ZyXEL Communications ZyXEL ZyWALL 5, User Manual

Page 1: ...ZyWALL 5 Internet Security Appliance User s Guide Version 3 64 3 2005 ...

Page 2: ......

Page 3: ...EL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to c...

Page 4: ... communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and the receiver Connect the equipment into an outlet on...

Page 5: ...ply is damaged remove it from the power outlet Do NOT attempt to repair the power supply Contact your local vendor to order a new power supply Place connecting cables carefully so that no one will step on them or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no ele...

Page 6: ... an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of ...

Page 7: ...j 5 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL CommunicationsOy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel fr 33 0 4 72 52 97 97 www zyxel fr ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France 33 0 4 72 52 19 20 GERMANY support zyxel de 49 2405 6909 0 www zyxel de ZyXEL Deutsch...

Page 8: ...EL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK sales zyxel co uk 44 0 8702 909091 ftp zyxel co uk a is the prefix number you enter to make an international telephone call METHOD LOCATION SUPPORT E MAIL TELEPHONEA WEB SITE REGULAR MAIL SALES E MAIL FAX FTP SITE ...

Page 9: ...ions for the ZyWALL 51 1 3 1 Secure Broadband Internet Access via Cable or DSL Modem 51 1 3 2 VPN Application 52 1 3 3 Front Panel LEDs 53 Chapter 2 Introducing the Web Configurator 55 2 1 Web Configurator Overview 55 2 2 Accessing the ZyWALL Web Configurator 55 2 3 Resetting the ZyWALL 56 2 3 1 Procedure To Use The Reset Button 57 2 3 2 Uploading a Configuration File Via Console Port 57 2 4 Navig...

Page 10: ...3 3 5 VPN Wizard Setup Complete 83 Chapter 4 LAN Screens 85 4 1 LAN Overview 85 4 2 DHCP Setup 85 4 2 1 IP Pool Setup 85 4 3 LAN TCP IP 85 4 3 1 Factory LAN Defaults 85 4 3 2 IP Address and Subnet Mask 86 4 3 3 RIP Setup 86 4 3 4 Multicast 87 4 4 DNS Servers 87 4 5 Configuring LAN 87 4 6 Configuring Static DHCP 89 4 7 Configuring IP Alias 90 4 8 Configuring Port Roles 92 Chapter 5 Bridge Screens 9...

Page 11: ...plication Example 107 6 10 Wireless Client WPA Supplicants 108 6 11 Configuring Wireless LAN 108 6 11 1 Static WEP 110 6 11 2 WPA PSK 111 6 11 3 WPA 113 6 11 4 802 1x Dynamic WEP 114 6 11 5 802 1x Static WEP 115 6 11 6 802 1x No WEP 116 6 11 7 No Access 802 1x Static WEP 117 6 11 8 No Access 802 1x No WEP 119 6 12 Configuring MAC Filter 119 Chapter 7 WAN Screens 121 7 1 WAN Overview 121 7 1 1 WAN ...

Page 12: ...51 9 2 2 Application level Firewalls 151 9 2 3 Stateful Inspection Firewalls 152 9 3 Introduction to ZyXEL s Firewall 152 9 4 Denial of Service 153 9 4 1 Basics 153 9 4 2 Types of DoS Attacks 154 9 4 2 1 ICMP Vulnerability 156 9 4 2 2 Illegal Commands NetBIOS and SMTP 156 9 4 2 3 Traceroute 157 9 5 Stateful Inspection 157 9 5 1 Stateful Inspection Process 158 9 5 2 Stateful Inspection and the ZyWA...

Page 13: ...stom Services 174 10 7 Example Firewall Rule 174 10 8 Predefined Services 178 10 9 Anti Probing 180 10 10 DoS Thresholds 181 10 10 1 Threshold Values 182 10 10 2 Half Open Sessions 182 10 10 2 1 TCP Maximum Incomplete and Blocking Time 182 Chapter 11 Content Filtering Screens 185 11 1 Content Filtering Overview 185 11 1 1 Restrict Web Features 185 11 1 2 Create a Filter List 185 11 1 3 Customize W...

Page 14: ...inology 213 13 1 3 1 Encryption 213 13 1 3 2 Data Confidentiality 214 13 1 3 3 Data Integrity 214 13 1 3 4 Data Origin Authentication 214 13 1 4 VPN Applications 214 13 1 4 1 Linking Two or More Private Networks Together 214 13 1 4 2 Accessing Network Resources When NAT Is Enabled 214 13 1 4 3 Unsupported IP Applications 214 13 2 IPSec Architecture 215 13 2 1 IPSec Algorithms 215 13 2 2 Key Manage...

Page 15: ...cy 239 14 13 Manual VPN Rule Summary Screen 240 14 13 1 Security Parameter Index SPI 242 14 13 2 Editing Manual VPN Rules 242 14 14 Viewing SA Monitor 246 14 15 Configuring Global Setting 246 14 16 Telecommuter VPN IPSec Examples 247 14 16 1 Telecommuters Sharing One VPN Rule Example 248 14 16 2 Telecommuters Using Unique VPN Rules Example 248 14 17 VPN and Remote Management 250 Chapter 15 Certifi...

Page 16: ...erview 281 17 1 1 NAT Definitions 281 17 1 2 What NAT Does 282 17 1 3 How NAT Works 282 17 1 4 NAT Application 283 17 1 5 Port Restricted Cone NAT 284 17 1 6 NAT Mapping Types 284 17 2 Using NAT 285 17 2 1 SUA Single User Account Versus NAT 285 17 3 Configuring NAT Overview 286 17 4 Configuring Address Mapping 287 17 4 1 Address Mapping Edit 288 17 5 Port Forwarding 289 17 5 1 Default Server IP Ad...

Page 17: ... 304 19 8 2 2 Fairness based Allotment of Unused and Unbudgeted Bandwidth 305 19 9 Bandwidth Borrowing 305 19 9 1 Bandwidth Borrowing Example 306 19 9 2 Maximize Bandwidth Usage With Bandwidth Borrowing 306 19 10 Configuring Summary 306 19 11 Configuring Class Setup 308 19 11 1 Bandwidth Manager Class Configuration 309 19 11 2 Bandwidth Management Statistics 312 19 12 Configuring Monitor 313 Chapt...

Page 18: ...entation on the ZyWALL 339 21 7 1 Requirements for Using SSH 340 21 8 Configuring SSH 340 21 9 Secure Telnet Using SSH Examples 341 21 9 1 Example 1 Microsoft Windows 341 21 9 2 Example 2 Linux 341 21 10 Secure FTP Using SSH Example 342 21 11 Telnet 343 21 12 Configuring TELNET 343 21 13 Configuring FTP 344 21 14 Configuring SNMP 345 21 14 1 Supported MIBs 347 21 14 2 SNMP Traps 347 21 14 3 REMOTE...

Page 19: ...Maintenance 371 24 1 Maintenance Overview 371 24 2 General Setup 371 24 2 1 General Setup and System Name 371 24 2 2 Domain Name 371 24 3 Configuring Password 372 24 4 Pre defined NTP Time Servers List 373 24 5 Configuring Time and Date 374 24 5 1 Resetting the Time 376 24 5 2 Time Server Synchronization 376 24 6 Introduction to Transparent Bridging 377 24 7 Transparent Firewalls 378 24 8 Configur...

Page 20: ...p 403 27 3 Dial Backup 404 27 4 Configuring Dial Backup in Menu 2 404 27 5 Advanced WAN Setup 405 27 6 Remote Node Profile Backup ISP 407 27 7 Editing PPP Options 409 27 8 Editing TCP IP Options 409 27 9 Editing Login Script 411 27 10 Remote Node Filter 413 Chapter 28 LAN Setup 415 28 1 Introduction to LAN Setup 415 28 2 Accessing the LAN Menus 415 28 3 LAN Port Filter Setup 415 28 4 TCP IP and DH...

Page 21: ...ed Up Connection 434 31 3 2 3 Metric 434 31 3 3 PPTP Encapsulation 435 31 4 Edit IP 436 31 5 Remote Node Filter 438 31 6 Traffic Redirect 439 Chapter 32 IP Static Route Setup 441 32 1 IP Static Route Setup 441 Chapter 33 Network Address Translation NAT 443 33 1 Using NAT 443 33 1 1 SUA Single User Account Versus NAT 443 33 1 2 Applying NAT 443 33 2 NAT Setup 445 33 2 1 Address Mapping Sets 445 33 ...

Page 22: ...7 35 2 2 Configuring a TCP IP Filter Rule 468 35 2 3 Configuring a Generic Filter Rule 470 35 3 Example Filter 472 35 4 Filter Types and NAT 474 35 5 Firewall Versus Filters 474 35 6 Applying a Filter 475 35 6 1 Applying LAN Filters 475 35 6 2 Applying DMZ Filters 475 35 6 3 Applying Remote Node Filters 476 Chapter 36 SNMP Configuration 477 36 1 SNMP Configuration 477 36 2 SNMP Traps 478 Chapter 3...

Page 23: ...ole Port 499 38 5 Uploading Firmware and Configuration Files 500 38 5 1 Firmware File Upload 500 38 5 2 Configuration File Upload 501 38 5 3 FTP File Upload Command from the DOS Prompt Example 501 38 5 4 FTP Session Example of Firmware File Upload 502 38 5 5 TFTP File Upload 502 38 5 6 TFTP Upload Command Example 503 38 5 7 Uploading Via Console Port 503 38 5 8 Uploading Firmware File Via Console ...

Page 24: ... 524 42 4 Problems with the WAN Interface 524 42 5 Problems with Internet Access 525 42 6 Problems with Remote Management 525 42 7 Problems Accessing the ZyWALL 525 42 7 1 Pop up Windows JavaScripts and Java Permissions 526 42 7 1 1 Internet Explorer Pop up Blockers 527 42 7 1 2 JavaScripts 530 42 7 1 3 Java Permissions 532 Appendix A Product Specifications 535 Appendix B Setting up Your Computer ...

Page 25: ...porting Certificates 607 Appendix K Command Interpreter 619 Appendix L Firewall Commands 621 Appendix M NetBIOS Filter Commands 627 Appendix N Certificates Commands 631 Appendix O Brute Force Password Guessing Protection 635 Appendix P Boot Commands 637 Appendix Q Log Descriptions 639 Index 659 ...

Page 26: ...ZyWALL 5 User s Guide 24 ...

Page 27: ...on 73 Figure 15 Internet Access Wizard Setup Complete 74 Figure 16 VPN Wizard Gateway Setting 75 Figure 17 VPN Wizard Network Setting 76 Figure 18 VPN Wizard IKE Tunnel Setting 78 Figure 19 VPN Wizard IPSec Setting 79 Figure 20 VPN Wizard VPN Status 81 Figure 21 VPN Wizard Setup Complete 83 Figure 22 LAN 88 Figure 23 Static DHCP 90 Figure 24 Physical Network Partitioned Logical Networks 91 Figure ...

Page 28: ...ress Example 148 Figure 56 Port Roles 149 Figure 57 Port Roles Change Complete 149 Figure 58 ZyWALL Firewall Application 153 Figure 59 Three Way Handshake 154 Figure 60 SYN Flood 155 Figure 61 Smurf Attack 156 Figure 62 Stateful Inspection 158 Figure 63 LAN to WAN Traffic 166 Figure 64 WAN to LAN Traffic 167 Figure 65 Default Rule Router Mode 168 Figure 66 Default Rule Bridge Mode 169 Figure 67 Ru...

