZyWALL LAN to WAN LAN to DMZ WAN to LAN WAN to WAN ZyWALL WAN to DMZ DMZ to LAN DMZ to WAN or DMZ to DMZ ZyWALL Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN ZyWALL means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the ZyWALL or the ZyWALL itself Default Action ...

Page 185: ...N to DMZ DMZ to LAN DMZ to WAN or DMZ to DMZ ZyWALL Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN ZyWALL means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the ZyWALL or the ZyWALL itself Action Use the drop down list boxes to select whether to Block silently discard...

Page 186: ...to LAN WAN to DMZ DMZ to DMZ ZyWALL DMZ to LAN or DMZ to WAN for which you want to configure firewall rules Default Policy This field displays the default action and log policy you selected in the Default Rule screen for the packet direction shown in the field above The following read only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction ...

Page 187: ...irewall silently discards the packet Schedule This field tells you whether a schedule is specified Yes or not No Log This field shows you whether a log is created when packets match this rule Enabled or not Disable Alert This field tells you whether this rule generates an alert Yes or not No when the rule is matched Modify Click the edit icon to go to the screen where you can edit the rule Click t...

Page 188: ...ZyWALL 35 User s Guide 186 Chapter 10 Firewall Screens Figure 75 Creating Editing A Firewall Rule ...

Page 189: ...s available Highlight a service from the Available Services box on the left then click to add it to the Selected Service s box on the right To remove a service highlight it in the Selected Service s box on the right then click Custom Service Add Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services Edit Select a custo...

Page 190: ...le Firewall Rule The following Internet firewall rule example allows a hypothetical My Service connection from the Internet Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 57 Creating Editing A Firewall Rule LABEL DESCRIPTION Table 58 Creating Editing A Custom Service LABEL DESCRIPTION Service Name Enter a unique ...

Page 191: ... 2 In the Rule Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 3 Click Insert to display the firewall rule configuration screen 4 Select Any in the Destination Address box and then click Delete 5 Configure the destination address screen as follows and click Add ...

Page 192: ...igure it as follows and click Apply Figure 79 Edit Custom Service Example 7 In the Edit Rule screen use the arrows between Available Services and Selected Service s to configure it as follows Click Apply when you are done Note Custom services show up with an before their names in the Services list box and the Rule Summary list box Click Apply after you ve created your custom service ...

Page 193: ...ZyWALL 35 User s Guide Chapter 10 Firewall Screens 191 Figure 80 My Service Rule Configuration ...

Page 194: ...defines the service Note that there may be more than one IP protocol type For example look at the default configuration labeled DNS UDP TCP 53 means UDP port 53 and TCP port 53 Custom services may also be configured using the Custom Services function discussed previously Table 59 Predefined Services SERVICE DESCRIPTION AIM New ICQ TCP 5190 AOL s Internet Messenger service used as a listening port ...

Page 195: ...0 Internet Group Multicast Protocol is used when sending packets to a specific group of hosts NetBIOS TCP UDP 137 139 45 NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transparent fil...

Page 196: ...25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes...

Page 197: ...th incoming LAN and WAN and DMZ Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyWALL by probing for unused ports If you select this option the ZyWALL will not respond to port request s for unused ports thus leaving the unused ports and the ZyWALL unseen By default this option is not selected and the ZyWALL will reply with ...

Page 198: ...olute number or measured as the arrival rate could indicate that a Denial of Service attack is occurring The ZyWALL measures both the total number of existing half open sessions and the rate of session establishment attempts Both TCP and UDP half open sessions are counted in the total number and rate measurements Measurements are made once a minute When the number of existing half open sessions ri...

Page 199: ...nection requests to the host giving the server time to handle the present connections The ZyWALL continues to block all new connection requests until the Blocking Time expires The ZyWALL also sends alerts whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click the FIREWALL link and then the Threshold tab to bring up t...

Page 200: ...onnection requests Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number The above values say 80 in the Maximum Incomplete Low field and 100 in this field cause the ZyWALL to start deleting half open sessions when the number of existing half open sessions rises above 100 and to stop deleting half open sessions with the number of existing half open sessions drop...

Page 201: ...1 2 Create a Filter List You can select categories such as pornography or racial intolerance to block from a pre defined list 11 1 3 Customize Web Site Access You can specify URLs to which the ZyWALL blocks access You can alternatively block access to all URLs except ones that you specify You can also have the ZyWALL block access to URLs that contain key words that you specify 11 2 General Content...

Page 202: ...estrict a feature When you download a page containing a restricted feature that part of the web page will appear blank or grayed out Block ActiveX ActiveX is a tool for building dynamic and active web pages and distributed object applications When you visit an ActiveX web site ActiveX controls are downloaded to your browser where they remain in case you visit the site again Java Java is a programm...

Page 203: ...hich to send the user when the ZyWALL s content filtering blocks access to a web site Type up to 128 characters The web page that you specify displays in the lower part of the screen The denied access message displays in the top of the screen If you do not specify a redirect URL only the denied access message displays and the lower part of the screen is blank Exempt Computers Enforce content filte...

Page 204: ...ell as view those web site addresses see Section 11 7 on page 213 All of the web site address records are also cleared from the local cache when the ZyWALL restarts 3 If the ZyWALL has no record of the web site it will query the external content filtering database and simultaneously send the request to the web server The external content filtering database may change a web site s category or categ...

Page 205: ...to find to which category a requested web page belongs The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page Matched Web Pages Select Block to prevent users from accessing web pages that match the categories that you select below When external database content filtering blocks access to a web page it displays the denied access message tha...

Page 206: ...quested web page based on the setting in the Block When Content Filter Server Is Unavailable field Select Categories Select All Categories Select this check box to restrict access to all site categories listed below Clear All Categories Select this check box to clear the selected categories below Adult Mature Content Selecting this category excludes pages that contain material of adult nature that...

Page 207: ...n the basis of race religion gender nationality ethnic origin or other characteristics Weapons Selecting this category excludes pages that sell review or describe weapons such as guns knives or martial arts devices or provide information on their use accessories or other modifications It does not include pages that promote collecting weapons or groups that either support or oppose weapons use Abor...

Page 208: ... services such as taxation and emergency services It also includes pages that discuss or explain laws of various governmental entities Military Selecting this category excludes pages that promote or provide information on military branches or armed services Political Activist Groups Selecting this category excludes pages sponsored by or which provide information on political parties special intere...

Page 209: ... that can be classified in other categories such as vehicles or weapons Auctions Selecting this category excludes pages that support the offering and purchasing of goods between individuals This does not include classified advertisements Real Estate Selecting this category excludes pages that provide information on renting buying or selling real estate or properties Society Lifestyle Selecting thi...

Page 210: ...ng this category excludes pages of organizations that provide top level domain pages as well as web communities or hosting services Advanced Basic Click Advanced to see an expanded list of categories or click Basic to see a smaller list Test Web Site Attribute Test if Web site is blocked You can check whether or not the content filter currently blocks any given web page Enter a web site URL in the...

Page 211: ...se You can use a trial application or register your iCard s PIN Refer to the web site s on line help for details Note The web site displays a registration successful web page It may take up to another ten minutes for content filtering to be activated See Section 12 7 on page 224 for how to check the content filtering activation You can manage your registration status or view content filtering repo...

Page 212: ...ble Web site customization Select this check box to allow trusted web sites and block forbidden web sites Content filter list customization may be enabled and disabled without re entering these site names Disable all Web traffic except for trusted Web sites When this box is selected the ZyWALL only allows Web access to sites on the Trusted Web Site list If they are chosen carefully this is the mos...

Page 213: ...ter up to 32 entries Add Forbidden Web Site Enter host names such as www bad site com into this text field Do not enter the complete URL of the site that is do not include http All subdomains are allowed For example entering bad site com also blocks www bad site com partner bad site com press bad site com etc Forbidden Web Sites This list displays the forbidden web sites already added Add Click th...

Page 214: ...hes for keywords within www zyxel com tw 11 6 2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL For example with the URL www zyxel com tw news pressroom php full path URL checking searches for keywords within www zyxel com tw news Use the ip urlfilter customize actionFlags 6 disable enable command to extend or not extend ...

Page 215: ... sites not found in the cache You can also remove individual entries from the cache When you do this the ZyWALL queries the external content filtering database the next time someone tries to access that web site This allows you to check whether a web site s category has been changed Figure 88 Content Filter Cache The following table describes the labels in this screen Table 65 Content Filter Cache...

Page 216: ...heading to sort the entries Point the triangle up to display the blocked URLs before the URLs to which access was allowed Point the triangle down to display the URLs to which access was allowed before the blocked URLs URL This is a web site s address that the ZyWALL previously checked with the external content filtering database Remaining Time hour This is the number of hours left before the URL e...

Page 217: ...ker on the rear side of your device identify it You need to register separately for each device on which you wish to enable content filtering When registering you need to enter a PIN see your iCard Be sure to buy the correct iCard for your device If you wish to try content filtering before buying an iCard then fill in the trial application for a free 30 day trial Content filtering reports are gene...

Page 218: ... user name and password by clicking the hyperlink as shown in the next screen Figure 89 myZyXEL com Login Screen 3 Fill in the required fields and click Submit Table 66 myZyXEL com Numbers TYPES DESCRIPTION Serial Number You need the serial number to register your ZyXEL device Locate the serial number on your ZyXEL device Authentication Code This is the LAN MAC address of your ZyXEL device You nee...

Page 219: ...and Reports 217 Figure 90 myZyXEL com Account Registration 4 A screen appears indicating you have created an account at myZyXEL com Figure 91 Account Registration Successful 5 You will receive a confirmation e mail Click the URL in the e mail to activate your account ...

Page 220: ...count Confirmation E Mail 6 Click Continue to go to the myZyXEL com login screen Figure 93 myZyXEL com Account Activation 12 3 Registering Your ZyXEL Device 1 After you have created a myZyXEL com account log in and register your ZyXEL device by clicking the hyperlink as shown in the next screen ...

Page 221: ... product serial number in the Serial Number field 4 Your device category and model number may automatically display in the Category and Model fields respectively Otherwise select the correct ones from the drop down list boxes 5 Enter the device MAC address in the Authentication Code field 6 Enter a descriptive name in the Friendly Name field for identifying your device 7 Click Register Click here ...

Page 222: ... 96 Add New Product 8 Specify the purchase information and click Continue Figure 97 Product Survey 9 Click Continue again 10After you have registered your ZyXEL device you can view its registration details in the screen shown next Your ZyXEL device MAC address may already be entered here ...

Page 223: ...egister button The following screen opens 2 Enter the user name and password from your myZyXEL com account see Figure 89 on page 216 3 After you register your ZyXEL device click My Product in the navigation panel 4 Click the product name link for your device to view its registration details in the Service Management screen Figure 99 myZyXEL com My Product 5 Click Activate for the content filtering...

Page 224: ...k Submit under Content Filtering Trial to register for a 30 day trial period With the trial registration content filtering functions for 30 days beginning from the date you apply for the trial After the trial you cannot apply for another trial If you ve already registered an iCard s PIN number then you also cannot apply for a trial If you have applied for a trial you can still register the PIN cod...

Page 225: ...om 12 5 Checking Content Filtering Activation After you register for content filtering the web site displays a registration successful web page This does not mean the content filtering is active yet You need to wait up to ten minutes for content filtering to be activated Since there will be no content filtering activation notice you can do the following to see if content filtering is active 1 Go t...

Page 226: ...our product s name click Transfer under Manage Product to move the registered product to another pre registered user account at myZyXEL com click Delete under Manage Product to remove the product registration or click Reinstall under Manage Product to install the product again with another authentication code for up to three times If you have activated a service on a registered product you cannot ...

Page 227: ...that you configured during account registration at myZyXEL com 3 Click Reports Figure 105 Content Filtering Reports Main Screen Note The ZyWALL does not support Single User Reports at the time of writing 4 Select either Allow or Block reports Select a time period in the Select Date Range field and click Run Report 5 A chart and list of requested web site categories display in the lower half of the...

Page 228: ...Click a category to see the URLs that were requested Figure 107 Requested URLs Example 12 8 Configuration File If you restore the ZyWALL to the default rom file or upload a different rom file after you register then you must go to the Service Management screen see Figure 103 on page 223 and click Refresh in the Remark field ...

Page 229: ...for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer 13 1 2 Security Association A Security Association SA is a contract between two parties indicating what security parameters such as keys and algorithms they will use 13 1 3 Other...

Page 230: ...g VPN applications 13 1 4 1 Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites 13 1 4 2 Accessing Network Resources When NAT Is Enabled When NAT is enabled remote users are not able to access hosts on the LAN unless the host is designated a pu...

Page 231: ...rithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanism for the AH and ESP protocols Refer to Section 14 2 on page 233 for more information 13 2 2 Key Management Key management ...

Page 232: ...d forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 13 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is...

Page 233: ...g ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the receiving end When using ESP protocol with authentication the packet contents in this case the entire original packet are encrypted The encr...

Page 234: ...ZyWALL 35 User s Guide 232 Chapter 13 Introduction to IPSec ...

Page 235: ...igned for integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but will allow fo...

Page 236: ...ion using a secret key DES applies a 56 bit key to each 64 bit block of data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x 56 168 bits effectively doubling the strength of DES AES Advanced Encryption Standard is a newer method of data encryption that also uses a secret key This implementation of AES applies a 128 bit key to 128 bit blocks of data ...

Page 237: ...dress may be configured as 0 0 0 0 only when using IKE key management and not Manual key management 14 5 Nailed Up When you initiate an IPSec tunnel with nailed up enabled the ZyWALL automatically renegotiates the tunnel when the IPSec SA lifetime period expires see Section 14 8 on page 238 for more on the IPSec SA lifetime In effect the IPSec tunnel becomes an always on connection after you initi...

Page 238: ...or IPSec router A see Figure 111 on page 236 to receive an initiating IPSec packet from IPSec router B set the NAT router to forward UDP port 500 to IPSec router A 14 7 ID Type and Content With aggressive negotiation mode see Section 14 8 1 on page 239 the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted This enables the ZyWALL to distinguis...

Page 239: ...address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e mail address Table 70 Peer ID Type and Content Fields PEER ID TYPE CONTENT IP Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Remote Gateway Address field D...

Page 240: ...uses that SA to negotiate SAs for IPSec Figure 112 Two Phases to Set Up the IPSec SA In phase 1 you must Choose a negotiation mode Authenticate the connection by entering a pre shared key Choose an encryption algorithm Peer ID type IP Peer ID type E mail Peer ID content 1 1 1 2 Peer ID content tom yourcompany com Table 72 Mismatching ID Type and Content Configuration Example ZYWALL A ZYWALL B Loca...

Page 241: ...here is no traffic If an IPSec SA times out then the IPSec router must renegotiate the SA the next time someone attempts to send traffic 14 8 1 Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association SA will be established for each connection through IKE negotiations Main Mode ensures the highest level of security when the communicating parties are negotiat...

Page 242: ...ch security so PFS is disabled None by default in the ZyWALL Disabling PFS means new authentication and encryption keys are derived from the same root secret which may have security implications in the long run but allows faster SA setup by bypassing the Diffie Hellman key exchange 14 9 X Auth Extended Authentication Extended authentication provides added security by allowing you to use usernames ...

Page 243: ...ork policy Click this icon to delete a gateway or network policy When you delete a gateway policy the ZyWALL automatically deletes the network policy ies associated to that gateway policy Click this icon to establish a VPN connection to a remote network This indicates that a gateway or network policy is not active 14 11 IPSec Fields Summary A VPN Virtual Private Network tunnel gives you a secure c...