Page 29: ...Global Report Screen Example 212 Figure 100 Requested URLs Example 212 Figure 101 Encryption and Decryption 214 Figure 102 IPSec Architecture 215 Figure 103 Transport and Tunnel Mode IPSec Encapsulation 216 Figure 104 NAT Router Between IPSec Routers 222 Figure 105 Two Phases to Set Up the IPSec SA 224 Figure 106 Gateway and Network Policies 228 Figure 107 IPSec Summary Fields 228 Figure 108 VPN R...

Page 30: ...Translation Example 292 Figure 143 Port Forwarding 293 Figure 144 Trigger Port Forwarding Process Example 294 Figure 145 Port Triggering 295 Figure 146 Example of Static Routing Topology 297 Figure 147 IP Static Route 298 Figure 148 Edit IP Static Route 299 Figure 149 Subnet based Bandwidth Management Example 302 Figure 150 Bandwidth Manager Summary 307 Figure 151 Bandwidth Manager Class Setup 308...

Page 31: ...184 DNS 349 Figure 185 Configuring UPnP 352 Figure 186 UPnP Ports 353 Figure 187 View Log 362 Figure 188 Log Settings 364 Figure 189 Reports 367 Figure 190 Web Site Hits Report Example 368 Figure 191 Protocol Port Report Example 369 Figure 192 LAN IP Address Report Example 370 Figure 193 General Setup 372 Figure 194 Password Setup 373 Figure 195 Time and Date 374 Figure 196 Synchronization in Proc...

Page 32: ... LAN Setup 415 Figure 230 Menu 3 1 LAN Port Filter Setup 416 Figure 231 Menu 3 TCP IP and DHCP Setup 416 Figure 232 Menu 3 2 TCP IP and DHCP Ethernet Setup 417 Figure 233 Menu 3 2 1 IP Alias Setup 419 Figure 234 Menu 3 5 Wireless LAN Setup 420 Figure 235 Menu 3 5 1 WLAN MAC Address Filter 422 Figure 236 Menu 4 Internet Access Setup Ethernet 423 Figure 237 Internet Access Setup PPTP 425 Figure 238 ...

Page 33: ...Menu 11 1 2 455 Figure 270 Example 3 Menu 15 1 1 1 455 Figure 271 Example 3 Final Menu 15 1 1 456 Figure 272 Example 3 Menu 15 2 457 Figure 273 NAT Example 4 457 Figure 274 Example 4 Menu 15 1 1 1 Address Mapping Rule 458 Figure 275 Example 4 Menu 15 1 1 Address Mapping Rules 458 Figure 276 Menu 15 3 Trigger Port Setup 460 Figure 277 Menu 21 Filter and Firewall Setup 461 Figure 278 Menu 21 2 Firew...

Page 34: ...tore Using FTP Session Example 499 Figure 313 System Maintenance Restore Configuration 499 Figure 314 System Maintenance Starting Xmodem Download Screen 499 Figure 315 Restore Configuration Example 500 Figure 316 Successful Restoration Confirmation Screen 500 Figure 317 Telnet Into Menu 24 7 1 Upload System Firmware 501 Figure 318 Telnet Into Menu 24 7 2 System Maintenance 501 Figure 319 FTP Sessi...

Page 35: ...IP Properties 549 Figure 12 Windows XP Advanced TCP IP Properties 550 Figure 13 Windows XP Internet Protocol TCP IP Properties 551 Figure 14 Macintosh OS 8 9 Apple Menu 552 Figure 15 Macintosh OS 8 9 TCP IP 552 Figure 16 Macintosh OS X Apple Menu 553 Figure 17 Macintosh OS X Network 554 Figure 18 Single Computer per Router Hardware Configuration 564 Figure 19 ZyWALL as a PPPoE Client 564 Figure 20...

Page 36: ...1 609 Figure 54 Certificate Import Wizard 2 609 Figure 55 Certificate Import Wizard 3 610 Figure 56 Root Certificate Store 610 Figure 57 Certificate General Information after Import 611 Figure 58 ZyWALL Trusted CA Screen 612 Figure 59 CA Certificate Example 613 Figure 60 Personal Certificate Import Wizard 1 614 Figure 61 Personal Certificate Import Wizard 2 614 Figure 62 Personal Certificate Impor...

Page 37: ...rd IKE Tunnel Setting 78 Table 15 VPN Wizard IPSec Setting 79 Table 16 VPN Wizard VPN Status 81 Table 17 LAN 88 Table 18 Static DHCP 90 Table 19 IP Alias 92 Table 20 STP Path Costs 96 Table 21 STP Port States 97 Table 22 Bridge 98 Table 23 Wireless Security Relational Matrix 102 Table 24 Wireless No Security 109 Table 25 Wireless Static WEP 111 Table 26 Wireless WPA PSK 112 Table 27 Wireless WPA 1...

Page 38: ...ilter Categories 189 Table 58 Content Filter Customization 196 Table 59 Content Filter Cache 199 Table 60 myZyXEL com Numbers 202 Table 61 VPN and NAT 217 Table 62 ESP and AH 220 Table 63 Local ID Type and Content Fields 223 Table 64 Peer ID Type and Content Fields 223 Table 65 Matching ID Type and Content Configuration Example 223 Table 66 Mismatching ID Type and Content Configuration Example 224...

Page 39: ...tatic Route 299 Table 101 Application and Subnet based Bandwidth Management Example 302 Table 102 Maximize Bandwidth Usage Example 304 Table 103 Priority based Allotment of Unused and Unbudgeted Bandwidth Example 304 Table 104 Fairness based Allotment of Unused and Unbudgeted Bandwidth Example 305 Table 105 Bandwidth Borrowing Example 306 Table 106 Bandwidth Manager Summary 307 Table 107 Bandwidth...

Page 40: ...able 146 SMT Menus Overview 393 Table 147 Menu 1 General Setup Router Mode 397 Table 148 Menu 1 General Setup Bridge Mode 398 Table 149 Menu 1 1 Configure Dynamic DNS 399 Table 150 Menu 1 1 1 DDNS Host Summary 400 Table 151 Menu 1 1 1 DDNS Edit Host 401 Table 152 MAC Address Cloning in WAN Setup 404 Table 153 Menu 2 Dial Backup Setup 405 Table 154 Advanced WAN Port Setup AT Commands Fields 406 Tab...

Page 41: ...Generic Filter Rule Menu Fields 471 Table 184 SNMP Configuration Menu Fields 477 Table 185 SNMP Traps 478 Table 186 System Maintenance Status Menu Fields 480 Table 187 Fields in System Maintenance Information 482 Table 188 System Maintenance Menu Syslog Parameters 484 Table 189 System Maintenance Menu Diagnostic 489 Table 190 Filename Conventions 492 Table 191 General Commands for GUI based FTP Cl...

Page 42: ...Table 19 Subnet 1 559 Table 20 Subnet 2 559 Table 21 Subnet 3 559 Table 22 Subnet 4 560 Table 23 Eight Subnets 560 Table 24 Class C Subnet Planning 560 Table 25 Class B Subnet Planning 561 Table 26 IEEE802 11g 575 Table 27 Comparison of EAP Authentication Types 581 Table 28 Wireless Security Relational Matrix 582 Table 29 SIP Call Progression 589 Table 30 Firewall Commands 621 Table 31 NetBIOS Fil...

Page 43: ...ble 48 IKE Logs 647 Table 49 PKI Logs 650 Table 50 Certificate Path Verification Failure Reason Codes 651 Table 51 802 1X Logs 651 Table 52 ACL Setting Notes 652 Table 53 ICMP Notes 653 Table 54 Syslog Logs 654 Table 55 RFC 2408 ISAKMP Payload Types 654 ...

Page 44: ...ZyWALL 5 User s Guide 42 ...

Page 45: ...onfigure your ZyWALL Not all features can be configured through all interfaces Related Documentation Supporting Disk Refer to the included CD for support documents Quick Start Guide The Quick Start Guide is designed to help you get up and running right away It contains a detailed easy to follow connection diagram default settings handy checklists and information on setting up your network and conf...

Page 46: ...e Enter or carriage return key ESC means the Escape key and SPACE BAR means the Space Bar Mouse action sequences are denoted using a comma For example click the Apple icon Control Panels and then Modem means first click the Apple icon then point your mouse pointer to Control Panels and then click Modem For brevity s sake we will use e g as a shorthand for for instance and i e for that is or in oth...

Page 47: ...ides bandwidth management NAT port forwarding DHCP server and many other powerful features The PCMCIA CardBus slot allows you to add a 802 11b g compliant wireless LAN The ZyWALL offers highly secured wireless connectivity to your wired network with IEEE 802 1x WEP data encryption WPA Wi Fi Protected Access and MAC address filtering 1 2 ZyWALL Features The following sections describe ZyWALL featur...

Page 48: ...x or full duplex mode depending on your Ethernet network The ports are also auto crossover MDI MDI X meaning they automatically adjust to either a crossover or straight through Ethernet cable Dial Backup WAN The dial backup port can be used in reserve as a traditional dial up connection when if ever the WAN and traffic redirect connections fail Time and Date The ZyWALL allows you to get the curren...

Page 49: ...etwork Bandwidth Management Bandwidth management allows you to allocate network resources according to defined policies This policy based bandwidth allocation helps your network to better handle real time applications such as Voice over IP VoIP IPSec VPN Capability Establish a Virtual Private Network VPN to connect with business partners and branch offices using data encryption and the Internet to...

Page 50: ...lude a range of users on the LAN from content filtering You can also subscribe to category based content filtering that allows your ZyWALL to check web sites against an external database of dynamically updated ratings of millions of web sites Universal Plug and Play UPnP Using the standard TCP IP protocol the ZyWALL and other UPnP enabled devices can dynamically join a network obtain an IP address...

Page 51: ...PTP Encapsulation Point to Point Tunneling Protocol PPTP is a network protocol that enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using a TCP IP based network PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The ZyWALL supports one PPTP server connection at any given tim...

Page 52: ... Translation NAT allows the translation of an Internet protocol address used within one network for example a private IP address used in a local network to a different IP address known within another network for example a public IP address used on the Internet Traffic Redirect Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet thus a...

Page 53: ...ervice Logging and Tracing Built in message logging and packet tracing Unix syslog facility support Firewall logs Content filtering logs Upgrade ZyWALL Firmware via LAN The firmware of the ZyWALL can be upgraded via the LAN Embedded FTP and TFTP Servers The ZyWALL s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration 1 3 Applications fo...

Page 54: ...yWALL Figure 1 Secure Internet Access via Cable DSL or Wireless Modem 1 3 2 VPN Application ZyWALL VPN is an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense for leased lines between sites ...

Page 55: ... 2 VPN Application 1 3 3 Front Panel LEDs Figure 3 ZyWALL Front Panel The following table describes the LEDs Table 1 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off Green On The ZyWALL is turned on Red On The power to the ZyWALL is too low ...

Page 56: ...WAN 10 100 Off The WAN connection is not ready or has failed Green On The ZyWALL has a successful 10Mbps WAN connection Flashing The 10M WAN is sending or receiving packets Orange On The ZyWALL has a successful 100Mbps WAN connection Flashing The 100M WAN is sending or receiving packets LAN DMZ 10 100 Off The LAN DMZ is not connected Green On The ZyWALL has a successful 10Mbps Ethernet connection ...

Page 57: ...ndows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the Troubleshooting chapter if you want to make sure these functions are allowed in Internet Explorer 2 2 Accessing the ZyWALL Web Configurator 1 Make sure your ZyWALL hardware is properly connected and prepare your computer computer network to connect to the ZyWALL refer to the Quick Start Guide 2 La...

Page 58: ...out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into the ZyWALL if this happens to you 2 3 Resetting the ZyWALL If you forget your password or cannot access the web configurator you will need to reload the factory default configuration file or use the RESET button on the back of the ZyWALL Uploading this configuration file repla...

Page 59: ...t for the ZyWALL to finish restarting 2 3 2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site unzip it and save it in a folder 2 Turn off the ZyWALL begin a terminal emulation software session and turn on the ZyWALL again When you see the message Press Any key to enter Debug Mode within 3 seconds press any key to enter debug mode 3 En...

Page 60: ...lick the icon located in the top right corner of most screens to view online help The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen 2 4 1 Router Mode The following screen displays when the ZyWALL is set to router mode The ZyWALL is set to router mode by default Figure 7 Web Configurator HOME Screen in Router Mode Use submenus to configure ZyWALL featur...

Page 61: ...WALL is using Heap memory refers to the memory that is not used by ZyNOS ZyXEL Network Operating System and is thus available for running processes like NAT VPN and the firewall The second number shows the ZyWALL s total heap memory in kilobytes The bar displays what percent of the ZyWALL s heap memory is in use The bar turns from green to red when the maximum is being approached Sessions The firs...

Page 62: ...on page 163 for details on configuring the firewall Subnet Mask This shows the port s subnet mask DHCP This shows the WAN port s DHCP role Client or None This shows the LAN port s DHCP role Server Relay or None Renew If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP click Renew to release the WAN port s dynamically assigned IP a...

Page 63: ...is the IP subnet mask of the ZyWALL Gateway IP Address This is the gateway IP address Rapid Spanning Tree Protocol This shows whether RSTP Rapid Spanning Tree Protocol is active or not The following labels or values relative to RSTP do not apply when RSTP is disabled Bridge Priority This is the bridge priority of the ZyWALL Bridge Hello Time This is the interval of BPDUs Bridge Protocol Data Units...

Page 64: ...STP Active This shows whether or not RSTP is active on the corresponding port RSTP Priority This is the RSTP priority of the corresponding port RSTP Path Cost This is the cost of transmitting a frame from the root bridge to the corresponding port Show Statistics Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each por...

Page 65: ...Wireless Use this screen to configure the wireless LAN settings and WLAN authentication security settings MAC Filter Use this screen to change MAC filter settings on the ZyWALL WAN Route This screen allows you to configure route priority and traffic redirect properties WAN Use this screen to configure ZyWALL WAN port for internet access Traffic Redirect Use this screen to configure your traffic re...

Page 66: ...longing to the trusted remote hosts Directory Servers Use this screen to view and manage the list of the directory servers AUTH SERVER Local User Database Use this screen to configure the local user account s on the ZyWALL RADIUS Configure this screen to use an external server to authenticate wireless and or VPN users NAT NAT Overview Use this screen to enable NAT Address Mapping Use this screen t...

Page 67: ... which IP address es users can send DNS queries to the ZyWALL UPnP UPnP Use this screen to enable UPnP on the ZyWALL Ports Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL LOGS View Log Use this screen to view the logs for the categories that you selected Log Settings Use this screen to change your ZyWALL s log settings Reports Use this screen to have the ZyWALL r...

Page 68: ... MAC Address of all network clients using the ZyWALL s DHCP server Table 6 Home Show Statistics LABEL DESCRIPTION Port This is the WAN Dial Backup LAN DMZ or WLAN port Status This displays the port speed and duplex setting if you re using Ethernet encapsulation and Down line is down Idle line ppp idle Dial starting to trigger a call or Drop dropping a call if you re using PPPoE encapsulation TxPkt...

Page 69: ...Host Name This field displays the computer host name MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory This address follows an industry standard that ensures no other adapter has a similar ad...

Page 70: ...ion name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase ZyWALL processing requirements and communications latency delay Poll Interval s Enter the time interval for refreshing statistics in this field Set Interval Click this button to apply the new poll interval you ent...

Page 71: ...et access wizard screen has three variations depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information 3 2 1 ISP Parameters The ZyWALL offers three choices of encapsulation They are Ethernet PPTP or PPPoE The wizard screen varies according to the type of encapsulation that you se...

Page 72: ...is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field M...

Page 73: ...existing Microsoft Dial Up Networking experience and requires no new learning or procedures Refer to Appendix D on page 563 for more information on PPPoE Figure 13 ISP Parameters PPPoE Encapsulation First DNS Server Second DNS Server Enter the DNS server s IP address es in the field s to the right Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS ...

Page 74: ...User Name Type the user name given to you by your ISP Password Type the password associated with the user name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server The default time is 100 seconds W...

Page 75: ...PTP client you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type t...

Page 76: ... My ISP This field is optional and depends on the requirements of your xDSL modem WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field First...

Page 77: ...y Property Name Type up to 32 characters to identify this VPN gateway policy You may use any character including spaces but the ZyWALL drops trailing spaces My ZyWALL Enter the WAN IP address or domain name of your ZyWALL The ZyWALL uses its current WAN IP address static or dynamic in setting up the VPN tunnel if you leave this field as 0 0 0 0 The VPN tunnel has to be rebuilt if this IP address c...

Page 78: ...rty Active If the Active check box is selected packets for the tunnel trigger the ZyWALL to build the tunnel Clear the Active check box to turn the network policy off The ZyWALL does not apply the policy Packets for the tunnel do not trigger the tunnel Name Type up to 32 characters to identify this VPN network policy You may use any character including spaces but the ZyWALL drops trailing spaces N...

Page 79: ...elect Single for a single IP address Select Range IP for a specific range of IP addresses Select Subnet to specify IP addresses on a network by their subnet mask Starting IP Address When the Remote Network field is configured to Single enter a static IP address on the network behind the remote IPSec router When the Remote Network field is configured to Range IP enter the beginning static IP addres...

Page 80: ...quires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA ...

Page 81: ... with a 0x zero x which is not counted as part of the 16 to 62 character range for the key For example in 0x0123456789ABCDEF 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself Both ends of the VPN tunnel must use the same pre shared key You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Back Click Back to return...

Page 82: ...Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field The minimum value is 180 seconds A short SA Life Time in...

Page 83: ... screen Table 16 VPN Wizard VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain name of your ZyWALL Remote Gateway Address This is the IP address or the domain name used to identify the remote IPSec router ...

Page 84: ...e IPSec router IKE Tunnel Setting IKE Phase 1 Negotiation Mode This shows Main Mode or Aggressive Mode Multiple SAs connecting through a secure gateway must have the same negotiation mode Encryption Algorithm This is the method of data encryption Options can be DES 3DES or AES Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate pack...

Page 85: ...tions You have successfully set up the VPN rule after any existing rule s for your ZyWALL Figure 21 VPN Wizard Setup Complete Back Click Back to return to the previous screen Finish Click Finish to complete and save the wizard setup Table 16 VPN Wizard VPN Status continued LABEL DESCRIPTION ...

Page 86: ...ZyWALL 5 User s Guide 84 Chapter 3 Wizard Setup ...

Page 87: ...it When configured as a server the ZyWALL provides the TCP IP configuration for the clients If DHCP service is disabled you must have another DHCP server on your LAN or else the computer must be manually configured 4 2 1 IP Pool Setup The ZyWALL is pre configured with a pool of IP addresses for the DHCP clients DHCP Pool See the product specifications in the appendices Do not assign static IP addr...

Page 88: ...54 individual addresses from 192 168 1 1 to 192 168 1 254 zero and 255 are reserved In other words the first three numbers specify the network number while the last number identifies an individual computer on that network Once you have decided on the network number pick an IP address that is easy to remember for instance 192 168 1 1 for your ZyWALL but make sure that no other device on your networ...

Page 89: ...till in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 The class D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The address 224 0 0 1 is used for ...

Page 90: ... set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends...

Page 91: ...guous addresses in the IP address pool Pool Size This field specifies the size or count of the IP address pool DHCP Server Address If Relay is selected in the DHCP field above then type the IP address of the actual remote DHCP server here Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with...

Page 92: ...into different logical networks over the same Ethernet interface The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network Table 18 Static DHCP LABEL DESCRIPTION This is the index number of the static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address Type ...

Page 93: ...N s logical networks subnets Note Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 24 Physical Network Partitioned Logical Networks To change your ZyWALL s IP alias settings click LAN then the IP Alias tab The screen appears as shown Figure 25 IP Alias ...

Page 94: ...ted by the ZyWALL RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it...

Page 95: ... Screens 93 Figure 26 Port Roles After you change the LAN DMZ port roles and click Apply please wait for few seconds until the following screen appears Click Return to go back to the Port Roles screen Figure 27 Port Roles Change Complete ...

Page 96: ...ZyWALL 5 User s Guide 94 Chapter 4 LAN Screens ...

Page 97: ...mple shows the network topology that can lead to this problem If your ZyWALL in bridge mode is connected to a wired LAN while communicating with another bridge or a switch that is also connected to the same wired LAN as shown next Figure 28 Bridge Loop Bridge Connected to Wired LAN To prevent bridge loops ensure that your ZyWALL is not set to bridge mode while connected to two wired segments of th...

Page 98: ...rt on this switch with the lowest path cost to the root the root path cost If there is no root port then this bridge has been accepted as the root bridge of the spanning tree network For each LAN segment a designated bridge is selected This bridge has the lowest cost to the root among the bridges connected to the LAN 5 2 3 How STP Works After a bridge determines the lowest cost spanning tree with ...

Page 99: ...A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops 5 3 Configuring Bridge Select Bridge and click Apply in the MAINTENANCE Device Mode screen to have the ZyWALL function as a bridge To change your ZyWALL s bridge settings click BRIDGE The screen appears as shown Table 21 STP Port States PORT STATE DESCRIPTION Disabled STP is disab...

Page 100: ...P Address Enter the gateway IP address First Second Third DNS Server DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for content filter...

Page 101: ...n seconds that the root bridge waits before sending a hello packet Bridge Max Age Enter an interval between 6 and 40 in seconds that a bridge waits to get a Hello BPDU from the root bridge Forward Delay Enter the length of time between 4 and 30 in seconds that a bridge remains in the listening and learning port states The default is 15 seconds Bridge Port This is the bridge port type Port types ar...

Page 102: ...ZyWALL 5 User s Guide 100 Chapter 5 Bridge Screens ...

Page 103: ...computer with an IEEE 802 11b wireless LAN card A computer equipped with a web browser with JavaScript enabled and or Telnet A wireless station must be running IEEE 802 1x compliant software Currently this is offered in Windows XP An optional network RADIUS server for remote user authentication and accounting 6 2 Wireless Security Wireless security is vital to your network to protect wireless comm...