Page 244: ...e network IP addresses must be static 14 12 IKE VPN Rule Summary Screen Click VPN to display the VPN Rules IKE screen This is a read only menu of your IPSec rule tunnel To add an IPSec rule or gateway policy click the add gateway policy icon Edit an IPSec rule by clicking the edit icon to configure the associated submenus Refer to Table 73 on page 241 for descriptions of the icons used in this scr...

Page 245: ...t an associated gateway policy When there is a network policy in the Recycle Bin the Recycle Bin gateway policy automatically displays in this screen See Section 14 12 2 1 on page 253 for more information 14 12 1 Configuring an IKE Gateway Policy In the VPN Rule IKE screen click the add gateway policy icon or the edit icon to display the VPN Gateway Policy Edit screen ...

Page 246: ...ZyWALL 35 User s Guide 244 Chapter 14 VPN Screens Figure 116 VPN Rules IKE Gateway Policy Edit ...

Page 247: ...N port that is in use When the WAN port operation mode is set to Active Active the ZyWALL uses the IP address static or dynamic of the primary highest priority WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up If the corresponding WAN1 or WAN2 connection goes down the ZyWALL uses the IP address of the other WAN port If both WAN connections go down the ZyW...

Page 248: ...e My ZyWALL field refer to the My ZyWALL field description if you configure the local Content field to 0 0 0 0 or leave it blank It is recommended that you type an IP address other than 0 0 0 0 in the local Content field or use the DNS or E mail ID type in the following situations When there is a NAT router between the two IPSec routers When you want the remote IPSec router to be able to distingui...

Page 249: ...ss from the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection For Subject Name type the subject name of the certificate the remote IPSec router will use for this VPN connection Use up to255 ASCII characters including spaces For Any the peer Content field is not available Regardless of how you configure the ID Type and Content fields two acti...

Page 250: ... Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field It may range from 180 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing remote resources are temporarily disconnected Key Group ...

Page 251: ...igure a VPN policy click VPN and the add network policy icon in the VPN Rules IKE screen A screen displays as follows Apply Click Apply to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 74 VPN Rules IKE Gateway Policy Edit continued LABEL DESCRIPTION ...

Page 252: ...ZyWALL 35 User s Guide 250 Chapter 14 VPN Screens Figure 117 VPN Rules IKE Network Policy Edit ...

Page 253: ...ork and vice versa Select this check box to send NetBIOS packets through the VPN connection Check IPSec Tunnel Connectivity Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router The ZyWALL pings the IP address every minute The ZyWALL starts the IPSec connection idle timeout timer when it sends ...

Page 254: ...ield is configured to Single Address enter a static IP address on the network behind the remote IPSec router When the Addr Type field is configured to Range Address enter the beginning static IP address in a range of computers on the network behind the remote IPSec router When the Address Type field is configured to Subnet Address enter a static IP address on the network behind the remote IPSec ro...

Page 255: ...s not so secure Select DH1 or DH2 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower Enable Replay Detection As a VPN setup is processing intensive the system is vulnerable to Denial of Service DOS attacks The IPSec receiver can detect and reject old or duplicate packets to protect agai...

Page 256: ... displays the policy name Local Network This field displays one or a range of IP address es of the computer s behind the ZyWALL Remote Network This field displays one or a range of IP address es of the remote network behind the remote IPsec router Gateway Policy Information Gateway Policy Select the name of a VPN rule or gateway policy to which you want to associate this VPN network policy If you ...

Page 257: ... A static IP address and a subnet mask are displayed when the Local Network Address Type field in the VPN Manual Key Edit screen is configured to Subnet Address Remote Network This is the IP address es of computer s on the remote network behind the remote IPSec router This field displays N A when the Remote Gateway Address field displays 0 0 0 0 In this case only the remote IPSec router can initia...

Page 258: ...he administrator associated with the SPI to establish the tunnel Note Current ZyXEL implementation assumes identical outgoing and incoming SPIs Click the edit icon on the VPN Rules Manual screen to edit VPN rules Remote Gateway Address This is the static WAN IP address or domain name of the remote IPSec router Modify Click the edit icon to edit the VPN policy Click the delete icon to remove the VP...

Page 259: ... this VPN policy You may use any character including spaces but the ZyWALL drops trailing spaces Allow NetBIOS Traffic Through IPSec Tunnel NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to find other computers It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote...

Page 260: ...s a subnet mask on the LAN behind your ZyWALL Remote Network Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses Two active SAs cannot have the local and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as ...

Page 261: ...escribed next Select AH if you want to use AH Authentication Header Protocol The AH protocol RFC 2402 was designed for integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed If you select AH here you must select options from the Authentication Algorithm field described next Encryption Algorithm Select DES 3DES or...

Page 262: ...ng Table 78 VPN Rules Manual Edit continued LABEL DESCRIPTION Table 79 VPN SA Monitor LABEL DESCRIPTION This is the security association index number Name This field displays the identification name for this VPN policy Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL Remote Network This field displays IP address in a range of computers on ...

Page 263: ...traffic is received from a remote IPSec router after the specified time period the ZyWALL checks the VPN connectivity If the remote IPSec router does not reply the ZyWALL automatically disconnects the VPN tunnel Enter the time period between 30 and 3600 seconds to wait before the ZyWALL checks all of the VPN connections to remote IPSec routers Enter 0 to disable this feature Gateway Domain Name Up...

Page 264: ...he telecommuters must all use the same IPSec parameters but the local IP addresses or ranges of addresses should not overlap Figure 123 Telecommuters Sharing One VPN Rule Example 14 16 2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters A B and C in the figure use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses use Dynamic DNS to do th...

Page 265: ...by its ID type and content and uses the appropriate VPN rule to establish the VPN connection The ZyWALL at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names Figure 124 Telecommuters Using Unique VPN Rules Example Table 82 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rul...

Page 266: ...al ID Content telecommuterb com Peer ID Content telecommuterb com Local IP Address 192 168 3 2 Remote Gateway Address telecommuterb dydns org Remote Address 192 168 3 2 Telecommuter C telecommuterc dydns org Headquarters ZyWALL 35 Rule 3 Local ID Type E mail Peer ID Type E mail Local ID Content myVPN myplace com Peer ID Content myVPN myplace com Local IP Address 192 168 4 15 Remote Gateway Address...

Page 267: ...cryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the private key and makes the public key openly available 3 Tim uses his private key to encrypt the message and sends it to Jenny 4 Jenny receives the message and uses Tim s public key to decrypt it 5 Ad...

Page 268: ...authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys 15 2 Self signed Certificates Until public key infrastructure becomes more mature it may not be available in some areas You can have the ZyWALL act as a certification authority and sign its own certificates 15 3 Configuration Summary This section summarize...

Page 269: ...tly in use The bar turns from green to red when the maximum is being approached When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates Replace This button displays when the ZyWALL has the factory default certificate The factory default certificate is common to all ZyWALLs that use certificates ZyXEL recommends that you use this button t...

Page 270: ... has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the certificate A window displays ...

Page 271: ...EM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses 64 ASCII characters to convert a binary PKCS 7 certificate into a printable form 15 6 Importing a Certificate Click CERTIFICATES My Certificates and then Import to open the My Certificate Import screen Follow the instructions in this screen to save an existing certificate to the ZyWALL see the following figure Note You can only i...

Page 272: ...te enroll a certificate with a certification authority or generate a certification request see the following figure Figure 128 My Certificate Create Table 84 My Certificate Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the c...

Page 273: ...ps trailing spaces Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a self signed certificate Select Create a self signed certificate to have the...

Page 274: ...otocol Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineering Task Force IETF a...

Page 275: ...ZyWALL 35 User s Guide Chapter 15 Certificates 273 Figure 129 My Certificate Details ...

Page 276: ... the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certi...

Page 277: ... the ZyWALL calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You ca...

Page 278: ...nformation about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company ...

Page 279: ...have selected the Issues certificate revocation lists CRL check box in the certificate s details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the certificate A wind...

Page 280: ...tificate change the certificate s name and set whether or not you want the ZyWALL to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Table 88 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the cert...

Page 281: ...p to 31 characters to identify this key certificate You may use any character not including spaces Property Check incoming certificates issued by this CA against a CRL Select this check box to have the ZyWALL check incoming certificates that are issued by this certification authority against a Certificate Revocation List CRL Clear this check box to have the ZyWALL not check incoming certificates t...

Page 282: ... s issuing certification authority such as Common Name Organizational Unit Organization and Country With self signed certificates this is the same information as in the Subject Name field Signature Algorithm This field displays the type of algorithm that was used to sign the certificate Some certification authorities use rsa pkcs1 sha1 RSA public private key encryption algorithm and the SHA1 hash ...

Page 283: ...heir certificate SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail...

Page 284: ...field displays the name used to identify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Valid From This field displays the date that the certificate becomes applicable The text...

Page 285: ...e following procedure describes how to use a certificate s fingerprint to verify that you have the remote host s actual certificate 1 Browse to where you have the remote host s certificate saved on your computer 2 Make sure that the certificate has a cer or crt file name extension Figure 134 Remote Host Certificates 3 Double click the certificate s icon to open the Certificate window Click the Det...

Page 286: ... Remote Host s Certificate Click CERTIFICATES Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen Follow the instructions in this screen to save a trusted host s certificate to the ZyWALL see the following figure Note The trusted remote host certificate must be a self signed certificate and you must remove any spaces from...

Page 287: ...Remote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certificate s name Table 91 Trusted Remote Host Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Ap...

Page 288: ... to identify this key certificate You may use any character not including spaces Certification Path Click the Refresh button to have this read only text box display the end entity s own certificate and a list of certification authority certificates in the hierarchy of certification authorities that validate a certificate s issuing certification authority For a trusted host the list consists of the...

Page 289: ... or Expired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate s owner s IP address IP domain name DNS or e mail address ...

Page 290: ...rtificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file...

Page 291: ...nnecessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This field displays th...

Page 292: ...mal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change the server port number if needed however you must use the same server port number that the directory server uses 389 is the default server port number for LDAP Login Setting Login The ZyWALL may need to au...

Page 293: ...r database for VPN extended authentication and wireless LAN security See Section 6 5 1 on page 108 for more information about RADIUS 16 2 Local User Database By storing user profiles locally on the ZyWALL your ZyWALL is able to authenticate users without interacting with a network RADIUS server However there is a limit on the number of users you may authenticate in this way 16 3 RADIUS The ZyWALL ...

Page 294: ...ZyWALL 35 User s Guide 292 Chapter 16 Authentication Server Figure 140 Local User Database ...

Page 295: ...pen the following screen where you can set up your ZyWALL s RADIUS server settings Figure 141 RADIUS Table 95 Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile User Name Enter the user name of the user profile Password Enter a password up to 31 characters long for this user profile Apply Click Apply to save your changes back to the ZyWALL Reset Click Res...

Page 296: ...shared between the external authentication server and the ZyWALL The key is not sent over the network This key must be the same on the external authentication server and ZyWALL Accounting Server Active Select the check box to enable user accounting through an external authentication server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Numb...

Page 297: ...he IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet when the packe...

Page 298: ...servers for Many to One and Many to Many Overload mapping NAT offers the additional benefit of firewall protection With no servers defined your ZyWALL filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 17 1 3 How NAT Works Each packet has two addresses a source...

Page 299: ...T Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the ZyWALL can communicate with three distinct WAN networks More examples follow at the end of this chapter Figure 143 NAT Application With IP Alias ...

Page 300: ...P address to 2 and port to B Since 1 A has already sent packets to 3 C and 4 D they can send packets back to 2 B and the ZyWALL will perform NAT on them and send them to the server at IP address 1 port A Packets have not been sent from 1 A to 4 E or 5 so they cannot send packets to 1 A Figure 144 Port Restricted Cone NAT Example 17 1 6 NAT Mapping Types NAT supports five types of IP port mapping T...

Page 301: ...nd Server The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Select either SUA or Full Feature in NAT Overview Selecting SUA means latent multiple WAN to LAN and WAN to DMZ address translation That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping...

Page 302: ... Sessions This read only field displays the highest number of NAT sessions that the ZyWALL will permit at one time Max Concurrent Sessions Per Host Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time WAN Operation Mode This read only field displays the operation mode of the ZyWALL s WAN ports WAN 1 2 Enable NAT Select this check box to tu...

Page 303: ...ber shows how many address mapping rules are configured on the ZyWALL The second number shows the maximum number of address mapping rules that can be configured on the ZyWALL Port Forwarding Rules The bar displays how many of the ZyWALL s possible port forwarding rules are configured The first number shows how many port forwarding rules are configured on the ZyWALL The second number shows the maxi...

Page 304: ... IP This refers to the Inside Local Address ILA which is the starting local IP address If the rule is for all local IP addresses then this field displays 0 0 0 0 as the Local Start IP address Local IP addresses are N A for Server port mapping Local End IP This is the end Inside Local Address ILA If the rule is for all local IP addresses then this field displays 255 255 255 255 as the Local End IP ...

Page 305: ...on ZyXEL s Single User Account feature that previous ZyXEL routers supported only 3 Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One mode maps each local IP address to unique global IP addresses 5 Server allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Modify Click the edit ico...

Page 306: ...type from one of the following 1 One to One One to one mode maps one local IP address to one global IP address Note that port numbers do not change for One to one NAT mapping type 2 Many to One Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature 3 Many to Many Overload Many to Many...

Page 307: ...en used port numbers are shown in the following table Please refer to RFC 1700 for further information about port numbers Please also refer to the Supporting CD for more examples and details on port forwarding and NAT 17 5 3 Configuring Servers Behind Port Forwarding Example Let s say you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the exam...

Page 308: ...gh a single WAN IP address When you use port translation with port forwarding multiple servers on the LAN or DMZ can use the same port number and still be accessible to the outside world through a single WAN IP address The following example has two web servers on a LAN Server A uses IP address 192 168 1 33 and server B uses 192 168 1 34 Both servers use port 80 The letters a b c d represent the WA...

Page 309: ...ceived for ports that are not specified here or in the remote management setup Click NAT and Port Forwarding to open the Port Forwarding screen Refer to Figure 102 on page 305 for port numbers commonly used for particular services Note The last port forwarding rule is reserved for Roadrunner services The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to ...

Page 310: ...list box to display the corresponding summary page of the port forwarding servers This is the number of an individual port forwarding server entry Active Select this check box to enable the port forwarding server entry Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry Name Enter a name to identify this port forwarding rule Incoming Po...

Page 311: ...ecific port number and protocol a trigger port When the ZyWALL s WAN port receives a response with a specific port number and protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the LAN can use the service in the same manner This way you do not need to configu...

Page 312: ...s the labels in this screen Table 104 Port Triggering LABEL DESCRIPTION WAN Interface Select the WAN port for which you want to view or configure address mapping rules This is the rule index number read only Name Type a unique name up to 15 characters for identification purposes All characters are permitted including spaces Incoming Incoming is a port or a range of ports that a server on the WAN u...

Page 313: ... the LAN computer that sent the traffic to a server on the WAN Start Port Type a port number or the starting port number in a range of port numbers End Port Type a port number or the ending port number in a range of port numbers Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Table 104 Port Triggering LABEL DESCRIPTION ...

Page 314: ...ZyWALL 35 User s Guide 312 Chapter 17 Network Address Translation NAT ...

Page 315: ...use it doesn t know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you to tell the ZyWALL about the networks beyond the remote nodes Figure 153 Example of Static Routing Topology 18 2 Configuring IP Static Route Click STATIC ROUTE to open the IP Static Route screen some of the screen s blank rows are not shown Note The first two static ro...

Page 316: ...nation This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Edit Select the radio button next to a static route index number and then click Ed...