Page 104: ...hould configure for each Authentication Method key management protocol type You enter manual keys by first selecting 64 bit WEP or 128 bit WEP from the WEP Encryption field and then typing the keys in ASCII or hexadecimal format in the key text boxes MAC address filters are not dependent on how you configure these security features Table 23 Wireless Security Relational Matrix AUTHENTICATION METHOD...

Page 105: ...cate up to 32 users or an external RADIUS server for an unlimited number of users 6 5 1 Introduction to RADIUS RADIUS is based on a client sever model that supports authentication and accounting where access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keeps track of...

Page 106: ...etwork security the access point and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unauthorized access 6 5 2 EAP Authentication Overview EAP Extensible Authentication Protocol is an authentication protocol that runs on top of...

Page 107: ... out disconnects or reauthentication times out A new WEP key is generated each time reauthentication is performed If this feature is enabled it is not necessary to configure a default encryption key in the Wireless screen You may still configure and store keys here but they will not be used while Dynamic WEP is enabled To use Dynamic WEP enable and configure Dynamic WEP Key Exchange in the Wireles...

Page 108: ...es the encryption keys so that the same encryption key is never used twice The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients This all happens in th...

Page 109: ...tion 6 9 WPA with RADIUS Application Example You need the IP address of the RADIUS server its port number default is 1812 and the RADIUS shared secret A WPA application example with an external RADIUS server looks as follows A is the RADIUS server DS is the distribution system 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user...

Page 110: ...AEGIS client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it 6 11 Configuring Wireless LAN Note If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL s ESSID or WEP settings you will lose your wireless connection when you press A...

Page 111: ...WLAN security features each card supports and how to install a WLAN card ESSID Extended Service Set IDentity The ESSID identifies the Service Set with which a wireless station is associated Wireless stations associating to the access point AP must have the same ESSID Enter a descriptive name up to 32 printable 7 bit ASCII characters for the wireless LAN Hide ESSID Select to hide the ESSID in the o...

Page 112: ...e default value and enter a value between 256 and 2432 Security Choose from one of the security settings listed in the drop down box No Security Static WEP WPA PSK WPA 802 1x Dynamic WEP 802 1x Static WEP 802 1x No WEP No Access 802 1x Static WEP No Access 802 1x No WEP Select No Security to allow wireless stations to communicate with the access points without any data encryption Otherwise select ...

Page 113: ...28 bit WEP to enable data encryption Key 1 to Key 4 If you chose 64 bit WEP in the WEP Encryption field then enter any 5 characters ASCII string or 10 hexadecimal characters 0 9 A F preceded by 0x for each key If you chose 128 bit WEP in the WEP Encryption field then enter 13 characters ASCII string or 26 hexadecimal characters 0 9 A F preceded by 0x for each key There are four data encryption key...

Page 114: ...between 10 and 9999 seconds If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout Seconds The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before access to the wired network is allowed WPA...

Page 115: ...as priority Idle Timeout Seconds The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before access to the wired network is allowed Authentication Databases Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server WPA Group ...

Page 116: ...le 28 Wireless 802 1x Dynamic WEP LABEL DESCRIPTION Security Select 802 1x Dynamic WEP from the drop down list ReAuthentication Timer Seconds Specify how often wireless stations have to reenter usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS...

Page 117: ... list of users and passwords Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server Dynamic WEP Key Exchange Select 64 bit WEP or 128 bit WEP to enable data encryption Up to 32 stations can access the ZyWALL when you configure dynamic WEP key exchange Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configur...

Page 118: ...data encryption keys to secure your data from eavesdropping by unauthorized wireless users The values for the keys must be set up exactly the same on the access points as they are on the wireless stations ReAuthenticati on Timer Seconds Specify how often wireless stations have to reenter usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds If wireles...

Page 119: ...er to stay connected Enter a time interval between 10 and 9999 seconds If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout Seconds The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before...

Page 120: ...etwork Select 64 bit WEP or 128 bit WEP to enable data encryption Key 1 to Key 4 If you chose 64 bit WEP in the WEP Encryption field then enter any 5 characters ASCII string or 10 hexadecimal characters 0 9 A F preceded by 0x for each key If you chose 128 bit WEP in the WEP Encryption field then enter 13 characters ASCII string or 26 hexadecimal characters 0 9 A F preceded by 0x for each key There...

Page 121: ...lusive access to specific devices Allow Association or exclude specific devices from accessing the ZyWALL Deny Association Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 You need to know the MAC addresses of the devices to configure this screen To change...

Page 122: ...he filter action for the list of MAC addresses in the MAC address filter table Select Deny to block access to the router MAC addresses not listed will be allowed to access the router Select Allow to permit access to the router MAC addresses not listed will be denied access to the router This is the index number of the MAC address User Name Enter a descriptive name for the MAC address MAC Address E...

Page 123: ...If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Note Regardless of your particular situation do not create an arbitrary IP address always follow the...

Page 124: ...is down The smaller the number the lower the cost 1 The metric sets the priority for the ZyWALL s routes to the Internet Each route must have a unique metric 2 The priorities of the WAN port routes must always be higher than the dial backup and traffic redirect route priorities For example if the WAN port route has a metric of 1 and the traffic redirect route has a metric of 2 and dial backup rout...

Page 125: ...BIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls Allow between WAN and LAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN If your firewall is enabled with the defau...

Page 126: ... screen differs by the encapsulation Note The warning message Warning No NAT rule configured in system appears in the status bar when NAT is set to use Full Feature address mapping rules but there are no NAT address mapping rules configured 7 4 1 Ethernet Encapsulation The screen shown next is for Ethernet encapsulation Figure 44 WAN Ethernet Encapsulation ...

Page 127: ...lia com Relogin Every min Telia Login only The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically Type the number of minutes from 1 to 59 30 default for the ZyWALL to wait between logins WAN IP Address Assignment Get automatically from ISP Select this option If your ISP did not assign you a fixed IP address This is the default selection Use Fixed IP Address Select this opt...

Page 128: ...y default the RIP Version field is set to RIP 1 Enable Multicast Select this check box to turn on IGMP Internet Group Multicast Protocol IGMP is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Internet Group Multicast Protocol is a session layer protocol used to establish memb...

Page 129: ...are can activate and therefore requires no new learning or procedures for Windows users One of the benefits of PPPoE is the ability to let you access one of multiple network services a function known as dynamic service selection This enables the service provider to easily create and offer new IP services for individuals Operationally PPPoE saves significant effort for both you and the ISP or carri...

Page 130: ...ZyWALL 5 User s Guide 128 Chapter 7 WAN Screens Figure 45 WAN PPPoE Encapsulation ...

Page 131: ...ser name above Retype to Confirm Type your password again to make sure that you have entered is correctly Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server WAN IP Address Assignment Get automatically from ISP Select this option If your ISP did ...

Page 132: ...also By default the RIP Version field is set to RIP 1 Enable Multicast Select this check box to turn on IGMP Internet Group Multicast Protocol IGMP is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Internet Group Multicast Protocol is a session layer protocol used to establis...

Page 133: ...hat enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The screen shown next is for PPTP encapsulation Figure 46 WAN PPTP Encapsulation ...

Page 134: ...ss Type the static IP address assigned to you by your ISP My IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL Server IP Address Type the IP address of the PPTP server Connection ID Name Type your identification name for the PPTP server WAN IP Address Assi...

Page 135: ... also By default the RIP Version field is set to RIP 1 Enable Multicast Select this check box to turn on IGMP Internet Group Multicast Protocol IGMP is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast Version Choose None default IGMP V1 or IGMP V2 IGMP Internet Group Multicast Protocol is a session layer protocol used to establi...

Page 136: ...n page 585 when the backup gateway is connected to the LAN or DMZ Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure a LAN to LAN ZyWALL firewall rule that forwards packets from the protected LA...

Page 137: ...field to test your ZyWALL s WAN accessibility Type the IP address of a reliable nearby computer for example your ISP s DNS server address Fail Tolerance Type how many WAN connection checks can fail 1 to 10 before the connection is considered down not connected The ZyWALL still checks a down connection to detect if it reconnects Period The ZyWALL tests a WAN connection by periodically sending a pin...

Page 138: ...ZyWALL 5 User s Guide 136 Chapter 7 WAN Screens Figure 50 Dial Backup Setup ...

Page 139: ... manual of your WAN device connected to your Dial Backup port for specific AT commands Advanced Modem Setup Click Edit to display the Advanced Setup screen and edit the details of your dial backup setup TCP IP Options Get IP Address Automatically from Remote Server Type the login name assigned by your ISP for this remote node Used Fixed IP Address Select this check box if your ISP assigned you a f...

Page 140: ...Protocol IGMP is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data Multicast Version Select IGMP v1 or IGMP v2 IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see s...

Page 141: ...the Drop DTR When Hang Up check box is selected the ZyWALL uses this hardware signal to force the WAN device to hang up in addition to issuing the drop command ATH 7 8 3 Response Strings The response strings tell the ZyWALL the tags or labels immediately preceding the various call parameters sent from the WAN device The response strings have not been standardized please consult the documentation o...

Page 142: ...me Answer Type the AT Command string to answer a call Drop DTR When Hang Up Select this check box to have the ZyWALL drop the DTR Data Terminal Ready signal after the AT Command String Drop is sent out AT Response Strings CLID Type the keyword that precedes the CLID Calling Line Identification in the AT response string This lets the ZyWALL capture the CLID in the AT response string that comes from...

Page 143: ...rying another call after a call has failed This applies before a phone number is blacklisted Drop Timeout sec Type the number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation Call Back Delay sec Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback cal...

Page 144: ...ZyWALL 5 User s Guide 142 Chapter 7 WAN Screens ...

Page 145: ... to the DMZ port It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port Store sensitive information on LAN computers 8 2 Configuring DMZ The DMZ port and the computers connected to it can have private or public IP addresses When the DMZ uses public IP addresses the WAN and DMZ ports must use public IP addresses that are on separate...

Page 146: ...th In Only Out Only None When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP ...

Page 147: ...rk layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 Windows Networking NetBIOS over TCP IP A...

Page 148: ... subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None...

Page 149: ... the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting ...

Page 150: ...parate subnets Configure both DMZ and DMZ IP alias to use this kind of network setup You also need to configure NAT for the private DMZ IP addresses Figure 55 DMZ Private and Public Address Example 8 6 Configuring Port Roles To configure a LAN DMZ port as a LAN or DMZ port select its radio button next to LAN or DMZ and click Apply Otherwise click Reset to restore the previous configuration The rad...

Page 151: ...Port Roles The screen appears as shown Figure 56 Port Roles After you change the LAN DMZ port roles and click Apply please wait for few seconds until the following screen appears Click Return to go back to the Port Roles screen Figure 57 Port Roles Change Complete ...

Page 152: ...ZyWALL 5 User s Guide 150 Chapter 8 DMZ Screens ...

Page 153: ...all to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself 9 2 Types of Firewalls There are three main types of firewalls 1 Packet Filtering Firewalls 2 Application level Firewalls 3 Stateful Inspection Firewalls 9 2 1 Packet Filteri...

Page 154: ...me proxies support See Section 9 5 on page 157 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 9 3 Introduction to ZyXEL s Firewall The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated in SMT menu 21 2 or in the web co...

Page 155: ...extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80 When computers communicate on the Internet they are using the client server model where the server listens on a specific TCP UDP port for information requests from remote client computers on the network For examp...

Page 156: ...gment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 through 400 of the original non fragmented IP packet The Teardrop program creates a series of IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot Weaknesses in the TCP IP spe...

Page 157: ...target system tries to respond to itself A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data A Smurf hacker floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of ...

Page 158: ...wing ICMP types trigger an alert 9 4 2 2 Illegal Commands NetBIOS and SMTP The only legal NetBIOS commands are the following all others are illegal Table 45 ICMP Commands That Trigger Alerts 5 REDIRECT 13 TIMESTAMP_REQUEST 14 TIMESTAMP_REPLY 17 ADDRESS_MASK_REQUEST 18 ADDRESS_MASK_REPLY Table 46 Legal NetBIOS Commands MESSAGE REQUEST POSITIVE NEGATIVE RETARGET KEEPALIVE ...

Page 159: ...allowed through the router or firewall The ZyWALL blocks all IP Spoofing attempts 9 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and source and destination addresses This remembering is...

Page 160: ... information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this packet and it is not an attack then the setting in the Firewall Default Rule screen determines the action for this packet 4 Based on the obtained state information a firewall rule creates a temporary access list entr...

Page 161: ...ules work by evaluating the network traffic s Source IP address Destination IP address IP protocol type and comparing these to rules set by the administrator Note The ability to define firewall rules is a very powerful tool Using custom rules it is possible to disable all firewall protection or block all access to the Internet Use extreme caution when creating or deleting firewall rules Test chang...

Page 162: ...ituation exists for ICMP except that the ZyWALL is even more restrictive Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address mask replies and outgoing timestamp requests will allow incoming timestamp replies No other ICMP packets are allowed in through the firewall simply because they are too dangerous and contain too little...

Page 163: ...ith specific peers and protect by configuring rules to block packets for the services at specific interfaces 6 Protect against IP spoofing by making sure the firewall is active 7 Keep the firewall in a secured locked room 9 7 Packet Filtering Vs Firewall Below are some comparisons between the ZyWALL s filtering and firewall functions 9 7 1 Packet Filtering The router filters packets as they pass t...

Page 164: ...rk session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur 9 7 2 1 When To Use The Firewall 1 To prevent DoS attacks and prevent hackers cracking your network 2 A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better c...

Page 165: ...or firewall CLI commands 10 2 Firewall Policies Overview Firewall rules are grouped based on the direction of travel of packets to which they apply Note The LAN includes both the LAN port and the WLAN By default the ZyWALL s stateful packet inspection allows packets traveling in the following directions LAN to LAN ZyWALL This allows computers on the LAN to manage the ZyWALL and communicate between...

Page 166: ...ic hosts on the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the Source IP address Destination IP address and IP protocol type of network traffic to rules set by the administrator Your customized rules take precedence and override the ZyWALL s default rules 10 3...

Page 167: ... existing rules Once these questions have been answered adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens 10 3 3 Key Fields For Configuring Rules 10 3 3 1 Action Should the action be to Block or Forward Note Block means the firewall silently discards the packet 10 3 3 2 Service Select the service from the Service scrolling list box ...

Page 168: ...d DMZ to DMZ ZyWALL polices apply in the same way to the WAN and DMZ ports 10 4 1 LAN To WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non restricted access to the WAN When you configure a LAN to WAN rule you in essence want to limit some or all users from accessing certain services on the WAN See the following figure Figure 63 LAN to WAN Traffic 10 4 2...

Page 169: ... when a rule is matched in the Edit Rule screen see Figure 68 on page 172 Configure the Log Settings screen to have the ZyWALL send an immediate e mail message to you when an event generates an alert Refer to the chapter on logs for details 10 6 Configuring Firewall Click FIREWALL to open the Default Rule screen Enable or activate the firewall by selecting the Enable Firewall check box as seen in ...

Page 170: ...AN ZyWALL LAN to WAN LAN to DMZ WAN to LAN WAN to WAN ZyWALL WAN to DMZ DMZ to LAN DMZ to WAN or DMZ to DMZ ZyWALL Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN ZyWALL means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the ZyWALL or the ZyWALL itself Default Action U...

Page 171: ...N to DMZ DMZ to LAN DMZ to WAN or DMZ to DMZ ZyWALL Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN ZyWALL means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the ZyWALL or the ZyWALL itself Action Use the drop down list boxes to select whether to Block silently discard...

Page 172: ...to LAN WAN to DMZ DMZ to DMZ ZyWALL DMZ to LAN or DMZ to WAN for which you want to configure firewall rules Default Policy This field displays the default action and log policy you selected in the Default Rule screen for the packet direction shown in the field above The following read only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction ...

Page 173: ...irewall silently discards the packet Schedule This field tells you whether a schedule is specified Yes or not No Log This field shows you whether a log is created when packets match this rule Enabled or not Disable Alert This field tells you whether this rule generates an alert Yes or not No when the rule is matched Modify Click the edit icon to go to the screen where you can edit the rule Click t...

Page 174: ...ZyWALL 5 User s Guide 172 Chapter 10 Firewall Screens Figure 68 Creating Editing A Firewall Rule ...

Page 175: ... available Highlight a service from the Available Services box on the left then click to add it to the Selected Service s box on the right To remove a service highlight it in the Selected Service s box on the right then click Custom Service Add Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services Edit Select a custom...

Page 176: ...e Firewall Rule The following Internet firewall rule example allows a hypothetical My Service connection from the Internet Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 51 Creating Editing A Firewall Rule LABEL DESCRIPTION Table 52 Creating Editing A Custom Service LABEL DESCRIPTION Service Name Enter a unique n...

Page 177: ... 2 In the Rule Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 3 Click Insert to display the firewall rule configuration screen 4 Select Any in the Destination Address box and then click Delete 5 Configure the destination address screen as follows and click Add ...

Page 178: ...gure it as follows and click Apply Figure 72 Edit Custom Service Example 7 In the Edit Rule screen use the arrows between Available Services and Selected Service s to configure it as follows Click Apply when you are done Note Custom services show up with an before their names in the Services list box and the Rule Summary list box Click Apply after you ve created your custom service ...

Page 179: ...ZyWALL 5 User s Guide Chapter 10 Firewall Screens 177 Figure 73 My Service Rule Configuration ...

Page 180: ...efines the service Note that there may be more than one IP protocol type For example look at the default configuration labeled DNS UDP TCP 53 means UDP port 53 and TCP port 53 Custom services may also be configured using the Custom Services function discussed previously Table 53 Predefined Services SERVICE DESCRIPTION AIM New ICQ TCP 5190 AOL s Internet Messenger service used as a listening port b...

Page 181: ...0 Internet Group Multicast Protocol is used when sending packets to a specific group of hosts NetBIOS TCP UDP 137 139 45 NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transparent fil...

Page 182: ...25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes...

Page 183: ...h incoming LAN and WAN and DMZ Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyWALL by probing for unused ports If you select this option the ZyWALL will not respond to port request s for unused ports thus leaving the unused ports and the ZyWALL unseen By default this option is not selected and the ZyWALL will reply with a...

Page 184: ...bsolute number or measured as the arrival rate could indicate that a Denial of Service attack is occurring The ZyWALL measures both the total number of existing half open sessions and the rate of session establishment attempts Both TCP and UDP half open sessions are counted in the total number and rate measurements Measurements are made once a minute When the number of existing half open sessions ...

Page 185: ...nection requests to the host giving the server time to handle the present connections The ZyWALL continues to block all new connection requests until the Blocking Time expires The ZyWALL also sends alerts whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click the FIREWALL link and then the Threshold tab to bring up t...

Page 186: ...onnection requests Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number The above values say 80 in the Maximum Incomplete Low field and 100 in this field cause the ZyWALL to start deleting half open sessions when the number of existing half open sessions rises above 100 and to stop deleting half open sessions with the number of existing half open sessions drop...

Page 187: ...1 2 Create a Filter List You can select categories such as pornography or racial intolerance to block from a pre defined list 11 1 3 Customize Web Site Access You can specify URLs to which the ZyWALL blocks access You can alternatively block access to all URLs except ones that you specify You can also have the ZyWALL block access to URLs that contain key words that you specify 11 2 General Content...

Page 188: ...estrict a feature When you download a page containing a restricted feature that part of the web page will appear blank or grayed out Block ActiveX ActiveX is a tool for building dynamic and active web pages and distributed object applications When you visit an ActiveX web site ActiveX controls are downloaded to your browser where they remain in case you visit the site again Java Java is a programm...

Page 189: ...hich to send the user when the ZyWALL s content filtering blocks access to a web site Type up to 128 characters The web page that you specify displays in the lower part of the screen The denied access message displays in the top of the screen If you do not specify a redirect URL only the denied access message displays and the lower part of the screen is blank Exempt Computers Enforce content filte...

Page 190: ...ell as view those web site addresses see Section 11 7 on page 199 All of the web site address records are also cleared from the local cache when the ZyWALL restarts 3 If the ZyWALL has no record of the web site it will query the external content filtering database and simultaneously send the request to the web server The external content filtering database may change a web site s category or categ...

Page 191: ...to find to which category a requested web page belongs The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page Matched Web Pages Select Block to prevent users from accessing web pages that match the categories that you select below When external database content filtering blocks access to a web page it displays the denied access message tha...

Page 192: ...uested web page based on the setting in the Block When Content Filter Server Is Unavailable field Select Categories Select All Categories Select this check box to restrict access to all site categories listed below Clear All Categories Select this check box to clear the selected categories below Adult Mature Content Selecting this category excludes pages that contain material of adult nature that ...

Page 193: ...n the basis of race religion gender nationality ethnic origin or other characteristics Weapons Selecting this category excludes pages that sell review or describe weapons such as guns knives or martial arts devices or provide information on their use accessories or other modifications It does not include pages that promote collecting weapons or groups that either support or oppose weapons use Abor...

Page 194: ...services such as taxation and emergency services It also includes pages that discuss or explain laws of various governmental entities Military Selecting this category excludes pages that promote or provide information on military branches or armed services Political Activist Groups Selecting this category excludes pages sponsored by or which provide information on political parties special interes...

Page 195: ...that can be classified in other categories such as vehicles or weapons Auctions Selecting this category excludes pages that support the offering and purchasing of goods between individuals This does not include classified advertisements Real Estate Selecting this category excludes pages that provide information on renting buying or selling real estate or properties Society Lifestyle Selecting this...

Page 196: ...g this category excludes pages of organizations that provide top level domain pages as well as web communities or hosting services Advanced Basic Click Advanced to see an expanded list of categories or click Basic to see a smaller list Test Web Site Attribute Test if Web site is blocked You can check whether or not the content filter currently blocks any given web page Enter a web site URL in the ...

Page 197: ...e You can use a trial application or register your iCard s PIN Refer to the web site s on line help for details Note The web site displays a registration successful web page It may take up to another ten minutes for content filtering to be activated See Section 12 7 on page 210 for how to check the content filtering activation You can manage your registration status or view content filtering repor...

Page 198: ...ble Web site customization Select this check box to allow trusted web sites and block forbidden web sites Content filter list customization may be enabled and disabled without re entering these site names Disable all Web traffic except for trusted Web sites When this box is selected the ZyWALL only allows Web access to sites on the Trusted Web Site list If they are chosen carefully this is the mos...