Page 317: ...to be identical to the host ID IP Subnet Mask Enter the IP subnet mask here Gateway IP Address Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Metric Metric represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of ...

Page 318: ...ZyWALL 35 User s Guide 316 Chapter 18 Static Route ...

Page 319: ... of the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost paths for batch traffic Load Sharing Network administrators can use IPPR to distribute traffic among multiple paths 19 3 Routing Policy Individual routing policies are used as part of the overall IPPR process A ...

Page 320: ...PPR follows the existing packet filtering facility of RAS in style and in implementation 19 4 IP Routing Policy Setup Click POLICY ROUTE to open the Policy Route Summary screen some of the screen s blank rows are not shown Figure 156 Policy Route Summary ...

Page 321: ... is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Protocol This is the IP protocol and can be ICMP UDP TCP or ALL Action This field specifies whether action should be taken on criteria Matched or Not Matched Modify Click the edit icon to go to the screen where you can edit the routing policy on the ZyWALL Clic...

Page 322: ...licy Rule Index This is the index number of the policy route IP Protocol Select Predefined and then the IP protocol from ALL 0 ICMP 1 IGMP 2 TCP 6 UDP 17 GRE 47 ESP 50 or AH 51 Otherwise select Custom and enter a number from 0 to 255 Type of Service Prioritize incoming network traffic by choosing from Any Normal Min Delay Max Thruput Max Reliable or Mix Cost Precedence Precedence value of the inco...

Page 323: ...criteria Matched or Not Matched Routing Action Gateway Select User Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination The gateway must be a router on the same segment as your ZyWALL s LAN or WAN port Select WAN Interface to have the ZyWALL send traff...

Page 324: ...ZyWALL 35 User s Guide 322 Chapter 19 Policy Route ...

Page 325: ...and dropped packets at the next routing device For example you can set the WAN interface speed to 1024 kbps or less if the broadband device connected to the WAN port has an upstream speed of 1024 kbps 20 2 Bandwidth Classes and Filters Use bandwidth classes and sub classes to allocate specific amounts of bandwidth capacity bandwidth budgets Configure a bandwidth filter to define a bandwidth class ...

Page 326: ...t based Bandwidth Management You can create bandwidth classes based on subnets The following figure shows LAN subnets You could configure one bandwidth class for subnet A and another for subnet B Figure 158 Subnet based Bandwidth Management Example 20 6 Application and Subnet based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application Th...

Page 327: ...ilable bandwidth on the interface including unallocated bandwidth and any allocated bandwidth that a class is not using among the bandwidth classes that require more bandwidth When you enable maximize bandwidth usage the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment Next the ZyWALL divides up an interface s available bandwidth bandwidth that is unbudgeted or ...

Page 328: ...out when you do not select the maximize bandwidth option The ZyWALL divides up the unbudgeted 2048 kbps among the classes that require more bandwidth If the administration department only uses 1024 kbps of the budgeted 2048 kbps the ZyWALL also divides the remaining 1024 kbps among the classes that require more bandwidth Therefore the ZyWALL divides a total of 3072 kbps of unbudgeted and unused ba...

Page 329: ...idth Each class gets up to its budgeted bandwidth The administration class only uses 1024 kbps of its budgeted 2048 kbps The ZyWALL divides the total 3072 kbps total of unbudgeted and unused bandwidth equally among the other classes 1024 kbps extra goes to each so the other classes each get a total of 3072 kbps 20 9 Bandwidth Borrowing Bandwidth borrowing allows a sub class to borrow unused bandwi...

Page 330: ...ales USA class because the Amy class has bandwidth borrowing disabled The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled The Research Software and Hardware classes can also borrow unused bandwidth from the Root class because the Research class also has bandwidth...

Page 331: ...to traffic that does not match any of the classes 20 10 Configuring Summary Click BW MGMT to open the Summary screen Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface Figure 159 Bandwidth Manager Summary The following table describes the labels in this screen Table 114 Bandwidth Manager Summary LABEL DESCRIPTION WAN1 WAN2 LAN DMZ These read only l...

Page 332: ...on page 330 The recommendation is to set this speed to match what the device connected to the port can handle For example set the WAN interface speed to 1000 kbps if the broadband device connected to the WAN port has an upstream speed of 1000 kbps Scheduler Select either Priority Based or Fairness Based from the drop down menu to control the traffic flow Select Priority Based to give preference to...

Page 333: ...k Delete to delete the class and all its sub classes You cannot delete the root class Statistics Click Statistics to display the status of the selected class Filter List This list displays the bandwidth management filters that are configured for the classes on the selected interface The ZyWALL applies the bandwidth management filters in the order that they appear here Once a connection matches a b...

Page 334: ...e destination port for connections to which this bandwidth management filter applies Source IP Address This is the source IP address for connections to which this bandwidth management filter applies Source Port This is the source port for connections to which this bandwidth management filter applies Protocol ID This is the protocol ID service type number for connections to which this bandwidth man...

Page 335: ...e priority of this class The higher the number the higher the priority The default setting is 3 Borrow bandwidth from parent class Select this option to allow a sub class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth budget Bandwidth borrowing is governed by the priority of the sub classes That is a sub class with the highest priority 7 is the first to...

Page 336: ...kes it easier to manage bandwidth for SIP traffic and is useful for example when there is a VoIP Voice over Internet Protocol device on your LAN Select Custom from the drop down list box if you do not want to use a predefined application for the bandwidth class When you select Custom you need to configure at least one of the following fields other than the Subnet Mask fields which you only enter i...

Page 337: ...he ZyWALL Cancel Click Cancel to exit this screen without saving Table 117 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP...

Page 338: ...ed Tx Bytes This field displays the total number of bytes transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in bps for the past one to eight seconds For example t 1 means one second ago Update Perio...

Page 339: ...s that is not allocated to bandwidth classes If you do not enable maximize bandwidth usage on an interface the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes a a If you allocate all the root class s bandwidth to the bandwidth classes the default class still displays a budget of 2 kbps the minimum amount of bandwidth that can be assi...

Page 340: ...ZyWALL 35 User s Guide 338 Chapter 20 Bandwidth Management ...

Page 341: ...our ISP gives you DNS server addresses manually enter them in the DNS server fields 2 If your ISP dynamically assigns the DNS server IP addresses along with the ZyWALL s WAN IP address set the DNS server fields to get the DNS server address from the ISP 3 You can manually enter the IP addresses of other DNS servers These servers can be public or private A DNS server could even be behind a remote I...

Page 342: ... to the same IP address as yourhost com This feature is useful if you want to be able to use for example www yourhost com and still reach your hostname 21 5 Name Server Record A name server record contains a DNS server s IP address The ZyWALL can query the DNS server to resolve domain names for features like VPN DDNS and the time server A domain zone may also be included A domain zone is a fully q...

Page 343: ...not specify an Intranet DNS server on the remote network then the VPN host must use IP addresses to access the computers on the remote private network 21 6 The System Screen To configure your ZyWALL s DNS address and name server records click DNS The screen appears as shown Figure 165 System DNS ...

Page 344: ...ver Record A name server record contains a DNS server s IP address The ZyWALL can query the DNS server to resolve domain names for features like VPN DDNS and the time server When the ZyWALL needs to resolve a domain name it checks it against the name server record entries in the order that they appear in this list A indicates a name server record without a domain zone The default record is grayed ...

Page 345: ...y up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is the second level domain and com tw is the top level domain IP Address If this entry is for one of the WAN ports select WAN Interface and select WAN 1 or WAN 2 from the drop down list box For entries that are not for one of the WAN ports select Custom and enter the IP addre...

Page 346: ...n an IP address N A displays for all of the DNS server IP address fields if the ZyWALL has a fixed WAN IP address Select Public DNS Server if you have the IP address of a DNS server The IP address must be public or a private address on your local LAN Enter the DNS server s IP address in the field to the right Public DNS Server entries with the IP address set to 0 0 0 0 are not allowed Select Priva...

Page 347: ...nd DNS timeout period A negative response means that the ZyWALL did not receive a response for a query it sent to a DNS server within the five second DNS timeout period When the ZyWALL receives DNS queries it compares them against the DNS cache before querying a DNS server If the DNS query matches a positive entry the ZyWALL responses with the IP address from the entry If the DNS query matches a n...

Page 348: ...y queried domain names for which DNS resolution has failed and reduces the amount of traffic that the ZyWALL sends out to the WAN Negative Cache Period Type the time 60 to 3600 seconds that the ZyWALL is to allow a negative resolution entry to remain in the DNS cache before discarding it Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen af...

Page 349: ...s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Select DNS Relay to have the ZyWALL act as a DNS proxy The ZyWALL s LAN IP address displays in the field to t...

Page 350: ...o have a domain name The Dynamic DNS service provider will give you a password or key Note You must go to the Dynamic DNS service provider s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL 21 10 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be aliased to the same IP address as yourhost d...

Page 351: ...d the underscore Spaces are not allowed My Domain Names Domain Name 1 5 Enter the host names in these fields DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider Select Dynamic if you have the Dynamic DNS service Select Static if you have the Static DNS service Select Custom if you have the Custom DNS service Offline This option is available when ...

Page 352: ...ormal WAN port does not have a connection If the WAN port specified in the WAN Interface field does not have a connection the ZyWALL will attempt to use the IP address of another WAN port to update the domain name When the WAN ports are in the active passive operating mode the ZyWALL will update the domain name with the IP address of whichever WAN port has a connection regardless of the setting in...

Page 353: ...ALL from a remote location via Note When you choose WAN only or ALL LAN WAN DMZ you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field You may only have one remote management session running at a time The ZyWALL automatically disconnects a remote management session of lower priority when another ...

Page 354: ...change the timeout period in the System screen 22 2 Introduction to HTTPS HTTPS HyperText Transfer Protocol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthorized party cannot read the transferred data authentication...

Page 355: ...erver 2 HTTP connection requests from a web browser go to port 80 by default on the ZyWALL s WS web server Figure 171 HTTPS Implementation Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen then the ZyWALL blocks all HTTP connection attempts 22 3 Configuring WWW To change your ZyWALL s web settings click REMOTE MGMT to open the WWW screen ...

Page 356: ... J on page 643 on importing certificates for details Server Port The HTTPS proxy server listens on port 443 by default If you change the HTTPS proxy server port to a different number on the ZyWALL for example 8443 then you must notify people who need to access the ZyWALL web configurator to use https ZyWALL IP Address 8443 as the URL Server Access Select a ZyWALL interface from Server Access on wh...

Page 357: ...screen if you select No then web configurator access is blocked Figure 173 Security Alert Dialog Box Internet Explorer Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this service Secure Clie...

Page 358: ...is from the ZyWALL If Accept this certificate temporarily for this session is selected then click OK to continue in Netscape Select Accept this certificate permanently to import the ZyWALL s certificate into the SSL client Figure 174 Security Certificate 1 Netscape Figure 175 Security Certificate 2 Netscape 22 4 3 Avoiding the Browser Warning Messages The following describes the main reasons that ...

Page 359: ...on name specified in the certificate that your ZyWALL sends to HTTPS clients a Click REMOTE MGMT Write down the name of the certificate displayed in the Server Certificate field b Click CERTIFICATES Find the certificate and check its Subject column CN stands for certificate s common name see Figure 179 on page 359 for an example Use this procedure to have the ZyWALL use a certificate with a common...

Page 360: ...pter 22 Remote Management Figure 176 Login Screen Internet Explorer Figure 177 Login Screen Netscape Click Login and you then see the next screen The factory default certificate is a common default certificate for all ZyWALL models ...

Page 361: ...ZyWALL s MAC address that will be specific to this device Click CERTIFICATES to open the My Certificates screen You will see information similar to that shown in the following figure Figure 179 Device specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate You will then see this information in the My Certificates screen ...

Page 362: ... in clear text SSH Secure Shell is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network Figure 181 SSH Communication Example 22 6 How SSH works The following table summarizes how a secure connection is established between two remote hosts ...

Page 363: ...yption Method Once the identification is verified both the client and server must agree on the type of encryption method to use 3 Authentication and Data Transmission After the identification is verified and data encryption activated a secure tunnel is established between the client and the server The client then sends its authentication information user name and password to the server to log in t...

Page 364: ...LL for SSH connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 15 on page 265 for details Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may acc...

Page 365: ...er or device name for the ZyWALL 2 Configure the SSH client to accept connection using SSH version 1 3 A window displays prompting you to store the host key in you computer Click Yes to continue Figure 184 SSH Example 1 Store Host Key Enter the password to log in to the ZyWALL The SMT main menu displays next 22 9 2 Example 2 Linux This section describes how to access the ZyWALL using the OpenSSH c...

Page 366: ...efer to your SSH client program user s guide 1 Enter sftp 1 192 168 1 1 This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message displays prompting you to save the host information of the ZyWALL Type yes and press ENTER 2 Enter the password to login to the ZyWALL 3 Use the ...

Page 367: ...creen appears as shown sftp 1 192 168 1 1 Connecting to 192 168 1 1 The authenticity of host 192 168 1 1 192 168 1 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d 80 53 d1 Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 1 1 RSA1 to the list of known hosts Administrator 192 168 1 1 s password sftp put firmware bin ras U...

Page 368: ...ON Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this service Secure Client IP Address A secure client is a trusted computer that is allowed to communicate with the ZyWALL using this servic...

Page 369: ...Note SNMP is only available if TCP IP is configured Table 129 FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this service Secure Client IP Address A secure client is a ...

Page 370: ...of variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following...

Page 371: ...ESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebo...

Page 372: ...ult is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Access Select the interface s through which a computer may access the ZyWALL using this service Secure Clie...

Page 373: ...at allows an administrator from any location to easily configure manage monitor and troubleshoot ZyXEL devices located worldwide See the Vantage CNM User s Guide for details Table 132 DNS LABEL DESCRIPTION Server Port The DNS service port number is 53 and cannot be changed here Service Access Select the interface s through which a computer may send DNS queries to the ZyWALL Secure Client IP Addres...

Page 374: ...Information Registration Status This read only field displays Not Registered when Enable is not selected It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server It will continue to display Registering until it successfully registers with the Vantage CNM server It will not be able to...

Page 375: ...uter here and configure the NAT router to forward UDP port 1864 traffic to the Vantage CNM server If the Vantage CNM server is behind a firewall you may have to create a rule on the firewall to allow UDP port 1864 traffic through to the Vantage CNM server most new ZyXEL firewalls automatically allow this Encryption Algorithm The Encryption Algorithm field is used to encrypt communications between ...

Page 376: ...ZyWALL 35 User s Guide 374 Chapter 22 Remote Management ...

Page 377: ...ear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 23 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically configure network addressing announce their presence in the network to other UPnP devices and enable exchange of simple...

Page 378: ...writing ZyXEL s UPnP implementation supports Windows Messenger 4 6 and 4 7 while Windows Messenger 5 0 and Xbox are still being tested The ZyWALL only sends UPnP multicasts to the LAN Please see later in this User s Guide for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 23 3 Configuring UPnP Click UPnP to display the screen shown next Figu...

Page 379: ...mple by using NAT traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device this eliminates the need to manually configure port forwarding for the UPnP enabled application Allow UPnP to pass through Firewall Select this check box to allow traffic from UPnP enabled applications to bypass the firewall Clear this check box to have...

Page 380: ...nal IP address the NAT rule has the ZyWALL forward inbound packets to the Internal Client from that IP address only External Port This field displays the port number that the ZyWALL listens on on the WAN port for connection requests destined for the NAT rule s Internal Port and Internal Client The ZyWALL forwards incoming packets from the WAN with this port number to the Internal Client on the Int...

Page 381: ...Panel Double click Add Remove Programs 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details 3 In the Communications window select the Universal Plug and Play check box in the Components selection box 4 Click OK to go back to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted ...