Page 199: ...er up to 32 entries Add Forbidden Web Site Enter host names such as www bad site com into this text field Do not enter the complete URL of the site that is do not include http All subdomains are allowed For example entering bad site com also blocks www bad site com partner bad site com press bad site com etc Forbidden Web Sites This list displays the forbidden web sites already added Add Click thi...

Page 200: ...hes for keywords within www zyxel com tw 11 6 2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL For example with the URL www zyxel com tw news pressroom php full path URL checking searches for keywords within www zyxel com tw news Use the ip urlfilter customize actionFlags 6 disable enable command to extend or not extend ...

Page 201: ... sites not found in the cache You can also remove individual entries from the cache When you do this the ZyWALL queries the external content filtering database the next time someone tries to access that web site This allows you to check whether a web site s category has been changed Figure 81 Content Filter Cache The following table describes the labels in this screen Table 59 Content Filter Cache...

Page 202: ...heading to sort the entries Point the triangle up to display the blocked URLs before the URLs to which access was allowed Point the triangle down to display the URLs to which access was allowed before the blocked URLs URL This is a web site s address that the ZyWALL previously checked with the external content filtering database Remaining Time hour This is the number of hours left before the URL e...

Page 203: ...er on the rear side of your device identify it You need to register separately for each device on which you wish to enable content filtering When registering you need to enter a PIN see your iCard Be sure to buy the correct iCard for your device If you wish to try content filtering before buying an iCard then fill in the trial application for a free 30 day trial Content filtering reports are gener...

Page 204: ...user name and password by clicking the hyperlink as shown in the next screen Figure 82 myZyXEL com Login Screen 3 Fill in the required fields and click Submit Table 60 myZyXEL com Numbers TYPES DESCRIPTION Serial Number You need the serial number to register your ZyXEL device Locate the serial number on your ZyXEL device Authentication Code This is the LAN MAC address of your ZyXEL device You need...

Page 205: ...nd Reports 203 Figure 83 myZyXEL com Account Registration 4 A screen appears indicating you have created an account at myZyXEL com Figure 84 Account Registration Successful 5 You will receive a confirmation e mail Click the URL in the e mail to activate your account ...

Page 206: ...ount Confirmation E Mail 6 Click Continue to go to the myZyXEL com login screen Figure 86 myZyXEL com Account Activation 12 3 Registering Your ZyXEL Device 1 After you have created a myZyXEL com account log in and register your ZyXEL device by clicking the hyperlink as shown in the next screen ...

Page 207: ... product serial number in the Serial Number field 4 Your device category and model number may automatically display in the Category and Model fields respectively Otherwise select the correct ones from the drop down list boxes 5 Enter the device MAC address in the Authentication Code field 6 Enter a descriptive name in the Friendly Name field for identifying your device 7 Click Register Click here ...

Page 208: ... 89 Add New Product 8 Specify the purchase information and click Continue Figure 90 Product Survey 9 Click Continue again 10After you have registered your ZyXEL device you can view its registration details in the screen shown next Your ZyXEL device MAC address may already be entered here ...

Page 209: ...egister button The following screen opens 2 Enter the user name and password from your myZyXEL com account se Figure 82 on page 202 3 After you register your ZyXEL device click My Product in the navigation panel 4 Click the product name link for your device to view its registration details in the Service Management screen Figure 92 myZyXEL com My Product 5 Click Activate for the content filtering ...

Page 210: ...k Submit under Content Filtering Trial to register for a 30 day trial period With the trial registration content filtering functions for 30 days beginning from the date you apply for the trial After the trial you cannot apply for another trial If you ve already registered an iCard s PIN number then you also cannot apply for a trial If you have applied for a trial you can still register the PIN cod...

Page 211: ...m 12 5 Checking Content Filtering Activation After you register for content filtering the web site displays a registration successful web page This does not mean the content filtering is active yet You need to wait up to ten minutes for content filtering to be activated Since there will be no content filtering activation notice you can do the following to see if content filtering is active 1 Go to...

Page 212: ...our product s name click Transfer under Manage Product to move the registered product to another pre registered user account at myZyXEL com click Delete under Manage Product to remove the product registration or click Reinstall under Manage Product to install the product again with another authentication code for up to three times If you have activated a service on a registered product you cannot ...

Page 213: ...hat you configured during account registration at myZyXEL com 3 Click Reports Figure 98 Content Filtering Reports Main Screen Note The ZyWALL does not support Single User Reports at the time of writing 4 Select either Allow or Block reports Select a time period in the Select Date Range field and click Run Report 5 A chart and list of requested web site categories display in the lower half of the s...

Page 214: ...lick a category to see the URLs that were requested Figure 100 Requested URLs Example 12 8 Configuration File If you restore the ZyWALL to the default rom file or upload a different rom file after you register then you must go to the Service Management screen see Figure 96 on page 209 and click Refresh in the Remark field ...

Page 215: ...or secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer 13 1 2 Security Association A Security Association SA is a contract between two parties indicating what security parameters such as keys and algorithms they will use 13 1 3 Other ...

Page 216: ...g VPN applications 13 1 4 1 Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites 13 1 4 2 Accessing Network Resources When NAT Is Enabled When NAT is enabled remote users are not able to access hosts on the LAN unless the host is designated a pu...

Page 217: ...rithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanism for the AH and ESP protocols Refer to Section 14 2 on page 219 for more information 13 2 2 Key Management Key management ...

Page 218: ...d forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 13 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is...

Page 219: ...g ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the receiving end When using ESP protocol with authentication the packet contents in this case the entire original packet are encrypted The encr...

Page 220: ...ZyWALL 5 User s Guide 218 Chapter 13 Introduction to IPSec ...

Page 221: ...gned for integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but will allow for...

Page 222: ...on using a secret key DES applies a 56 bit key to each 64 bit block of data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x 56 168 bits effectively doubling the strength of DES AES Advanced Encryption Standard is a newer method of data encryption that also uses a secret key This implementation of AES applies a 128 bit key to 128 bit blocks of data A...

Page 223: ...dress may be configured as 0 0 0 0 only when using IKE key management and not Manual key management 14 5 Nailed Up When you initiate an IPSec tunnel with nailed up enabled the ZyWALL automatically renegotiates the tunnel when the IPSec SA lifetime period expires see Section 14 8 on page 224 for more on the IPSec SA lifetime In effect the IPSec tunnel becomes an always on connection after you initi...

Page 224: ...or IPSec router A see Figure 104 on page 222 to receive an initiating IPSec packet from IPSec router B set the NAT router to forward UDP port 500 to IPSec router A 14 7 ID Type and Content With aggressive negotiation mode see Section 14 8 1 on page 225 the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted This enables the ZyWALL to distinguis...

Page 225: ...ddress that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e mail address Table 64 Peer ID Type and Content Fields PEER ID TYPE CONTENT IP Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Remote Gateway Address field DN...

Page 226: ...uses that SA to negotiate SAs for IPSec Figure 105 Two Phases to Set Up the IPSec SA In phase 1 you must Choose a negotiation mode Authenticate the connection by entering a pre shared key Choose an encryption algorithm Peer ID type IP Peer ID type E mail Peer ID content 1 1 1 2 Peer ID content tom yourcompany com Table 66 Mismatching ID Type and Content Configuration Example ZYWALL A ZYWALL B Loca...

Page 227: ...ere is no traffic If an IPSec SA times out then the IPSec router must renegotiate the SA the next time someone attempts to send traffic 14 8 1 Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association SA will be established for each connection through IKE negotiations Main Mode ensures the highest level of security when the communicating parties are negotiati...

Page 228: ...ch security so PFS is disabled None by default in the ZyWALL Disabling PFS means new authentication and encryption keys are derived from the same root secret which may have security implications in the long run but allows faster SA setup by bypassing the Diffie Hellman key exchange 14 9 X Auth Extended Authentication Extended authentication provides added security by allowing you to use usernames ...

Page 229: ...rk policy Click this icon to delete a gateway or network policy When you delete a gateway policy the ZyWALL automatically deletes the network policy ies associated to that gateway policy Click this icon to establish a VPN connection to a remote network This indicates that a gateway or network policy is not active 14 11 IPSec Summary Fields A VPN Virtual Private Network tunnel gives you a secure co...

Page 230: ... network IP addresses must be static 14 12 IKE VPN Rule Summary Screen Click VPN to display the VPN Rules IKE screen This is a read only menu of your IPSec rule tunnel To add an IPSec rule or gateway policy click the add gateway policy icon Edit an IPSec rule by clicking the edit icon to configure the associated submenus Refer to Table 67 on page 227 for descriptions of the icons used in this scre...

Page 231: ...t an associated gateway policy When there is a network policy in the Recycle Bin the Recycle Bin gateway policy automatically displays in this screen See Section 14 12 2 1 on page 239 for more information 14 12 1 Configuring an IKE Gateway Policy In the VPN Rule IKE screen click the add gateway policy icon or the edit icon to display the VPN Gateway Policy Edit screen ...

Page 232: ...Policy Edit The following table describes the labels in this screen Table 68 VPN Rules IKE Gateway Policy Edit LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy You may use any character including spaces but the ZyWALL drops trailing spaces ...

Page 233: ...ave more than one active rule with the Remote Gateway Address field set to 0 0 0 0 the ranges of the local IP addresses cannot overlap between rules If you configure an active rule with 0 0 0 0 in the Remote Gateway Address field and the LAN s full IP address range as the local IP address then you cannot configure any other active rules with the Remote Gateway Address field set to 0 0 0 0 Authenti...

Page 234: ...s by which to identify this ZyWALL in the local Content field Use up to 31 ASCII characters including spaces although trailing spaces are truncated The domain name or e mail address is for identification purposes only and can be any string Peer ID Type Select from the following when you set Authentication Key to Pre shared Key Select IP to identify the remote IPSec router by its IP address Select ...

Page 235: ...s from the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection For Subject Name type the subject name of the certificate the remote IPSec router will use for this VPN connection Use up to255 ASCII characters including spaces For Any the peer Content field is not available Regardless of how you configure the ID Type and Content fields two activ...

Page 236: ... Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field It may range from 180 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing remote resources are temporarily disconnected Key Group ...

Page 237: ...gure a VPN policy click VPN and the add network policy icon in the VPN Rules IKE screen A screen displays as follows Apply Click Apply to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 68 VPN Rules IKE Gateway Policy Edit continued LABEL DESCRIPTION ...

Page 238: ...ZyWALL 5 User s Guide 236 Chapter 14 VPN Screens Figure 110 VPN Rules IKE Network Policy Edit ...

Page 239: ...rk and vice versa Select this check box to send NetBIOS packets through the VPN connection Check IPSec Tunnel Connectivity Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router The ZyWALL pings the IP address every minute The ZyWALL starts the IPSec connection idle timeout timer when it sends t...

Page 240: ...ield is configured to Single Address enter a static IP address on the network behind the remote IPSec router When the Addr Type field is configured to Range Address enter the beginning static IP address in a range of computers on the network behind the remote IPSec router When the Address Type field is configured to Subnet Address enter a static IP address on the network behind the remote IPSec ro...

Page 241: ...s not so secure Select DH1 or DH2 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower Enable Replay Detection As a VPN setup is processing intensive the system is vulnerable to Denial of Service DOS attacks The IPSec receiver can detect and reject old or duplicate packets to protect agai...