Page 382: ...ort of the ZyXEL device Turn on your computer and the ZyXEL device 1 Click Start Settings and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window displays 4 Select Networking Service in the Components selection box and click Details 5 I...

Page 383: ...anel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties 3 In the Internet Connection Properties window click Settings to see the port mappings that were automatically created You may edit or delete the port mappings or click Add to manually add port mappings ...

Page 384: ... With UPnP you can access the web based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first This is helpful if you do not know the IP address of the ZyXEL device 4 Select the Show icon in notification area when connected check box and click OK An icon displays in the system tray 5 Double click the icon to display your current Internet connection status ...

Page 385: ... Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places under Other Places 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click the icon for your ZyXEL device and select Invoke The web configurator login screen displays ...

Page 386: ...ZyWALL 35 User s Guide 384 Chapter 23 UPnP 6 Right click the icon for your ZyXEL device and select Properties A properties window displays with basic information about the ZyXEL device ...

Page 387: ...S to open the View Log screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Section 24 3 on page 387 Options include logs about system maintenance system errors access control allowed or blocked web sites blocked web features such as ActiveX controls java and cookies attacks such as DoS and IPSec Log entries in red indicate system error...

Page 388: ...ime the log was recorded See Section 25 5 on page 398 to configure the ZyWALL s time and date Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional information about the log entry E...

Page 389: ...es such as cookies active X and so on Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black Note Alerts are e mailed as soon as they happen Logs may be e mailed as soon as the log is full see Log Schedule Selecting many alert and or log categories especially Access Contr...

Page 390: ...ZyWALL 35 User s Guide 388 Chapter 24 Logs Screens Figure 198 Log Settings ...

Page 391: ...wn list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs SMTP Authentication SMTP Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another Select the check box to activate SMTP authenticati...

Page 392: ...s when an individual web page loads it may contain references to other web sites that also get counted as hits The ZyWALL records web site hits by counting the HTTP GET packets Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits thus the web hit count is not yet 100 accurate To change your ZyWALL s log reports click LOGS then the Reports tab The scr...

Page 393: ...he ZyWALL Reset Click Reset to begin configuring this screen afresh Interface Select on which interface LAN or DMZ the logs will be collected The logs on the DMZ or LAN IP alias 1 and 2 are also recorded Report Type Use the drop down list box to select the type of reports to display Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have...

Page 394: ...x to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports Table 140 Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN The names are ranked by the number of visits to each web site and listed in d...

Page 395: ... Table 141 Protocol Port Report LABEL DESCRIPTION Protocol Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL The protocols or service ports are listed in descending order with the most used protocol or service port listed first Direction This field displays Incoming to denote traffic that is coming in from the WAN to the LAN or DMZ This fi...

Page 396: ... WAN to the LAN or DMZ This field displays Outgoing to denote traffic that is going out from the LAN or DMZ to the WAN Amount This column displays how much traffic has gone to and from the listed LAN IP addresses The measurement unit shown bytes Kbytes Mbytes or Gbytes varies with the amount of traffic sent to and from the LAN IP address The count starts over at 0 if the total traffic sent to and ...

Page 397: ...tification tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP click Start My Computer View system information and then click the Comput...

Page 398: ...not allowed but dashes and underscores _ are accepted Domain Name Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via DHCP The domain name entered by you is given priority over the ISP assigned domain name Administrator Inactivity Timer Type how many minutes a management session either via the web configurator or SMT can be left idle before ...

Page 399: ...onization fails then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined NTP time servers have been tried Table 145 Password Setup LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field New Password Type your new system password up to 30 characters N...

Page 400: ...date click MAINTENANCE then the Time and Date tab The screen appears as shown Use this screen to configure the ZyWALL s time based on your local time zone Figure 205 Time and Date ntp cs strath ac uk ntp1 sp se time1 stupi se tick stdtime gov tw tock stdtime gov tw time stdtime gov tw Table 146 Default Time Servers ...

Page 401: ...y Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server uses Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main difference between them is the...

Page 402: ... Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The ...

Page 403: ...ful the following screen appears Click Return to go back to the Time and Date screen Figure 208 Synchronization Fail 25 6 Introduction to Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port All fu...

Page 404: ...s flooded to all ports except the inbound port Broadcasts and multicasts also are flooded in this way If the associated port is the same as the incoming port then the frame is dropped filtered 25 7 Transparent Firewalls A transparent firewall also known as a transparent in line shadow stealth or bridging firewall has the following advantages over router firewalls 1 The use of a bridging firewall r...

Page 405: ... click MAINTENANCE then the Device Mode tab When the ZyWALL is in router mode the screen appears as shown next Figure 209 Device Mode Router Mode The following table describes the labels in this screen Table 149 Device Mode Router Mode LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge Device Mode Setup Router When the ZyWALL i...

Page 406: ...nfigured in the IP Address field to access the ZyWALL again Reset Click Reset to begin configuring this screen afresh Table 150 Device Mode Bridge Mode LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge Device Mode Setup Router Select this radio button and click Apply to set the ZyWALL to router mode LAN Interface IP Address En...

Page 407: ...acting as a DHCP server When configured as a server the ZyWALL provides TCP IP configuration for the clients If not DHCP service is disabled and you must have another DHCP server on your LAN or else the computers must be manually configured When set as a server fill in the rest of the DHCP setup fields IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP ad...

Page 408: ...ocess The ZyWALL automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Table 151 Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decom...

Page 409: ... not successful the following screen will appear Click Return to go back to the F W Upload screen Figure 214 Firmware Upload Error 25 10 Configuration Screen See Section 40 5 on page 530 for transferring configuration files using FTP TFTP commands Click MAINTENANCE and then the Configuration tab Information related to factory defaults backup configuration and restoring configuration appears as sho...

Page 410: ... in case you need to return to your previous settings Click Backup to save the ZyWALL s current configuration to your computer 25 10 2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyWALL Table 152 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this f...

Page 411: ...ime causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 217 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address 192 168 1 1 See your Quick Start Guide for details on how to set up your...

Page 412: ...e screen The following warning screen will appear Figure 219 Reset Warning Message You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL Refer to Section 2 3 on page 58 for more information on the RESET button 25 11 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off Click MAINTENANCE and then Restart Click Restar...

Page 413: ...ZyWALL 35 User s Guide Chapter 25 Maintenance 411 Figure 220 Restart Screen ...

Page 414: ...ZyWALL 35 User s Guide 412 Chapter 25 Maintenance ...

Page 415: ... Terminal menus via console port how to navigate the SMT and how to configure SMT menus 26 2 Accessing the SMT via the Console Port Make sure you have the physical connection properly set up as described in the Quick Start Guide When configuring using the console port you need a computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud...

Page 416: ... SMT is an interface that you use to configure your ZyWALL Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below Copyright c 1994 2005 ZyXEL Communications Corp initialize ch 0 ethernet address 00 A0 C5 01 23 45 initialize ch 1 ethernet address 00 A0 C5 01 23 46 initialize ch 2 ethernet address 00 A0 C5 01 23 47 initialize ...

Page 417: ...BAR then press ENTER to select from choices You need to fill in two types of fields The first requires you to type in the appropriate information The second allows you to cycle through the available choices by pressing SPACE BAR Required fields All fields with the symbol must be filled in order be able to save the new configuration N A fields N A Some of the fields in the SMT will show a N A This ...

Page 418: ...1 Remote Node Setup 12 Static Routing Setup 15 NAT Setup 99 Exit Enter Menu Selection Number Copyright c 1994 2004 ZyXEL Communications Corp ZyWALL 35 Main Menu Getting Started Advanced Management 1 General Setup 21 Filter and Firewall Setup 22 SNMP Configuration 23 System Password 24 System Maintenance 99 Exit Enter Menu Selection Number Table 154 Main Menu Summary NO MENU TITLE FUNCTION 1 Genera...

Page 419: ...g 22 SNMP Configuration Use this menu to configure SNMP related parameters 23 System Password Change your password in this menu recommended 24 System Maintenance From displaying system status to uploading firmware this menu provides comprehensive system maintenance 25 IP Routing Policy Setup From displaying system status to uploading firmware this menu provides comprehensive system maintenance 26 ...

Page 420: ...ons 11 3 3 Remote Node Script 11 3 4 Remote Node Filter 12 Static Routing Setup 12 1 Edit Static Route Setup 15 NAT Setup 15 1 Address Mapping Sets 15 1 x Address Mapping Rules 15 1 x x Address Mapping Rule 15 2 NAT Server Sets 15 2 x NAT Server Setup 15 2 x x NAT Server Configuration 15 3 Trigger Ports 15 3 x Trigger Port Setup 21 Filter and Firewall Setup 21 1 Filter Set Configuration 21 1 x Fil...

Page 421: ...nd Trace 24 3 1 View Error Log 24 3 2 Syslog Logging 24 3 4 Call Triggering Packet 24 4 Diagnostic 24 5 Backup Configuration 24 6 Restore Configuration 24 7 Upload Firmware 24 7 1 Upload System Firmware 24 7 2 Upload System Configuration File 24 8 Command Interpreter Mode 24 9 Call Control 24 9 1 Budget Management 24 9 2 Call History 24 10 Time and Date Setting 24 11 Remote Management Setup 25 IP ...

Page 422: ...d and press ENTER 4 Re type your new system password for confirmation and press ENTER Note that as you type a password the screen displays an x for each character you type 26 5 Resetting the ZyWALL See Section 2 3 on page 58 for directions on resetting the ZyWALL Menu 23 System Password Old Password New Password Retype to confirm Enter here to CONFIRM or ESC to CANCEL ...

Page 423: ...e Router Mode Edit Dynamic DNS No Press ENTER to Confirm or ESC to Cancel Table 156 Menu 1 General Setup Router Mode FIELD DESCRIPTION System Name Choose a descriptive name for identification purposes It is recommended you enter your computer s Computer name in this field This name can be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores _ are accepted Domain ...

Page 424: ...ddress 172 21 5 22 Network Mask 255 255 0 0 Gateway 172 21 0 254 First System DNS Server IP Address 0 0 0 0 Second System DNS Server IP Address 0 0 0 0 Third System DNS Server IP Address 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 157 Menu 1 General Setup Bridge Mode FIELD DESCRIPTION Device Mode Press SPACE BAR and then ENTER to select Bridge Mode IP Address Enter the IP address of your...

Page 425: ...nu 1 or the MAINTENANCE Device Mode screen 2 Enter 1 in the main menu to open Menu 1 General Setup 3 Press SPACE BAR to select Yes in the Edit Dynamic DNS field Press ENTER to display Menu 1 1 Configure Dynamic DNS Menu 1 1 Configure Dynamic DNS Service Provider WWW DynDNS ORG Active No Username Password Edit Host No Press ENTER to Confirm or ESC to Cancel Table 158 Menu 1 1 Configure Dynamic DNS ...

Page 426: ...5 _______________________________________________________ _______________________________________________________ Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel Table 159 Menu 1 1 1 DDNS Host Summary FIELD DESCRIPTION This is the DDNS host index number Summary This displays the details about the DDNS host Select Command Press SPACE BAR to choose from None Edit Delete N...

Page 427: ... Off Line Option This field is only available when CustomDNS is selected in the DDNS Type field Press SPACE BAR and then ENTER to select Yes When Yes is selected http www dyndns org traffic is redirected to a URL that you have previously specified see www dyndns org for details Bind WAN Enter the WAN port to use for updating the IP address of the domain name HA Press SPACE BAR and then ENTER to se...

Page 428: ...he ZyWALL and the DDNS server Press SPACE BAR to select Yes and then press ENTER to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server Use Specified IP Address Press SPACE BAR to select Yes and then...

Page 429: ... to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection 28 2 WAN Setup From the main menu enter 2 to open menu 2 Figure 231 MAC Address Cloning in WAN Setup Menu 2 WAN Setup WAN 1 MAC Address Assigned By Factory default IP Address N A WAN 2 MAC Address Assigned By Factory default IP Address N A Dial Backup Active No Port Speed 115200 AT Command String ...

Page 430: ...formation on an alternate backup WAN connection 28 4 Configuring Dial Backup in Menu 2 From the main menu enter 2 to open menu 2 Table 161 MAC Address Cloning in WAN Setup FIELD DESCRIPTION WAN 1 2 MAC Address Assigned By Press SPACE BAR and then ENTER to choose one of two methods to assign a MAC Address Choose Factory Default to select the factory assigned default MAC Address Choose IP address at...

Page 431: ...TION Dial Backup Active Use this field to turn the dial backup feature on Yes or off No Port Speed Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps AT Command String Init Enter the AT command string to initialize the WAN device Consult the manual of your W...

Page 432: ... Commands Fields FIELD DESCRIPTION AT Command Strings Dial Enter the AT Command string to make a call Drop Enter the AT Command string to drop a call represents a one second wait e g ath can be used if your modem has a slow response time Answer Enter the AT Command string to answer a call Drop DTR When Hang Up Press the SPACE BAR to choose either Yes or No When Yes is selected the default the DTR ...

Page 433: ...ber before blacklisting the number Retry Interval sec Enter a number of seconds for the ZyWALL to wait before trying another call after a call has failed This applies before a phone number is blacklisted Drop Timeout sec Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation Call Back Delay sec Enter a number of sec...

Page 434: ...he PPP options for this remote node This brings you to Menu 11 3 1 Remote Node PPP Options see Section 28 7 on page 433 Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 3 2 Remote Node Network Layer Options See Section 28 8 on page 433 for more information Edit Script Options Press SPACE BAR to select Yes and press ENTER to edit the AT script...

Page 435: ...ffic from the ZyWALL to the remote node that can elapse before the ZyWALL automatically disconnects the PPP connection This option only applies when the ZyWALL initiates the call Once you have configured this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Table 165 Menu 11 3 Remote Node Profile Backup ISP continued FIELD DESCRIP...

Page 436: ... WAN Addr Leave the field set to 0 0 0 0 to have the ISP or other remote router dynamically automatically assign your WAN IP address if you do not know it Enter your WAN IP address here if you know it static This is the address assigned to your local ZyWALL not the remote router Network Address Translation Network Address Translation NAT allows the translation of an Internet protocol address used ...

Page 437: ...l use the pre configured Set 1 in menu 15 1 for the first WAN port Set 2 in menu 15 1 for the second WAN port and Set 3 for the Backup port Refer to Section 35 2 on page 473 in Chapter 35 on page 471 for more information Metric Enter a number from 1 to 15 to set this route s priority among the ZyWALL s routes The smaller the number the higher priority the route has Private This parameter determine...

Page 438: ...cessing and start PPP negotiation This implies two things first the sets must be contiguous the sets after an empty one are ignored Second the last set should match the final message sent by the server For instance if the server prints login successful Starting PPP after you enter the password then you should create a third set to match the final PPP but without a Send string Otherwise the ZyWALL ...

Page 439: ...filter field Note that spaces are accepted in this field Please refer to Chapter 37 on page 493 for more information on defining the filters Figure 238 Menu 11 3 4 Remote Node Filter Table 168 Menu 11 3 3 Remote Node Script FIELD DESCRIPTION Active Press SPACE BAR and then ENTER to select either Yes to enable the AT strings or No to disable them Set 1 6 Expect Enter an Expect string to match After...

Page 440: ...ZyWALL 35 User s Guide 438 Chapter 28 WAN and Dial Backup Setup ...

Page 441: ... the LAN Menus From the main menu enter 3 to open Menu 3 LAN Setup Figure 239 Menu 3 LAN Setup 29 3 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter Set...

Page 442: ... IP and DHCP Setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP and D...