Page 242: ... displays the policy name Local Network This field displays one or a range of IP address es of the computer s behind the ZyWALL Remote Network This field displays one or a range of IP address es of the remote network behind the remote IPsec router Gateway Policy Information Gateway Policy Select the name of a VPN rule or gateway policy to which you want to associate this VPN network policy If you ...

Page 243: ... A static IP address and a subnet mask are displayed when the Local Network Address Type field in the VPN Manual Key Edit screen is configured to Subnet Address Remote Network This is the IP address es of computer s on the remote network behind the remote IPSec router This field displays N A when the Remote Gateway Address field displays 0 0 0 0 In this case only the remote IPSec router can initia...

Page 244: ...tical outgoing and incoming SPIs 14 13 2 Editing Manual VPN Rules Manual key management is useful if you have problems with IKE key management Click the edit icon on the VPN Rules Manual screen to edit VPN rules Remote Gateway Address This is the static WAN IP address or domain name of the remote IPSec router Modify Click the edit icon to edit the VPN policy Click the delete icon to remove the VPN...

Page 245: ... this VPN policy You may use any character including spaces but the ZyWALL drops trailing spaces Allow NetBIOS Traffic Through IPSec Tunnel NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to find other computers It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote...

Page 246: ... a subnet mask on the LAN behind your ZyWALL Remote Network Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses Two active SAs cannot have the local and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as l...

Page 247: ...s designed If you select AH here you must select options from the Authentication Algorithm field described next Encryption Algorithm Select DES 3DES or NULL from the drop down list box When DES is used for data communications both sender and receiver must know the Encryption Key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES enc...

Page 248: ...obal Setting tab The screen appears as shown Table 73 VPN SA Monitor LABEL DESCRIPTION This is the security association index number Name This field displays the identification name for this VPN policy Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL Remote Network This field displays IP address in a range of computers on the remote networ...

Page 249: ...Sec routers Enter 0 to disable this feature Input Idle Timer When no traffic is received from a remote IPSec router after the specified time period the ZyWALL checks the VPN connectivity If the remote IPSec router does not reply the ZyWALL automatically disconnects the VPN tunnel Enter the time period between 30 and 3600 seconds to wait before the ZyWALL checks all of the VPN connections to remote...

Page 250: ...ecommuters Sharing One VPN Rule Example 14 16 2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters A B and C in the figure use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses use Dynamic DNS to do this Table 75 Telecommuters Sharing One VPN Rule Example FIELDS TELECOMMUTERS HEADQUARTERS My ZyWALL 0 0 0 0 dynamic IP address assigned by t...

Page 251: ...by its ID type and content and uses the appropriate VPN rule to establish the VPN connection The ZyWALL at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names Figure 117 Telecommuters Using Unique VPN Rules Example Table 76 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rul...

Page 252: ...l ID Content telecommuterb com Peer ID Content telecommuterb com Local IP Address 192 168 3 2 Remote Gateway Address telecommuterb dydns org Remote Address 192 168 3 2 Telecommuter C telecommuterc dydns org Headquarters ZyWALL 5 Rule 3 Local ID Type E mail Peer ID Type E mail Local ID Content myVPN myplace com Peer ID Content myVPN myplace com Local IP Address 192 168 4 15 Remote Gateway Address t...

Page 253: ...cryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the private key and makes the public key openly available 3 Tim uses his private key to encrypt the message and sends it to Jenny 4 Jenny receives the message and uses Tim s public key to decrypt it 5 Ad...

Page 254: ...uthenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys 15 2 Self signed Certificates Until public key infrastructure becomes more mature it may not be available in some areas You can have the ZyWALL act as a certification authority and sign its own certificates 15 3 Configuration Summary This section summarizes...

Page 255: ...ly in use The bar turns from green to red when the maximum is being approached When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates Replace This button displays when the ZyWALL has the factory default certificate The factory default certificate is common to all ZyWALLs that use certificates ZyXEL recommends that you use this button to...

Page 256: ...has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the certificate A window displays a...

Page 257: ...M Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses 64 ASCII characters to convert a binary PKCS 7 certificate into a printable form 15 6 Importing a Certificate Click CERTIFICATES My Certificates and then Import to open the My Certificate Import screen Follow the instructions in this screen to save an existing certificate to the ZyWALL see the following figure Note You can only im...

Page 258: ...te enroll a certificate with a certification authority or generate a certification request see the following figure Figure 121 My Certificate Create Table 78 My Certificate Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the c...

Page 259: ...ps trailing spaces Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a self signed certificate Select Create a self signed certificate to have the...

Page 260: ...tocol Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineering Task Force IETF an...

Page 261: ...ZyWALL 5 User s Guide Chapter 15 Certificates 259 Figure 122 My Certificate Details ...

Page 262: ...the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certif...

Page 263: ...the ZyWALL calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can...

Page 264: ...formation about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company a...

Page 265: ...ave selected the Issues certificate revocation lists CRL check box in the certificate s details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the certificate A windo...

Page 266: ...tificate change the certificate s name and set whether or not you want the ZyWALL to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Table 82 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the cert...

Page 267: ... to 31 characters to identify this key certificate You may use any character not including spaces Property Check incoming certificates issued by this CA against a CRL Select this check box to have the ZyWALL check incoming certificates that are issued by this certification authority against a Certificate Revocation List CRL Clear this check box to have the ZyWALL not check incoming certificates th...

Page 268: ... s issuing certification authority such as Common Name Organizational Unit Organization and Country With self signed certificates this is the same information as in the Subject Name field Signature Algorithm This field displays the type of algorithm that was used to sign the certificate Some certification authorities use rsa pkcs1 sha1 RSA public private key encryption algorithm and the SHA1 hash ...

Page 269: ...heir certificate SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail...

Page 270: ...field displays the name used to identify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Valid From This field displays the date that the certificate becomes applicable The text...

Page 271: ... following procedure describes how to use a certificate s fingerprint to verify that you have the remote host s actual certificate 1 Browse to where you have the remote host s certificate saved on your computer 2 Make sure that the certificate has a cer or crt file name extension Figure 127 Remote Host Certificates 3 Double click the certificate s icon to open the Certificate window Click the Deta...

Page 272: ... Remote Host s Certificate Click CERTIFICATES Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen Follow the instructions in this screen to save a trusted host s certificate to the ZyWALL see the following figure Note The trusted remote host certificate must be a self signed certificate and you must remove any spaces from...

Page 273: ...Remote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certificate s name Table 85 Trusted Remote Host Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Ap...

Page 274: ... to identify this key certificate You may use any character not including spaces Certification Path Click the Refresh button to have this read only text box display the end entity s own certificate and a list of certification authority certificates in the hierarchy of certification authorities that validate a certificate s issuing certification authority For a trusted host the list consists of the...

Page 275: ... or Expired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate s owner s IP address IP domain name DNS or e mail address ...

Page 276: ...tificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file ...

Page 277: ...necessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This field displays the...

Page 278: ...al notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change the server port number if needed however you must use the same server port number that the directory server uses 389 is the default server port number for LDAP Login Setting Login The ZyWALL may need to aut...

Page 279: ... database for VPN extended authentication and wireless LAN security See Section 6 5 1 on page 103 for more information about RADIUS 16 2 Local User Database By storing user profiles locally on the ZyWALL your ZyWALL is able to authenticate users without interacting with a network RADIUS server However there is a limit on the number of users you may authenticate in this way 16 3 RADIUS The ZyWALL c...

Page 280: ...ZyWALL 5 User s Guide 278 Chapter 16 Authentication Server Figure 133 Local User Database ...

Page 281: ...en the following screen where you can set up your ZyWALL s RADIUS server settings Figure 134 RADIUS Table 89 Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile User Name Enter the user name of the user profile Password Enter a password up to 31 characters long for this user profile Apply Click Apply to save your changes back to the ZyWALL Reset Click Rese...

Page 282: ...hared between the external authentication server and the ZyWALL The key is not sent over the network This key must be the same on the external authentication server and ZyWALL Accounting Server Active Select the check box to enable user accounting through an external authentication server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Numbe...

Page 283: ...he IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet when the packe...

Page 284: ...ervers for Many to One and Many to Many Overload mapping NAT offers the additional benefit of firewall protection With no servers defined your ZyWALL filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 17 1 3 How NAT Works Each packet has two addresses a source ...

Page 285: ... Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the ZyWALL can communicate with three distinct WAN networks More examples follow at the end of this chapter Figure 136 NAT Application With IP Alias ...

Page 286: ...P address to 2 and port to B Since 1 A has already sent packets to 3 C and 4 D they can send packets back to 2 B and the ZyWALL will perform NAT on them and send them to the server at IP address 1 port A Packets have not been sent from 1 A to 4 E or 5 so they cannot send packets to 1 A Figure 137 Port Restricted Cone NAT Example 17 1 6 NAT Mapping Types NAT supports five types of IP port mapping T...

Page 287: ...d Server The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Select either SUA or Full Feature in NAT Overview Selecting SUA means latent multiple WAN to LAN and WAN to DMZ address translation That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping ...

Page 288: ...ct Full Feature to have the ZyWALL use the address mapping rules that you configure This is the equivalent of what used to be called full feature NAT The bar displays how many of the ZyWALL s possible address mapping rules are configured The first number shows how many address mapping rules are configured on the ZyWALL The second number shows the maximum number of address mapping rules that can be...

Page 289: ...les For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so old rules 5 6 and 7 become new rules 4 5 and 6 To change your ZyWALL s Address Mapping settings click NAT then the Address Mapping tab The screen appears a...

Page 290: ...address from your ISP with Many to One and Server mapping types Global End IP This is the ending Inside Global Address IGA This field is N A for One to One Many to One and Server mapping types Type 1 One to One mode maps one local IP address to one global IP address Note that port numbers do not change for the One to one NAT mapping type 2 Many to One mode maps multiple local IP addresses to one g...

Page 291: ... Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One Many One to one mode maps each local IP address to unique global IP addresses 5 Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting Inside Local IP Address ILA Local IP ...

Page 292: ... IP address A default server receives packets from ports that are not specified in this screen Note If you do not assign a Default Server IP address the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup 17 5 2 Port Forwarding Services and Port Numbers The ZyWALL provides the additional safety of the DMZ ports for connecting your publicly a...

Page 293: ... and be accessible to the outside world through a single WAN IP address When you use port translation with port forwarding multiple servers on the LAN or DMZ can use the same port number and still be accessible to the outside world through a single WAN IP address The following example has two web servers on a LAN Server A uses IP address 192 168 1 33 and server B uses 192 168 1 34 Both servers use...

Page 294: ...ets received for ports that are not specified here or in the remote management setup Click NAT and Port Forwarding to open the Port Forwarding screen Refer to Figure 96 for port numbers commonly used for particular services Note The last port forwarding rule is reserved for Roadrunner services The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to somethi...

Page 295: ... This is the number of an individual port forwarding server entry Active Select this check box to enable the port forwarding server entry Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry Name Enter a name to identify this port forwarding rule Incoming Port s Enter a port number here To forward only one port enter it again in the seco...

Page 296: ...ecific port number and protocol a trigger port When the ZyWALL s WAN port receives a response with a specific port number and protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the LAN can use the service in the same manner This way you do not need to configu...