Page 443: ...If set to Server your ZyWALL will act as a DHCP server If set to None the DHCP server will be disabled If set to Relay the ZyWALL acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients When set to Server the following items need to be set Client IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address...

Page 444: ...h In Only Out Only or None Version Press SPACE BAR and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M Multicast IGMP Internet Group Multicast Protocol is a session layer protocol used to establish membership in a Multicast group The ZyWALL supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 Press SPACE BAR and then ENTER to enable IP Multicasting or select None defa...

Page 445: ...LAN network for the ZyWALL IP Address Enter the IP address of your ZyWALL in dotted decimal notation IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL RIP Direction Press SPACE BAR and then ENTER to select the RIP direction Options are Both In Only Out Onl...

Page 446: ...XEL Hide ESSID No Channel ID CH06 2437MHz RTS Threshold 2432 Frag Threshold 2432 WEP 64 bit WEP Default Key 1 Key1 Key2 Key3 Key4 Edit MAC Address Filter No Press ENTER to Confirm or ESC to Cancel Table 172 Menu 3 5 Wireless LAN Setup FIELD DESCRIPTION Enable Wireless LAN Press SPACE BAR to select Yes to turn on the wireless LAN The wireless LAN is off by default Configure wireless LAN security fe...

Page 447: ...Frag Threshold The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Enter a value between 256 and 2432 WEP Select Disable to allow wireless stations to communicate with the access points without any data encryption Select 64 bit WEP or 128 bit WEP to enable data encryption Default Key Enter the key number 1 to 4 in...

Page 448: ...5 1 WLAN MAC Address Filter FIELD DESCRIPTION Active To enable MAC address filtering press SPACE BAR to select Yes and press ENTER Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table To deny access to the ZyWALL press SPACE BAR to select Deny Association and press ENTER MAC addresses not listed will be allowed to access the router The default action...

Page 449: ... Ethernet PPTP or PPPoE Encapsulation Contact your ISP to determine what encapsulation type you should use 30 2 Ethernet Encapsulation If you choose Ethernet in menu 4 you will see the next menu Figure 246 Menu 4 Internet Access Setup Ethernet Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N...

Page 450: ...ALL out if the ZyWALL does not log in periodically Type the number of minutes from 1 to 59 30 recommended for the ZyWALL to wait between logins IP Address Assignment If your ISP did not assign you a fixed IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Static and enter the IP address and subnet mask in the following fields IP Address Enter the fixed IP address assigned...

Page 451: ...you choose PPTP in the Encapsulation field in menu 4 30 4 Configuring the PPPoE Client If you enable PPPoE in menu 4 you will see the next screen For more information on PPPoE please see Appendix D on page 601 Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation PPTP Service Type N A My Login My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subn...

Page 452: ...the Internet You may deactivate the firewall in menu 21 2 or via the ZyWALL embedded web configurator You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so See the chapters on firewall for more information on the firewall Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation PPPoE Service Type N A My Login My Password Retype to ...

Page 453: ...to specify the filter sets that you wish to apply to your public server s traffic Figure 250 Menu 5 1 DMZ Port Filter Setup 31 3 TCP IP Setup For more detailed information about RIP setup IP Multicast and IP alias please refer to Chapter 4 on page 89 Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP Setup Enter Menu Selection Number Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters...

Page 454: ... how to configure these fields Note DMZ and LAN IP addresses must be on separate subnets You must also configure NAT for the DMZ port see Chapter 35 on page 471 in menus 15 1 and 15 2 31 3 2 IP Alias Setup You must use menu 5 2 to configure the first network Move the cursor to the Edit IP Alias field press SPACE BAR to choose Yes and press ENTER to configure the second and third network Pressing E...

Page 455: ...ias parameters Menu 5 2 1 IP Alias Setup IP Alias 1 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A IP Alias 2 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to CANCEL ...

Page 456: ...ZyWALL 35 User s Guide 454 Chapter 31 DMZ Setup ...

Page 457: ...figure traffic redirect properties Figure 255 Menu 6 1 Route Assessment Menu 6 Route Setup 1 Route Assessment 2 Traffic Redirect 3 Route Failover Enter Menu Selection Number Menu 6 1 Route Assessment Probing WAN 1 Check Point Yes Use Default Gateway as Check Point Yes Check Point N A Probing WAN 2 Check Point Yes Use Default Gateway as Check Point Yes Check Point N A Probing Traffic Redirection Ch...

Page 458: ... Point Press SPACE BAR and then press ENTER to choose Yes to test your ZyWALL s traffic redirect connection If you do not select No in the Use Default Gateway as Check Point field and enter a domain name or IP address of a reliable nearby computer for example your ISP s DNS server address in the Check Point field the ZyWALL will use the default gateway IP address When you have completed this menu ...

Page 459: ...Press ENTER to Confirm or ESC to Cancel Table 179 Menu 6 3 Route Failover FIELD DESCRIPTION Period Type the number of seconds for the ZyWALL to wait between checks to see if it can connect to the WAN IP address in the Check Point field of menu 6 1 or the default gateway Allow more time if your destination IP address handles lots of traffic Timeout Type the number of seconds for your ZyWALL to wait...

Page 460: ...ZyWALL 35 User s Guide 458 Chapter 32 Route Setup ...

Page 461: ... 2 Remote Node Profile Menu 11 x 2 Remote Node Network Layer Options and Menu 11 x 4 Remote Node Filter 33 2 Remote Node Setup From the main menu select menu option 11 to open Menu 11 Remote Node Setup shown below Then enter 1 or 2 to open Menu 11 x Remote Node Profile and configure the setup for your first or second WAN port Enter 3 to open Menu 11 3 Remote Node Profile Backup ISP and configure t...

Page 462: ...for Ethernet Encapsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters Active Press SPACE BAR and then ENTER to select Yes activate remote node or No deactivate remote node Encapsulation Ethernet is the default encapsulation Press SPACE BAR and then ENTER to change to PPPoE or PPTP encapsulation Service Type Press SPACE BAR ...

Page 463: ... Service Type field The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically Type the number of minutes from 1 to 59 30 recommended for the ZyWALL to wait between logins Route This field refers to the protocol that will be routed by your ZyWALL IP is the only option for the ZyWALL Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go t...

Page 464: ... of traffic demand The ZyWALL does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the ZyWALL will try to bring up the connection when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers flat rate serv...

Page 465: ...field sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control Period hr This field is the time period that the budget should be reset For example if we are allowed to call this remote node for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour Schedules You can apply up to four schedule...

Page 466: ... 100 Server IP Addr 10 0 0 138 Connection ID Name Press ENTER to Confirm or ESC to Cancel Table 182 Menu 11 1 Remote Node Profile for PPTP Encapsulation FIELD DESCRIPTION Encapsulation Press SPACE BAR and then ENTER to select PPTP You must also go to menu 11 3 to check the IP Address setting once you have selected the encapsulation method My IP Addr Enter the IP address of the WAN Ethernet port My...

Page 467: ...encapsulation only Enter the gateway IP address assigned to you if you are using a static IP address My WAN Addr This field is applicable to PPPoE and PPTP encapsulations only Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number If this is the case enter the ...

Page 468: ...from 1 to 15 to set this route s priority among the ZyWALL s routes see Section 7 5 on page 132 in Chapter 7 on page 127 The smaller the number the higher priority the route has Private This field is valid only for PPTP PPPoE encapsulation This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and not includ...

Page 469: ... Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL ...

Page 470: ...ZyWALL 35 User s Guide 468 Chapter 33 Remote Node Setup ...

Page 471: ...amic WAN IP address indicating the static route is inactive Figure 265 Menu 12 IP Static Route Setup Now enter the index number of the static route that you want to configure Menu 12 IP Static Route Setup 1 Reserved 16 ________ 31 ________ 46 ________ 2 Reserved 17 ________ 32 ________ 47 ________ 3 ________ 18 ________ 33 ________ 48 ________ 4 ________ 19 ________ 34 ________ 49 ________ 5 _____...

Page 472: ... subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask for this destination Gateway IP Address Enter the IP address of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyWALL over the WAN the gateway must b...

Page 473: ... types of mapping Many to One and Server See Section 35 2 1 on page 474 for a detailed description of the NAT set for SUA The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Note Choose SUA Only if you have just one public WAN IP address for your ZyWALL Choose Full Feature if you have multiple ...

Page 474: ...ying NAT to the Remote Node Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin Every min N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Menu 11 1 2 Remote Node ...

Page 475: ...nu to bring up the following screen Figure 269 Menu 15 NAT Setup Note Configure DMZ and LAN IP addresses in NAT menus 15 1 and 15 2 DMZ IP addresses must be on subnets separate from LAN IP addresses Table 185 Applying NAT in Menus 4 11 1 2 FIELD DESCRIPTION OPTIONS Network Address Translation When you select this option the SMT will use Address Mapping Set 1 menu 15 1 see Section 35 2 1 on page 47...

Page 476: ...1 on page 471 The fields in this menu cannot be changed Figure 271 Menu 15 1 255 SUA Address Mapping Rules The following table explains the fields in this menu Menu 15 1 Address Mapping Sets 1 NAT_SET 2 NAT_SET 255 SUA read only Enter Menu Selection Number Menu 15 1 255 Address Mapping Rules Set Name SUA Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 0 0 0 0 255 255 255 255 0...

Page 477: ...e name of the set you selected in menu 15 1 or enter the name of a new set you want to create Idx This is the index or rule number Local Start IP Local Start IP is the starting local IP address ILA Local End IP Local End IP is the ending local IP address ILA If the rule is for all local IPs then the start IP is 0 0 0 0 and the end IP is 255 255 255 255 Global Start IP This is the starting global I...

Page 478: ... configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so as old rule 5 becomes rule 4 old rule 6 becomes rule 5 and old rule 7 becomes rule 6 Note You must press ENTER at the bottom of the screen to save the whole set You must do this again if you make any changes to the set including deleting a rule N...

Page 479: ...ect Rule When you choose Edit Insert Before or Delete in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start End N A Global IP Start End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Table 188 Menu 15 1 1 1 Editing Configuring an Individual Rule in a ...

Page 480: ... for the WAN 1 port Global IP Start Enter the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start can be set to 0 0 0 0 only if the types are Many to One or Server End Enter the ending global IP address IGA This field is N A for One to One Many to One and Server types Server Mapping Set This field is available only when you select ...

Page 481: ...5 2 1 2 NAT Server Configuration Menu 15 2 1 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 No 0 0 0 0 0 0 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 0 0 0 0 0 007 No 0 0 0 0 0 0 008 No 0 0 0 0 0 0 009 No 0 0 0 0 0 0 010 No 0 0 0 0 0 0 Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel 15 2 1 2 ...

Page 482: ...tion to Ethernet and the Service Type to something other than Standard Table 189 Menu 15 2 1 2 NAT Server Configuration FIELD DESCRIPTION WAN The ZyWALL has two WAN ports You can configure port forwarding and trigger port rules for the first WAN port and separate sets of rules for the second WAN port This is the WAN port server set you select in menu 15 2 Index This is the index number of an indiv...

Page 483: ...4 1 Internet Access Only In the following Internet access example you only need one rule where all your ILAs Inside Local addresses map to one dynamic IGA Inside Global Address assigned by your ISP Menu 15 2 1 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 Yes 21 25 192 168 1 33 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No ...

Page 484: ...n page 481 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin Every min N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N...

Page 485: ...ver All departments share the same router The example will reserve one IGA for each department with an FTP server and all departments use the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules need to be configured two bi directional and two uni directional as follows Menu 15 2 1 NA...

Page 486: ...t like this Figure 283 NAT Example 3 1 In this case you need to configure Address Mapping Set 1 from Menu 15 1 Address Mapping Sets Therefore you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 284 2 Then enter 15 from the main menu 3 Enter 1 to configure the Address Mapping Sets 4 Enter 1 to begin configuring this new set Enter a Set...

Page 487: ...ork Layer Options IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Addr N A Network Address Translation SUA Only Metric 2 Private RIP Direction None Version N A Multicast None Enter here to CONFIRM or ESC to CANCEL Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Server Mapping Set N A Press ENTER t...

Page 488: ... to go to Menu 15 2 NAT Server Sets 3 Now enter 1 from this menu and configure it as shown in Figure 287 Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to...

Page 489: ... such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications won t work through NAT even when using One to One and Many One to One mapping types Follow the steps outlined in example 3 above to configure these two menus as follows Menu 15 2 1 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 Yes 80...

Page 490: ...ddress Mapping Rules Menu 15 1 1 1 Address Mapping Rule Type Many One to One Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Press ENTER to Confirm or ESC to Cancel Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10 132 50 3 M 1 1 2 3 4 5 6 7 8 9 1...

Page 491: ...t a service with a specific port number and protocol a trigger port When the ZyWALL s WAN port receives a response with a specific port number and protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the LAN can use the service in the same manner This way you d...

Page 492: ...ters are permitted including spaces Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Enter a port number or the starting port number in a range of port numbers End Port Enter a port number or the...

Page 493: ...tion to display the screen shown next Figure 292 Menu 21 Filter and Firewall Setup 36 1 1 Activating the Firewall Enter option 2 in this menu to bring up the following screen Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Use the web configurator to configure firewall rules Menu ...

Page 494: ...tects against Denial of Service DoS attacks when it is active Your network is vulnerable to attacks when the firewall is turned off Refer to the User s Guide for details about the firewall default policies You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes You can use the Web Configurator to configure the firewall Press ENTER t...

Page 495: ...lowed to pass Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the LAN side Call filtering is used to determine if a packet should be allowed to trigger a call Remote node call filtering is only applicable when using PPPoE encapsulation Outgoing packets must undergo data f...

Page 496: ...ilter rules and protocol filter rules within the same set You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming tel...

Page 497: ...onfiguration 495 Figure 295 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port ...

Page 498: ... 5 Press ENTER at the message Press ENTER to confirm to open Menu 21 1 1 Filter Rules Summary This screen shows the summary of the existing rules in the filter set The following tables contain a brief description of the abbreviations used in the previous menus Menu 21 Filter and Firewall Setup 1 Filter Setup 2 Firewall Setup Enter Menu Selection Number Menu 21 1 Filter Set Configuration Filter Fil...

Page 499: ...are more rules to check which form a rule chain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken i e forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the packet immediately an...

Page 500: ...Filter Rule as shown next Figure 298 Menu 21 1 1 1 TCP IP Filter Rule The following table describes how to configure your TCP IP filter rule Menu 21 1 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 0 IP Source Route No Destination IP Addr IP Mask Port Port Comp None Source IP Addr IP Mask Port Port Comp None TCP Estab N A More No Log None Action Matched Che...

Page 501: ...stab This field is applicable only when the IP Protocol field is 6 TCP Press SPACE BAR and then ENTER to select Yes to have the rule match packets that want to establish a TCP connection SYN 1 and ACK 0 if No it is ignored More Press SPACE BAR and then ENTER to select Yes or No If Yes a matching packet is passed to the next filter rule before an action is taken if No the packet is disposed of acco...

Page 502: ...r s Guide 500 Chapter 37 Filter Configuration Figure 299 Executing an IP Filter 37 2 3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule The purpose of generic rules is ...

Page 503: ...ric Filter Rule Filter 1 1 Filter Type Generic Filter Rule Active No Offset 0 Length 0 Mask N A Value N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Table 194 Generic Filter Rule Menu Fields FIELD DESCRIPTION Filter This is the filter set filter rule co ordinates i e 2 3 refers to the second filter set and the third ru...

Page 504: ...g packet is passed to the next filter rule before an action is taken else the packet is disposed of according to the action fields If More is Yes then Action Matched and Action Not Matched will be No Log Select the logging option from the following None No packets will be logged Action Matched Only packets that match the rule parameters will be logged Action Not Matched Only packets that do not ma...

Page 505: ...d A Y a TCP IP filter rule Type IP Pr 6 for destination telnet ports DP 23 Menu 21 1 3 1 TCP IP Filter Rule Filter 3 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 23 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward ...

Page 506: ...neric filter rules act on the raw data from to LAN and WAN Protocol filter rules act on the IP packets Generic and TCP IP filter rules are discussed in more detail in the next section When NAT Network Address Translation is enabled the inside IP address and port number are replaced on a connection by connection basis which makes it impossible to know the exact address and port on the wire Therefor...

Page 507: ...nd output filter sets filter outgoing traffic from the ZyWALL For PPPoE or PPTP encapsulation you have the additional option of specifying remote node call filter sets Figure 305 Filtering LAN Traffic 37 6 2 Applying DMZ Filters DMZ traffic filter sets may be useful to block certain packets reduce traffic and prevent security breaches Go to menu 5 1 shown next and enter the number s of the filter ...

Page 508: ...bers separated by commas The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and block incoming telnet FTP and HTTP connections Figure 307 Filtering Remote Node Traffic Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 11 1 4 Remote Node Filter ...

Page 509: ...sted Host 0 0 0 0 Trap Community public Destination 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 195 SNMP Configuration Menu Fields FIELD DESCRIPTION Get Community Type the Get community which is the password for the incoming Get and GetNext requests from the management station Set Community Type the Set community which is the password for incoming Set requests from the management station...

Page 510: ...RIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooti...

Page 511: ...on the version of your system firmware and the status and statistics of the ports as shown in the next figure System Status is a tool that can be used to monitor your ZyWALL Specifically it gives you information on your system firmware version number of packets sent and number of packets received To get to the System Status 1 Enter number 24 to go to Menu 24 System Maintenance 2 In this menu enter...

Page 512: ...ent LAN 00 A0 C5 01 23 45 192 168 1 1 255 255 255 0 Server WLAN 00 00 00 00 00 00 DMZ 00 A0 C5 01 23 47 0 0 0 0 0 0 0 0 None System up Time 2 35 47 Press Command COMMANDS 1 2 Drop WAN1 2 9 Reset Counters ESC Exit Table 197 System Maintenance Status Menu Fields FIELD DESCRIPTION Port This field identifies a port WAN1 WAN2 LAN WLAN or DMZ on the ZyWALL Status This field shows the port speed and dupl...

Page 513: ...u 24 2 System Information and Console Port Speed 39 3 1 System Information System Information gives you information about your system as shown below More specifically it gives you information on your routing protocol Ethernet address IP address etc DHCP This is the DHCP setting of the port listed on the left System up Time This is the total time the ZyWALL has been on You may enter 1 to drop the W...

Page 514: ...70 F7 EB IP Address 192 168 1 1 IP Mask 255 255 255 0 DHCP Server Press ESC or RETURN to Exit Table 198 Fields in System Maintenance Information FIELD DESCRIPTION Name This is the ZyWALL s system name domain name assigned in menu 1 For example System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing Refers to the routing protocol used ZyNOS F W Version Refers to the version o...

Page 515: ...main menu to open Menu 24 System Maintenance 2 From menu 24 select option 3 to open Menu 24 3 System Maintenance Log and Trace 3 Select the first option from Menu 24 3 System Maintenance Log and Trace to display the error log in the system After the ZyWALL finishes displaying you will have the option to clear the error log Figure 314 Menu 24 3 System Maintenance Log and Trace Examples of typical e...

Page 516: ...56 2004 PINI INFO Last errorlog repeat 1 Times 59 Thu Jul 1 05 54 56 2004 PINI INFO main init completed 60 Thu Jul 1 05 55 26 2004 PSSV WARN SNMP TRAP 0 cold start 61 Thu Jul 1 05 56 56 2004 PINI INFO SMT Session Begin 62 Thu Jul 1 07 50 58 2004 PINI INFO SMT Session End 63 Thu Jul 1 07 53 28 2004 PINI INFO SMT Session Begin Clear Error Log y n Menu 24 3 2 System Maintenance Syslog Logging Syslog ...

Page 517: ...102 2 ZyXEL board 0 line 0 channel 0 call 1 C01 Outgoing Call dev 2 ch 0 40002 Jul 19 11 19 32 192 168 102 2 ZyXEL board 0 line 0 channel 0 call 1 C02 OutCall Connected 64000 40002 Jul 19 11 20 06 192 168 102 2 ZyXEL board 0 line 0 channel 0 call 1 C02 Call Terminated Packet triggered Message Format SdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String Packet trigger Protocol xx Data xxxxxxxxx...

Page 518: ...at SdcmdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String String ppp Proto Starting ppp Proto Opening ppp Proto Closing ppp Proto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Jul 19 11 42 44 192 168 102 2 ZyXEL ppp LCP Closing Jul 19 11 42 49 192 168 102 2 ZyXEL ppp IPCP Closing Jul 19 11 42 54 192 168 102 2 ZyXEL ppp CCP Closing Firewall Log Message Format SdcmdSyslogSend SYSLOG_FIRE...

Page 519: ...w to get to Menu 24 4 System Maintenance Diagnostic IP Frame ENET0 RECV Size 44 44 Time 17 02 44 262 Frame Type IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header...

Page 520: ...ss Assignment field in menu 4 or menu 11 x 2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet or None when you have a static IP The WAN Release and Renewal fields in menu 24 4 conveniently allow you to release and or renew the assigned WAN IP address subnet mask and default gateway in a fashion similar to winipcfg Figure 319 WAN LAN DHCP The following table describes the dia...

Page 521: ... the Internet setup You can also test the Internet setup in Menu 4 Internet Access Please refer to Chapter 30 on page 447 for more details This feature is only available for dial up connections using PPPoE or PPTP encapsulation Reboot System Enter 11 to reboot the ZyWALL WAN If you entered 2 or 3 in the Enter Menu Selection Number field enter the number of the WAN port in this field Host IP Addres...

Page 522: ...ZyWALL 35 User s Guide 520 Chapter 39 System Information Diagnosis ...

Page 523: ...site to use to upgrade your ZyWALL s performance 40 2 Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in the menus such as password DHCP Setup TCP IP Setup etc It arrives from ZyXEL with a rom filename extension Once you have customized the ZyWALL s settings they can be saved back to your computer under a filename of your choosing...

Page 524: ...t ZyWALL configuration to your computer Backup is highly recommended once your ZyWALL is functioning properly FTP is the preferred method for backing up your current configuration to your computer since it is faster You can also perform backup and restore using menu 24 through the console port Any serial communications program should work fine however you must use Xmodem protocol to perform the do...

Page 525: ...he ZyWALL to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt Menu 24 5 Backup Configuration To transfer the configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as ...

Page 526: ...tp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Table 202 General Commands for GUI based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to...

Page 527: ...ys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute SMT timeout default when the file transfer is complete 4 Launch the TFTP client on your computer and connect to the ZyWALL Set the transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below to transfer files between the ZyWAL...

Page 528: ...tem Maintenance Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer then Receive File as shown in the following screen Table 203 General Commands for GUI based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL 192 168 1 1 is the ZyWALL s default IP address when shipped Send Fetch Use Send to upload the file to the ZyWALL and Fetch to back up ...

Page 529: ...ation before restoring a previous back up configuration please do not attempt to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster Please note that you must wait for the system to automatically restart after the file transfer is complete Note WARNING Do not interrupt th...

Page 530: ...uit to exit the ftp prompt The ZyWALL will automatically restart after a successful restore process Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Type put backupfi...

Page 531: ...lar 1 Display menu 24 6 and enter y at the following screen Figure 328 System Maintenance Restore Configuration 2 The following screen indicates that the Xmodem download has started Figure 329 System Maintenance Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer then Send File as shown in the following screen ftp put config rom rom 0 200 Port command okay 150 Open...

Page 532: ... you how to upload firmware and configuration files You can upload configuration files by following the procedure in Section 40 4 on page 527 or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port Note WARNING Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL 40 5 1 Firmware File Upload FTP is the pre...

Page 533: ...er a successful firmware upload For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follo...

Page 534: ...mware File Upload Figure 334 FTP Session Example of Firmware File Upload More commands found in GUI based FTP clients are listed earlier in this chapter Refer to Section 40 3 5 on page 524 to read about configurations that disallow TFTP and FTP over WAN 40 5 5 TFTP File Upload The ZyWALL also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP ...

Page 535: ...TFTP Upload Command Example The following is an example TFTP command tftp i host put firmware bin ras Where i specifies binary image transfer mode use this mode when transferring binary files host is the ZyWALL s IP address put transfers the file source on the computer firmware bin name of the firmware on the computer to the file destination on the remote host ras name of the firmware on the ZyWAL...

Page 536: ...re upload process has completed the ZyWALL will automatically restart 40 5 10 Uploading Configuration File Via Console Port 1 Select 2 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 2 System Maintenance Upload System Configuration File Follow the instructions as shown in the next screen Menu 24 7 1 System Maintenance Upload System Firmware To upload system firmware 1 Enter ...

Page 537: ...process has completed restart the ZyWALL by entering atgo Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restar...

Page 538: ...ZyWALL 35 User s Guide 536 Chapter 40 Firmware and Configuration File Maintenance ...

Page 539: ...nly available with a serial connection See the included disk or zyxel com for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance Note Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable Figure 339 Command Mode in Menu 24 41 1 1 Command Syntax The command keywords are in courier new font Enter the command keywords exactl...

Page 540: ...ge bm certificates 8021x radius ras Table 204 Valid Commands COMMAND DESCRIPTION sys The system commands display device information and configure device settings exit This command returns you to the SMT main menu ether These commands display Ethernet information and configure Ethernet settings aux These commands display dial backup information and control dial backup connections ip These commands ...

Page 541: ...tal outgoing call time exceeds the limit the current call will be dropped and any future outgoing calls will be blocked Call history chronicles preceding incoming and outgoing calls To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 341 Call Control 41 2 1 Budget Management Menu 24 9 1 shows the budget man...

Page 542: ...ing and outgoing calls Enter 2 from Menu 24 9 System Maintenance Call Control to bring up the following menu Menu 24 9 1 Budget Management Remote Node Connection Time Total Budget Elapsed Time Total Period 1 WAN_1 No Budget No Budget 2 WAN_2 No Budget No Budget 3 Dial No Budget No Budget Reset Node 0 to update screen Table 205 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index...

Page 543: ...enu 24 in the main menu to open Menu 24 System Maintenance as shown next Menu 24 9 2 Call History Phone Number Dir Rate call Max Min Total 1 2 3 4 5 6 7 8 9 10 Enter Entry to Delete 0 to exit Table 206 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here Dir This shows whether the call was incoming or outgoing Rate This is the transfer rate of the call call This is th...

Page 544: ...tem Information and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Upload Firmware 8 Command Interpreter Mode 9 Call Control 10 Time and Date Setting 11 Remote Management Setup Enter Menu Selection Number Menu 24 10 System Maintenance Time and Date Setting Time Protocol NTP RFC 1305 Time Server Address a ntp alphazed net Current Time 08 24 26 New T...

Page 545: ... this menu New Date Enter the new date in year month and day format This field is available when you select Manual in the Time Protocol field Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean Time GMT Daylight Saving Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local ...

Page 546: ... United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select Oct Last Sun and type 02 in the hr field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Oct Last Sun The t...

Page 547: ...ich ZyWALL interface if any from which computers You may manage your ZyWALL from a remote location via Note When you Choose WAN only or ALL LAN WAN DMZ you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to bring up Menu 24 11 Remote Management Control Internet WAN only A...

Page 548: ...eld shows the port number for the service or protocol You may change the port number if needed but you must use the same port number to access the ZyWALL Access Select the access interface if any by pressing SPACE BAR then ENTER to choose from LAN only WAN only DMZ only ALL or Disable Secure Client IP The default 0 0 0 0 allows any client to use this service to remotely manage the ZyWALL Enter an ...

Page 549: ...e disabled that service in menu 24 11 3 The IP address in the Secured Client IP field menu 24 11 does not match the client IP address If it does not match the ZyWALL will disconnect the session immediately 4 There is an SMT console session running 5 There is already another remote management session with an equal or higher priority running You may only have one remote management session running at...

Page 550: ...ZyWALL 35 User s Guide 548 Chapter 42 Remote Management ...

Page 551: ...T NM PR 0 GW 192 168 1 1 T MT PR 0 002 N ____________________________________________________________________ ____________________________________________________________________ 003 N ____________________________________________________________________ ____________________________________________________________________ 004 N ____________________________________________________________________ __...

Page 552: ... rule is deleted subsequent rules do not move up in the page list Use Go To Rule to view the page where your desired rule is listed Select Next Page or Previous Page to view the next or previous page of rules respectively Select Rule Type the policy index number you wish to edit or delete and then press ENTER When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to sav...

Page 553: ...recedence 0 Edit policy to packets received from No Press ENTER to Confirm or ESC to Cancel Table 211 Menu 25 1 IP Routing Policy Setup FIELD DESCRIPTION Rule Index This is the index number of the routing policy selected in Menu 25 IP Routing Policy Summary Active Press SPACE BAR and then ENTER to select Yes to activate the policy Criteria IP Protocol Enter a number that represents an IP layer 4 p...

Page 554: ...Type field Defines the outgoing gateway address The gateway must be on the same subnet as the ZYWALL if it is on the LAN otherwise the gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Remote Node Idx This field displays if you selected Remote Node in the Gateway Type field Type 1 for WAN port 1 or 2 for WAN port 2 Redirect Packet This field applies if you...

Page 555: ...nts the configured IP route Menu 25 1 1 IP Routing Policy Setup Apply policy to packets received from LAN No DMZ No ALL WAN Yes Selected Remote Node index N A Press ENTER to Confirm or ESC to Cancel Table 212 Menu 25 1 1 IP Routing Policy Setup FIELD DESCRIPTION LAN DMZ ALL WAN Press SPACE BAR to select Yes or No Choose Yes and press ENTER to apply the policy to packets received on the specific in...

Page 556: ...o apply the policy to packets received on the LAN port 3 Check Menu 25 IP Routing Policy Summary to see if the rule is added correctly Menu 25 1 IP Routing Policy Setup Rule Index 1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp Equal Source addr start 192 168 1 33 end 192 168 1 64 port start 0 end N A Destination addr start 0 0 0 0 end...

Page 557: ... 6 Check Menu 25 IP Routing Policy Summary to see if the rule is added correctly Menu 25 1 IP Routing Policy Setup Rule Index 2 Active No Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp Equal Source addr start 0 0 0 0 end N A port start 0 end N A Destination addr start 0 0 0 0 end N A port start 20 end 21 Action Matched Gateway Type IP Address Gate...

Page 558: ...ZyWALL 35 User s Guide 556 Chapter 43 IP Policy Routing ...

Page 559: ...d sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the ZyWALL by default applies the lowest numbered set first Set 2 will take precedence over set 3 and 4 and so on You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node Note To delete a sch...

Page 560: ... to activate the schedule set How Often Should this schedule set recur weekly or be used just once only Press SPACE BAR and then ENTER to select Once or Weekly Both these options are mutually exclusive If Once is selected then all weekday settings are N A When Once is selected the schedule rule deletes automatically after the scheduled time elapses Start Date Enter the start date when you wish the...

Page 561: ... period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means that this schedule prevents a demand call on the line When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your c...

Page 562: ...Active Yes Encapsulation PPTP Edit IP No Service Type Standard Telco Option Allocated Budget min 0 Outgoing Period hr 0 My Login Schedules 1 2 3 4 My Password Nailed up Connections No Retype to Confirm Authen CHAP PAP PPTP Session Options My IP Addr Edit Filter Sets No My IP Mask Idle Timeout sec 100 Server IP Addr Connection ID Name Press ENTER to Confirm or ESC to Cancel ...

Page 563: ...or or cord connected to the ZyWALL and to an appropriate power source If the error persists you may have a hardware problem In this case you should contact your vendor Table 215 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL from the LAN Check your Ethernet cable type and connections Refer to the Quick Start Guide for LAN connection instructions Make sure the ...

Page 564: ...Table 217 Troubleshooting the WAN Interface PROBLEM CORRECTIVE ACTION Cannot get WAN IP address from the ISP The ISP provides the WAN IP address after authentication Authentication may be through the user name and password the MAC address or the host name Use the following corrective actions to make sure the ISP can authenticate your connection You need a username and password if you re using PPPo...

Page 565: ...yWALL from the LAN or WAN Refer to Section 22 1 1 on page 351 for scenarios when remote management may not be possible When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP address when configuring from the LAN Refer to Section 45 2 on page 561 for instructions on checking your LAN connection Refer to Section 45 4 on page 562 for instructions on ...

Page 566: ... checking your LAN connection Check that you have enabled web service access If you have configured a secured client IP address your computer s IP address must match it Refer to the chapter on remote management for details Your computer s and the ZyWALL s IP addresses must be on the same subnet for LAN access If you changed the ZyWALL s LAN IP address then enter the new one as the URL Remove any f...

Page 567: ...eption for your device s IP address 45 7 1 1 1 Disable pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 357 Pop up Blocker You can also check if pop up blocking is disabled in the Pop up Blocker section in the Privacy tab 1 In Internet Explorer select Tools Internet Options Privacy 2 Clear the Block pop ups check box in the Pop up Bl...

Page 568: ...ave this setting 45 7 1 1 2 Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen ...

Page 569: ...eshooting 567 Figure 359 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to move the IP address to the list of Allowed sites ...

Page 570: ... Click Close to return to the Privacy screen 6 Click Apply to save this setting 45 7 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab ...

Page 571: ... 361 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 Click OK to close the window ...

Page 572: ...s Java Scripting 45 7 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window ...

Page 573: ...shooting 571 Figure 363 Security Settings Java 45 7 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window ...

Page 574: ...ZyWALL 35 User s Guide 572 Chapter 45 Troubleshooting Figure 364 Java Sun ...

Page 575: ...ort WAN1 WAN2 Auto negotiating auto MDI MDI X 10 100 Mbps RJ 45 Ethernet port DMZ Auto negotiating auto MDI MDI X 10 100 Mbps RJ 45 Ethernet port Reset Button Restores factory default settings Console RS 232 DB9F Dial Backup RS 232 DB9M Extension Card Slot For installing an optional ZyXEL wireless LAN card Operation Temperature 0º C 50º C Storage Temperature 30º C 60º C Operation Humidity 20 95 RH...

Page 576: ...uth User Authentication Internal Database and External RADIUS DH1 2 RSA signature Content Filtering Web page blocking by URL keyword IKE PKI support External database content filtering Java ActiveX Cookie News blocking Traffic Management Guaranteed Maximum Bandwidth Policy based Traffic shaping Priority bandwidth utilization Static Routes High Availability HA Auto fail over fall back Dial Backup D...

Page 577: ...oint Protocol link layer protocol Transparent bridging for unsupported network layer protocols DHCP Server Client Relay RIP I RIP II ICMP SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP Other Features Transparent Firewall Bridge mode Load Balancing Dynamic DNS IP Alias Static Routes IP Policy Routing Bandwidth Management Table 4 Feature Specifications FE...

Page 578: ... pin connector end of the PCMCIA or CardBus wireless LAN card into the slot as shown next Note Only certain ZyXEL wireless LAN cards are compatible with the ZyWALL Do not force bend or twist the wireless LAN card Number of DNS Address Record Entries 8 Number of DNS Name Server Record Entries 16 Table 4 Feature Specifications continued FEATURE SPECIFICATION Table 5 Compatible ZyXEL WLAN Cards and S...

Page 579: ...unications connection generally a computer is DTE Data Terminal Equipment and a modem is DCE Data Circuit terminating Equipment The ZyWALL is DCE when you connect a computer to the console port The ZyWALL is DTE when you connect a modem to the dial backup port 1 Figure 2 Console Dial Backup Port Pin Layout 1 Pins 2 3 and 5 are used ...

Page 580: ...these pin assignments The CON AUX switch changes the setting in the firmware only and does not change the CON AUX port s pin assignments ZyWALLs with a CON AUX port also have a 9 pin adaptor for the console cable with these pin assignments on the male end Table 7 North American AC Power Adaptor Specifications AC Power Adapter model AD48 1201200DUY Input power AC120Volts 60Hz 0 25A Output power DC1...

Page 581: ...standards TUV CE EN 60950 Table 9 UK AC Power Adaptor Specifications AC Power Adapter model AD 1201200DK Input power AC230Volts 50Hz 0 2A Output power DC12Volts 1 2A Power consumption 10 W Plug United Kingdom standards Safety standards TUV CE EN 60950 BS7002 Table 10 Japan AC Power Adaptor Specifications AC Power Adapter model JOD 48 1124 Input power AC100Volts 50 60Hz 27VA Output power DC12Volts ...

Page 582: ... s Guide 580 Appendix A Product Specifications Power consumption 10 W Plug Australia and New Zealand standards Safety standards NATA AS 3260 Table 11 Australia and New Zealand AC Power Adaptor Specification continued ...

Page 583: ...1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that y...

Page 584: ...icrosoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK I...

Page 585: ...dapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 5 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS information...

Page 586: ...se the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyWALL and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default gat...

Page 587: ...uter s IP Address 585 Figure 7 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 8 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 588: ...ections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and then click Properties Figure 10 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically ...

Page 589: ...re additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default ...

Page 590: ...e General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them ...

Page 591: ...ork Connections window Network and Dial up Connections in Windows 2000 NT 11Turn on your ZyWALL and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Mac...

Page 592: ...ing up Your Computer s IP Address Figure 14 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 15 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list ...

Page 593: ...ck Save if prompted to save changes to your configuration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 16 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the ...

Page 594: ...ng From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window ...

Page 595: ...ess the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting There is also a class E address It is reserved for futu...

Page 596: ...subnetting the class arrangement of an IP address is ignored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With subnetting some of the host ID bits are converted into network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask followed by a continuous sequence of ze...

Page 597: ...he network 192 168 1 0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit The borrowed host ID bit can be either 0 or 1 thus giving two subnets 192 168 1 0 with mask 255 255 255 128 and 192 168 1 128 with mask 255 255 255 128 Table 15 Alternative Subnet Mask Notation SUBNET MASK IP ADDRESS SUBNET MASK 1 BITS LAST OCTET BIT VALUE 255 255 255 0 ...

Page 598: ...5 255 255 128 is the directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 Similarly the host ID range for the second subnet is 192 168 1 129 to 192 168 1 254 Table 17 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 101...

Page 599: ...0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID 192 168 1 62 Table 20 Subnet 2 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000000 Subnet Mask Binary 11111111 11111111 111111...

Page 600: ... 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 23 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Table 24 Class C Subnet Planning N...

Page 601: ...subnetting The following table is a summary for class B subnet planning Table 25 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 16382 3 255 255 224 0 19 8 8190 4 255 255 240 0 20 16 4094 5 255 255 248 0 21 32 2046 6 255 255 252 0 22 64 1022 7 255 255 254 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 1...

Page 602: ...ZyWALL 35 User s Guide 600 Appendix C IP Subnetting ...

Page 603: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN and ISDN the switching fabric is already in place It allows the ISP to use th...

Page 604: ...ess Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the computer and the ISP ZyWALL as a PPPoE Client When using the ZyWALL as a PPPoE client the comp...

Page 605: ...is that it requires one separate ATM VC per destination Figure 20 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a computer to the ANT In Windows VPN or PPTP Pass Through feature the PPTP tunneling is created from Windows 95 98 and NT clients to an NT server in a remote location The pass through feature allows users on the network t...

Page 606: ...lity The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Figure 21 PPTP Protocol Overview Microsoft includes PPTP as a part of the Windows OS In Microsoft s implementation the computer and hence the ZyWALL is the PNS that requests the PAC the ANT to place an outgoing call over AAL5 to an RFC...

Page 607: ...ssage Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using the Call ID field in the GRE header ...

Page 608: ...ZyWALL 35 User s Guide 606 Appendix E PPTP ...

Page 609: ...rk or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 23 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra BSS tr...

Page 610: ...ed connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless stations within the sa...

Page 611: ...overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 or 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not within range...

Page 612: ...smission It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the ...

Page 613: ...ng preamble However not all wireless adapters support short preamble Use long preamble if you are unsure what preamble mode the wireless adapters support to ensure interpretability between the AP and the wireless stations and to provide more reliable communication in noisy networks Select Dynamic to have the AP automatically use short preamble when all wireless stations support it otherwise the AP...

Page 614: ... wireless stations RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to the ...

Page 615: ...anged is also encrypted to protect the network from unauthorized access EAP Authentication EAP Extensible Authentication Protocol is an authentication protocol that runs on top of the IEEE802 1x transport mechanism in order to support multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server the access point helps a wireless station and a RADIUS server per...

Page 616: ...authentication server as MD5 authentication method does not perform mutual authentication Finally MD5 authentication method does not support data encryption with dynamic session key You must configure WEP encryption keys for data encryption EAP TLS Transport Layer Security With EAP TLS digital certifications are needed by both the server and the wireless stations for mutual authentication The serv...

Page 617: ...ation EAP GTC is implemented only by Cisco LEAP LEAP Lightweight Extensible Authentication Protocol is a Cisco implementation of IEEE 802 1x WEP Encryption WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private It encrypts unicast and multicast communications in a network Both the wireless stations and the access poi...

Page 618: ...age using the AP s default WEP key If the decrypted message matches the challenge text the wireless station is authenticated When your device authentication method is set to open system it will only accept open system authentication requests The same is true for shared key authentication However when it is set to auto authentication the device will accept either type of authentication request and ...

Page 619: ...age Integrity Check MIC named Michael an extended initialization vector IV with sequencing rules and a re keying mechanism TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the PMK to dynamically generate unique...

Page 620: ...word guessing attacks but it s still an improvement over WEP as it employs an easier to use consistent single alphanumeric password Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method key management protocol type MAC address filters are not dependent on how you configure these security features Roaming A wireless...

Page 621: ...AN about the change The new information is then propagated to the other access points on the LAN An example is shown in Figure 29 If the roaming feature is not enabled on the access points information is not communicated between the access points when a wireless station moves between coverage areas The wireless station may not be able to communicate with other wireless stations on the network and ...

Page 622: ...E 802 1x user authentication is enabled and to be done locally on the access point the new access point must have the user profile for the wireless station 3 The adjacent access points should use different radio channels when their coverage areas overlap 4 All access points must use the same port number to relay roaming information 5 The access points must be connected to the Ethernet and be able ...

Page 623: ...ing data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below describe the triangle route problem 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN 2 The ZyWALL reroutes the SYN packet throug...

Page 624: ...faces with the ZyWALL being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyWALL to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The ZyWALL reroutes the packet to Gateway B which is in th...

Page 625: ...This ensures that all incoming network traffic passes through your ZyWALL to your LAN Therefore your LAN is protected Figure 33 Gateways on the WAN Side How To Configure Triangle Route 1 From the SMT main menu enter 24 2 Enter 8 in menu 24 to enter CI command mode 3 Use the following command to allow triangle route sys firewall ignore triangle all on or this command to disallow triangle route sys ...

Page 626: ...ZyWALL 35 User s Guide 624 Appendix G Triangle Route ...

Page 627: ...as a SIP address A complete SIP identity is called a SIP URI Uniform Resource Identifier A SIP account s URI identifies the SIP account in a way similar to the way an e mail address identifies an e mail account The format of a SIP identity is SIP Number SIP Service Domain SIP Number The SIP number is the part of the SIP URI that comes before the symbol A SIP number can use letters like in an e mai...

Page 628: ...sends SIP requests A SIP server responds to the SIP requests When you use SIP to make a VoIP call it originates at a client and terminates at a server A SIP client could be a computer or a SIP phone One device can act as both a SIP client and a SIP server SIP User Agent Server A SIP user agent server can make and receive VoIP telephone calls This means that SIP can be used for peer to peer communi...

Page 629: ...ess to an IP address and sends the translated IP address back to the device that sent the request Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server Redirect servers do not initiate SIP requests In the following example you want to use client device A to call someone who is using client device C 1 Client device...

Page 630: ...s through NAT by examining and translating IP addresses embedded in the data stream When a VoIP device SIP client behind the SIP ALG registers with the SIP register server the SIP ALG translates the device s private IP address inside the SIP data stream to a public IP address You do not need to use STUN if your VoIP device is behind the SIP ALG STUN STUN Simple Traversal of User Datagram Protocol ...

Page 631: ...LL dynamically creates an implicit port forwarding rule for SIP traffic from the WAN to the LAN The SIP ALG on the ZyWALL supports all NAT mapping types including One to One Many to One Many to Many Overload and Many One to One SIP ALG and Firewall The ZyWALL creates an implicit temporary firewall rule for the dynamic RTP port on the WAN to the SIP client device on the LAN The firewall rule is cre...

Page 632: ...le behind the ZyWALL without STUN use the ip alg enable ALG_SIP command to activate the SIP ALG Signaling Session Timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions The SIP UA sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL If the SIP client does not have this mechanism and makes no call during the ZyW...

Page 633: ... manually create any static IP routes for the remote VPN site They are not required Dynamic IPSec Rule Create a dynamic rule by setting the Remote Gateway Address to 0 0 0 0 A single dynamic rule can support multiple simultaneous incoming IPSec connections All users of a dynamic rule have the same pre shared key You may need to change the pre shared key if one of the users leaves See the support n...

Page 634: ... Address settings with your own values VPN Configuration This section gives a VPN rule configuration example using the web configurator 1 Click VPN to display the following screen Click the add gateway policy icon to add an IPSec rule or gateway policy Figure 38 VPN Rules 2 Configure the screens in the headquarters and the branch office as follows and click Apply The pre shared key must be exactly...

Page 635: ...ZyWALL 35 User s Guide Appendix I VPN Setup 633 Figure 39 Headquarters Gateway Policy Edit The IP address of the branch office IPSec router ...

Page 636: ...Guide 634 Appendix I VPN Setup Figure 40 Branch Office Gateway Policy Edit 3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy The IP address of the headquarters IPSec router ...

Page 637: ...WALL 35 User s Guide Appendix I VPN Setup 635 Figure 41 Headquarters VPN Rule Figure 42 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply ...

Page 638: ...ZyWALL 35 User s Guide 636 Appendix I VPN Setup Figure 43 Headquarters Network Policy Edit IP addresses on different subnets Activate the network policy ...

Page 639: ...etwork Policy Edit Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel click the dial icon in the VPN Rules IKE screen to have the IPSec routers set up the tunnel IP addresses on different subnets Activate the network policy ...

Page 640: ...s Guide 638 Appendix I VPN Setup Figure 45 VPN Rule Configured The following screen displays Figure 46 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel Figure 47 VPN Tunnel Established ...

Page 641: ... routers Check the settings in each field methodically and slowly VPN Log The system log can often help to identify a configuration problem Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends clear the log and then build the tunnel View the log via the web configurator LOGS View Log screen or type sys log disp from SMT Menu 24 8 See Appendix Q on page 675...

Page 642: ...6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC5156C099C3F7DCA 11 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE Start Phase 2 Quick Mode 12 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC5156C099C3F7DCA 13 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE Phase 1 IKE SA process done 14 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC51...

Page 643: ...ll ras ipsec debug level 0 None 1 User 2 Low 3 High ras ipsec debug type 1 on ras ipsec debug type 2 on ras ipsec debug level 3 ras ipsec dial 1 get_ipsec_sa_by_policyIndex Start dialing for tunnel rule 1 ikeStartNegotiate saIndex 0 peerIp 5 1 2 3 protocol IPSEC_ESP 3 peer Ip 5 1 2 3 initiator type IPSEC_ESP exch Main initiator protocol IPSEC_ESP exchange mode Main mode find_ipsec_sa find ipsec sa...

Page 644: ...ou were at the office instead of connected through the Internet FTP Example The following example shows a text based login from a branch office computer to an FTP server behind the remote IPSec router at headquarters The server s IP address 192 168 10 33 is in the subnet configured in the Local Policy fields in Figure 39 on page 633 C Documents and Settings Administrator ftp 192 168 10 33 Connecte...

Page 645: ... Certificate Importing the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the self signed certificate into your operating system as a trusted certification authority To have Internet Explorer trust a ZyWALL certificate issued by a certificate authority import the certificate authority s certificate into your operat...

Page 646: ...pendix J Importing Certificates Figure 51 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 52 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard ...

Page 647: ... Importing Certificates 645 Figure 53 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 54 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard ...

Page 648: ...ZyWALL 35 User s Guide 646 Appendix J Importing Certificates Figure 55 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store Figure 56 Root Certificate Store ...

Page 649: ...ds a certificate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA web configurator screen ...

Page 650: ... CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next ...

Page 651: ... wizard as shown earlier in this appendix Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 652: ...icate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 61 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 653: ...ort Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 63 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 654: ...6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 66 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL the following screen asks you to select a personal certificate to send to the ZyWALL This screen displays even if...

Page 655: ...ZyWALL 35 User s Guide Appendix J Importing Certificates 653 Figure 67 SSL Client Authentication 3 You next see the ZyWALL login screen Figure 68 ZyWALL Secure Login Screen ...

Page 656: ...ZyWALL 35 User s Guide 654 Appendix J Importing Certificates ...

Page 657: ...nit and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off means that you must specify the type of net...

Page 658: ...ZyWALL 35 User s Guide 656 Appendix K Command Interpreter ...

Page 659: ...config display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set information about all of the sets rules appears config display firewall set set rule rule This command...

Page 660: ...e mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the ZyWALL is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59 This command sets the minute of the hour for the firewall log to be sent via e mail if the ZyWALL is set to send it on a hourly daily or weekly basis Attack config edit firewall attack send alert yes no T...

Page 661: ...h the same destination where the ZyWALL starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specified set Config edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall set set icmp...

Page 662: ... command sets the ZyWALL to log traffic that matches the rule doesn t match both or neither Config edit firewall set set rule rule alert yes no This command sets whether or not the ZyWALL sends an alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall set set rule rule srcaddr single ip address This command sets the rule to have the ZyWALL check for traffic ...

Page 663: ... a rule to have the ZyWALL check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyWALL check for UDP traffic with this destination address You may repeat this command to enter various non consecutive port numbers config edit firewall set set rule rule UDP destport range start port end port T...

Page 664: ...ZyWALL 35 User s Guide 662 Appendix L Firewall Commands ...

Page 665: ...ing of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the sending of NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow NetBIOS packets to initiate call...

Page 666: ...r dial This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 1 Between LAN and DMZ 2 Between WAN and DMZ 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the filter and block NetBIOS ...

Page 667: ...ser s Guide Appendix M NetBIOS Filter Commands 665 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets sys filter netbios config 4 off This command stops NetBIOS commands from initiating calls ...

Page 668: ...ZyWALL 35 User s Guide 666 Appendix M NetBIOS Filter Commands ...

Page 669: ... name specifies a descriptive name for the generated certification request subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If the name contains spaces please put it in quotes key size specifies the key size It has to be an integer from 512 to 2048 The default is 1024 bits create scep_enroll name CA addr CA cert auth key subje...

Page 670: ...ive name is not specified for the imported certificate the certificate will adopt the descriptive name of the certification request export name Export the PEM encoded certificate to stdout for user to copy and paste name specifies the name of the certificate to be exported view name View the information of the specified local host certificate name specifies the name of the certificate to be viewed...

Page 671: ...rusted CA certificate names and basic information rename old name new name Rename the specified trusted CA certificate old name specifies the name of the certificate to be renamed new name specifies the new name as which the certificate is to be saved crl_issuer name on off Specify whether or not the specified CA issues CRL name specifies the name of the CA certificate on off specifies whether or ...

Page 672: ...rd if required The format is login password delete name Delete the specified directory service name specifies the name of the directory server to be deleted view name View the specified directory service name specifies the name of the directory server to be viewed edit name addr port login pswd Edit the specified directory service name specifies the name of the directory server to be edited addr p...

Page 673: ...on on the command structure Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered Table 33 Brute Force Password Guessing Protection Commands COMMAND DESCRIPTION sys pwderrtm This command displays the brute force guessing password protection settings sys pwderrtm 0 This command turns off t...

Page 674: ...ZyWALL 35 User s Guide 672 Appendix O Brute Force Password Guessing Protection ...

Page 675: ...module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows for example ATBA3 will give a console port speed of 9 6 Kbps ATSE displays the seed that is used to generate a password to turn on the debug flag in the firmware The ATSH com...

Page 676: ...mon Area ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program at addr x or boot router ATGR boot router ATGT run Hardware Test Program ATRTw x y z RAM test level w from address x to y z iterations ATSH dump manufacturer related data in ROM ATTD d...

Page 677: ...ssful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the router via ftp FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table entries has been exceeded and the table is full Starting Conn...

Page 678: ...the max number of session per host This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host setNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings readNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings WAN connection is down A WAN connection is...

Page 679: ...e maximum sessions per host Firewall allowed a packet that matched a NAT session TCP UDP A packet from the WAN TCP or UDP matched a cone NAT session and the device forwarded it to the LAN Table 37 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack the TCP incomplete count is per destination host Exc...

Page 680: ...d set d rule d Attempted access matched a configured filter rule denoted by its set and rule number and was blocked or forwarded according to the rule Table 39 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy ICMP Packet Direction type d code d ICMP access matched the default policy and was blocked or forwarded according to the user s setting Firewall rule NOT match ICMP Packet Direction ...

Page 681: ...The PPP connection s Link Control Protocol stage has started ppp LCP Opening The PPP connection s Link Control Protocol stage is opening ppp CHAP Opening The PPP connection s Challenge Handshake Authentication Protocol stage is opening ppp IPCP Starting The PPP connection s Internet Protocol Control Protocol stage is starting ppp IPCP Opening The PPP connection s Internet Protocol Control Protocol...

Page 682: ...er is not on according to the time schedule or you didn t select the Block Matched Web Site checkbox the system forwards the web content Waiting content filter server timeout The external content filtering server did not respond within the timeout period DNS resolving failed The ZyWALL cannot get the IP address of the external content filtering via DNS query Creating socket failed The ZyWALL canno...

Page 683: ...lity ICMP type d code d The firewall detected an ICMP vulnerability attack traceroute ICMP type d code d The firewall detected an ICMP traceroute attack ports scan UDP The firewall detected a UDP port scan attack Firewall sent TCP packet in response to DoS attack TCP The firewall sent TCP packet in response to a DoS attack ICMP Source Quench ICMP The firewall detected an ICMP Source Quench attack ...

Page 684: ...less station associated with the device WLAN STA Association List Full The maximum number of associated wireless clients has been reached WLAN STA Association Again The SSID and time of association were updated for an wireless station that was already associated Table 47 IPSec Logs LOG MESSAGE DESCRIPTION Discard REPLAY packet The router received and discarded a packet with an incorrect sequence n...

Page 685: ...A process done The phase 1 IKE SA process has been completed Duplicate requests with the same cookie The router received multiple requests from the same peer while still processing the first IKE packet from the peer IKE Negotiation is in process The router has already started negotiating with the peer for the connection but the IKE process has not finished yet No proposal chosen Phase 1 or phase 2...

Page 686: ...hase 1 ID contents do not match Configured Peer ID Content Configured Peer ID Content The phase 1 ID contents do not match and the configured Peer ID Content is displayed Incoming ID Content Incoming Peer ID Content The phase 1 ID contents do not match and the incoming packet s ID content is displayed Unsupported local ID Type d The phase 1 ID type is not supported by the router Build Phase 1 ID T...

Page 687: ... Phase 1 hash mismatch The listed rule s IKE phase 1 hash did not match between the router and the peer Rule d Phase 1 preshared key mismatch The listed rule s IKE phase 1 pre shared key did not match between the router and the peer Rule d Tunnel built successfully The listed rule s IPSec tunnel has been built successfully Rule d Peer s public key not found The listed rule s IKE phase 1 peer s pub...

Page 688: ...suer name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd ARL size issuer name The router received an ARL Authority Revocation List with size and issuer name as recorded from the LDAP server whose address and port are recorded in the Source field Failed to decode the received ca cert The router received a corrupted certification authority certificat...

Page 689: ...tical extension that was not handled 13 Certificate issuer was not valid CA specific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CRL decoding failed 21 CRL is not currently valid but in the future 22 CRL contains duplicate serial numbers 23 Time interval is not c...

Page 690: ... Database does not support authentication mothed A user tried to use an authentication method that the local user database does not support it only supports EAP MD5 No response from RADIUS Pls check RADIUS Server There is no response message from the RADIUS server please check the RADIUS server Use Local User Database to authenticate user The local user database is operating as the authentication ...

Page 691: ... was dropped because it was set to Don t Fragment DF 5 Source route failed 4 Source Quench 0 A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service a...

Page 692: ... message is sent by the system RAS displays as the system name if you haven t configured one when the router generates a syslog The facility is defined in the Log Settings screen The severity is the log s syslog class The definition of messages and notes are defined in the various log charts throughout this appendix The devID is the MAC address of the router s LAN port The cat is the same as the c...

Page 693: ...of the log categories Figure 71 Displaying Log Categories Example 3 Use sys logs category followed by a log category to display the parameters that are available for the category KE Key Exchange ID Identification CER Certificate CER_REQ Certificate Request HASH Hash SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID Table 55 RFC 2408 ISAKMP Payload Types continued LOG DISPLAY PA...

Page 694: ...vailable with every category 5 Use the sys logs save command to store the settings in the ZyWALL you must do this in order to record logs Displaying Logs Use the sys logs display command to show all of the logs in the ZyWALL s log Use the sys logs category display command to show the log settings for all of the log categories Use the sys logs display log category command to show the logs in an ind...

Page 695: ... ACCESS BLOCK Firewall default policy IGMP W to W ZW 1 06 08 2004 05 58 20 172 21 3 56 239 255 255 250 ACCESS BLOCK Firewall default policy IGMP W to W ZW 2 06 08 2004 05 58 20 172 21 0 2 239 255 255 254 ACCESS BLOCK Firewall default policy IGMP W to W ZW 3 06 08 2004 05 58 20 172 21 3 191 224 0 1 22 ACCESS BLOCK Firewall default policy IGMP W to W ZW 4 06 08 2004 05 58 20 172 21 0 254 224 0 0 1 A...

Page 696: ...ZyWALL 35 User s Guide 694 Appendix Q Log Descriptions ...

Page 697: ...Mbps Ethernet DMZ 48 auto negotiation 47 48 AWG 3 B Backup 408 522 Backup WAN 48 Bandwidth Borrowing 327 Bandwidth Class 323 Bandwidth Filter 323 334 Bandwidth Management 49 323 Bandwidth Management Statistics 335 Bandwidth Manager Class Configuration 332 Bandwidth Manager Class Setup 330 Bandwidth Manager Monitor 336 Bandwidth Manager Summary 329 Basement 3 Blocking Time 196 197 198 Bridge Protoc...

Page 698: ...ination Address 179 DHCP 69 89 92 102 348 395 441 DHCP Dynamic Host Configuration Protocol 53 DHCP Ethernet Setup 440 DHCP Table 69 Diagnostic 517 Dial Timeout 431 Diffie Hellman Key Groups 240 DMZ IP Alias 452 IP Alias Setup 453 Port Filter Setup 451 Setup 451 452 TCP IP Setup 452 DNS 371 DNS Server For VPN Host 340 Domain Name 127 305 395 512 DoS Basics 167 Types 168 DoS Denial of Service 50 Dro...

Page 699: ...Maintenance 521 Flow Control 413 Fragmentation Threshold 610 Fragmentation threshold 610 France Contact Information 5 FTP 305 348 351 366 523 547 File Upload 531 GUI based Clients 524 Restoring Files 527 FTP File Transfer 530 FTP Restrictions 351 524 547 FTP Server 54 484 Full Network Management 53 G Gas Pipes 3 Gateway IP Addr 465 Gateway IP Address 448 470 General Setup 395 421 Germany Contact I...

Page 700: ... 230 IPSec architecture 229 IPSec standard 49 IPSec VPN Capability 49 50 ISP Parameters 73 ISP_s Name 448 K Key Fields For Configuring Rules 179 L LAN IP Address 391 393 LAN Port Filter Setup 439 LAN Setup 439 440 LAN TCP IP 89 LAN to WAN Rules 180 LAND 168 169 Lightning 3 Link type 62 64 103 Liquids Corrosive 3 Local 295 Log 513 Log Facility 514 Logging 53 Login Name 448 Login Screen 414 M MAC Ad...

Page 701: ...Minute Low 197 One to One 298 One Minute High 196 Opening 3 Outgoing Protocol Filters 443 Outside 295 P Packet Filtering 51 175 Packet Filtering Firewalls 165 Pairwise Master Key PMK 617 PAP 432 463 Password 396 414 419 448 507 Path cost 100 PCMCIA Port 48 Perfect Forward Secrecy 240 Period hr 432 463 Ping 519 Ping of Death 168 Pipes 3 Point to Point Tunneling Protocol 76 305 Point to Point Tunnel...

Page 702: ... 90 91 435 442 443 466 Direction 443 Version 443 466 Risk 3 Risks 3 RoadRunner Support 53 Roaming 618 Example 619 Requirements 620 Root bridge 100 Root Class 330 Route 461 Routing Policy 317 RTC 541 RTCSee Real Time Chip 48 RTP 628 RTS Request To Send 610 RTS Request To Send threshold 114 RTS Threshold 609 610 RTS CTS handshake 445 Rules 177 180 Checklist 178 Creating Custom 177 Key Fields 179 LAN...

Page 703: ... 169 SYN ACK 168 Syntax Conventions 46 Syslog 188 192 Syslog IP Address 514 System Information 509 511 System Maintenance 509 510 511 512 513 514 517 518 519 522 525 533 534 537 539 540 542 543 System Management Terminal 414 System Name 396 421 System Statistics 67 System Status 509 System Timeout 352 T TCP Maximum Incomplete 196 197 198 TCP Security 173 TCP IP 167 168 365 433 440 441 452 464 498 ...

Page 704: ...229 secure gateway 234 VPN Application 54 228 VPN Status 70 VT100 413 W Wall Mount 3 WAN DHCP 518 519 WAN Setup 128 427 WAN to LAN Rules 180 Warnings 3 Water 3 Water Pipes 3 Web 365 Web Configurator 57 60 166 175 179 492 Web Site 5 Web Site Hits 391 392 WEP Encryption 51 116 121 123 WEP encryption 615 Wet Basement 3 Wireless LAN 49 Wireless LAN MAC Address Filtering 51 Wireless LAN Setup 443 Wizar...