Page 297: ...Type a unique name up to 15 characters for identification purposes All characters are permitted including spaces Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Type a port number or the startin...

Page 298: ...Translation NAT End Port Type a port number or the ending port number in a range of port numbers Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Table 98 Port Triggering LABEL DESCRIPTION ...

Page 299: ...te a packet to network N3 because it doesn t know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you to tell the ZyWALL about the networks beyond the remote nodes Figure 146 Example of Static Routing Topology 18 2 Configuring IP Static Route Click STATIC ROUTE to open the IP Static Route screen Note The first static route entry is for the...

Page 300: ...P Static Route LABEL DESCRIPTION This is the number of an individual static route Name This is the name that describes or identifies this route Active This field shows whether this static route is active Yes or not No Destination This parameter specifies the IP network address of the final destination Routing is always based on network number ...

Page 301: ...dex number and then click Delete to remove a static route on the ZyWALL Table 99 IP Static Route LABEL DESCRIPTION Table 100 Edit IP Static Route LABEL DESCRIPTION Route Name Enter the name of the IP static route Leave this field blank to delete this static route Active This field allows you to activate deactivate this static route Destination IP Address This parameter specifies the IP network add...

Page 302: ...but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts Select this check box to keep this route private and not included in RIP broadcasts Clear this check box to propagate this route to other hosts through RIP broadcasts Apply Click Apply to save your changes back to...

Page 303: ... at the next routing device For example you can set the WAN interface speed to 1024 kbps or less if the broadband device connected to the WAN port has an upstream speed of 1024 kbps 19 2 Bandwidth Classes and Filters Use bandwidth classes and sub classes to allocate specific amounts of bandwidth capacity bandwidth budgets Configure a bandwidth filter to define a bandwidth class or sub class based ...

Page 304: ...t based Bandwidth Management You can create bandwidth classes based on subnets The following figure shows LAN subnets You could configure one bandwidth class for subnet A and another for subnet B Figure 149 Subnet based Bandwidth Management Example 19 6 Application and Subnet based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application Th...

Page 305: ...lable bandwidth on the interface including unallocated bandwidth and any allocated bandwidth that a class is not using among the bandwidth classes that require more bandwidth When you enable maximize bandwidth usage the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment Next the ZyWALL divides up an interface s available bandwidth bandwidth that is unbudgeted or u...

Page 306: ...ut when you do not select the maximize bandwidth option The ZyWALL divides up the unbudgeted 2048 kbps among the classes that require more bandwidth If the administration department only uses 1024 kbps of the budgeted 2048 kbps the ZyWALL also divides the remaining 1024 kbps among the classes that require more bandwidth Therefore the ZyWALL divides a total of 3072 kbps of unbudgeted and unused ban...

Page 307: ...nistration class need more bandwidth Each class gets up to its budgeted bandwidth The administration class only uses 1024 kbps of its budgeted 2048 kbps The ZyWALL divides the total 3072 kbps total of unbudgeted and unused bandwidth equally among the other classes 1024 kbps extra goes to each so the other classes each get a total of 3072 kbps 19 9 Bandwidth Borrowing Bandwidth borrowing allows a s...

Page 308: ...ve more traffic than their budgets and have bandwidth borrowing enabled The ZyWALL gives priority to sub classes of higher priority and treats classes of the same priority equally 3 The ZyWALL assigns any remaining unused or unbudgeted bandwidth on the interface to any class that requires it The ZyWALL gives priority to classes of higher priority and treats classes of the same level equally 4 If t...

Page 309: ... root class see Section 19 11 on page 308 The recommendation is to set this speed to match what the device connected to the port can handle For example set the WAN interface speed to 1000 kbps if the broadband device connected to the WAN port has an upstream speed of 1000 kbps Scheduler Select either Priority Based or Fairness Based from the drop down menu to control the traffic flow Select Priori...

Page 310: ...o add or delete child classes on an interface click BW MGMT then the Class Setup tab The screen appears as shown with example classes Figure 151 Bandwidth Manager Class Setup The following table describes the labels in this screen Table 107 Bandwidth Manager Class Setup LABEL DESCRIPTION Class Setup Interface Select an interface from the drop down list box for which you wish to set up classes Band...

Page 311: ...umber of an individual bandwidth management filter Filter Name This is the name that identifies a bandwidth management filter Service This is the service that this bandwidth management filter is configured to manage Destination IP Address This is the destination IP address for connections to which this bandwidth management filter applies Destination Port This is the destination port for connection...

Page 312: ...e priority of this class The higher the number the higher the priority The default setting is 3 Borrow bandwidth from parent class Select this option to allow a sub class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth budget Bandwidth borrowing is governed by the priority of the sub classes That is a sub class with the highest priority 7 is the first to...

Page 313: ...es it easier to manage bandwidth for SIP traffic and is useful for example when there is a VoIP Voice over Internet Protocol device on your LAN Select Custom from the drop down list box if you do not want to use a predefined application for the bandwidth class When you select Custom you need to configure at least one of the following fields other than the Subnet Mask fields which you only enter if...

Page 314: ...e ZyWALL Cancel Click Cancel to exit this screen without saving Table 109 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP ...

Page 315: ...d Tx Bytes This field displays the total number of bytes transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in bps for the past one to eight seconds For example t 1 means one second ago Update Period...

Page 316: ...s that is not allocated to bandwidth classes If you do not enable maximize bandwidth usage on an interface the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes a a If you allocate all the root class s bandwidth to the bandwidth classes the default class still displays a budget of 2 kbps the minimum amount of bandwidth that can be assi...

Page 317: ...ZyWALL 5 User s Guide Chapter 19 Bandwidth Management 315 ...

Page 318: ...ZyWALL 5 User s Guide 316 Chapter 19 Bandwidth Management ...

Page 319: ...our ISP gives you DNS server addresses manually enter them in the DNS server fields 2 If your ISP dynamically assigns the DNS server IP addresses along with the ZyWALL s WAN IP address set the DNS server fields to get the DNS server address from the ISP 3 You can manually enter the IP addresses of other DNS servers These servers can be public or private A DNS server could even be behind a remote I...

Page 320: ... to the same IP address as yourhost com This feature is useful if you want to be able to use for example www yourhost com and still reach your hostname 20 5 Name Server Record A name server record contains a DNS server s IP address The ZyWALL can query the DNS server to resolve domain names for features like VPN DDNS and the time server A domain zone may also be included A domain zone is a fully q...

Page 321: ...not specify an Intranet DNS server on the remote network then the VPN host must use IP addresses to access the computers on the remote private network 20 6 The System Screen To configure your ZyWALL s DNS address and name server records click DNS The screen appears as shown Figure 156 System DNS ...

Page 322: ...ver Record A name server record contains a DNS server s IP address The ZyWALL can query the DNS server to resolve domain names for features like VPN DDNS and the time server When the ZyWALL needs to resolve a domain name it checks it against the name server record entries in the order that they appear in this list A indicates a name server record without a domain zone The default record is grayed ...

Page 323: ... host name and continues all the way up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is the second level domain and com tw is the top level domain IP Address If this entry is for the WAN port select WAN Interface For entries that are not for the WAN port select Custom and enter the IP address of the host in dotted decimal no...

Page 324: ... an IP address N A displays for all of the DNS server IP address fields if the ZyWALL has a fixed WAN IP address Select Public DNS Server if you have the IP address of a DNS server The IP address must be public or a private address on your local LAN Enter the DNS server s IP address in the field to the right Public DNS Server entries with the IP address set to 0 0 0 0 are not allowed Select Privat...

Page 325: ...d DNS timeout period A negative response means that the ZyWALL did not receive a response for a query it sent to a DNS server within the five second DNS timeout period When the ZyWALL receives DNS queries it compares them against the DNS cache before querying a DNS server If the DNS query matches a positive entry the ZyWALL responses with the IP address from the entry If the DNS query matches a ne...

Page 326: ... queried domain names for which DNS resolution has failed and reduces the amount of traffic that the ZyWALL sends out to the WAN Negative Cache Period Type the time 60 to 3600 seconds that the ZyWALL is to allow a negative resolution entry to remain in the DNS cache before discarding it Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afr...

Page 327: ...s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Select DNS Relay to have the ZyWALL act as a DNS proxy The ZyWALL s LAN IP address displays in the field to t...

Page 328: ... with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name The Dynamic DNS service provider will give you a password or key Note You must go to the Dynamic DNS service provider s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL 20 10 1 DYNDNS Wildcard Enabling t...

Page 329: ...can use up to 31 alphanumeric characters and the underscore Spaces are not allowed My Domain Names Domain Name 1 5 Enter the host names in these fields DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider Select Dynamic if you have the Dynamic DNS service Select Static if you have the Static DNS service Select Custom if you have the Custom DNS ser...

Page 330: ...en there are one or more NAT routers between the ZyWALL and the DDNS server This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server Apply Click Apply to save your changes back to the ZyWALL R...

Page 331: ...LL from a remote location via Note When you choose WAN only or ALL LAN WAN DMZ you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field You may only have one remote management session running at a time The ZyWALL automatically disconnects a remote management session of lower priority when another r...

Page 332: ...change the timeout period in the System screen 21 2 Introduction to HTTPS HTTPS HyperText Transfer Protocol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthorized party cannot read the transferred data authentication...

Page 333: ...rver 2 HTTP connection requests from a web browser go to port 80 by default on the ZyWALL s WS web server Figure 162 HTTPS Implementation Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen then the ZyWALL blocks all HTTP connection attempts 21 3 Configuring WWW To change your ZyWALL s web settings click REMOTE MGMT to open the WWW screen ...

Page 334: ...J on page 607 on importing certificates for details Server Port The HTTPS proxy server listens on port 443 by default If you change the HTTPS proxy server port to a different number on the ZyWALL for example 8443 then you must notify people who need to access the ZyWALL web configurator to use https ZyWALL IP Address 8443 as the URL Server Access Select a ZyWALL interface from Server Access on whi...

Page 335: ...screen if you select No then web configurator access is blocked Figure 164 Security Alert Dialog Box Internet Explorer Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this service Secure Clie...

Page 336: ...s from the ZyWALL If Accept this certificate temporarily for this session is selected then click OK to continue in Netscape Select Accept this certificate permanently to import the ZyWALL s certificate into the SSL client Figure 165 Security Certificate 1 Netscape Figure 166 Security Certificate 2 Netscape 21 4 3 Avoiding the Browser Warning Messages The following describes the main reasons that y...

Page 337: ...on name specified in the certificate that your ZyWALL sends to HTTPS clients a Click REMOTE MGMT Write down the name of the certificate displayed in the Server Certificate field b Click CERTIFICATES Find the certificate and check its Subject column CN stands for certificate s common name see Figure 170 on page 337 for an example Use this procedure to have the ZyWALL use a certificate with a common...

Page 338: ...pter 21 Remote Management Figure 167 Login Screen Internet Explorer Figure 168 Login Screen Netscape Click Login and you then see the next screen The factory default certificate is a common default certificate for all ZyWALL models ...

Page 339: ...yWALL s MAC address that will be specific to this device Click CERTIFICATES to open the My Certificates screen You will see information similar to that shown in the following figure Figure 170 Device specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate You will then see this information in the My Certificates screen ...

Page 340: ... in clear text SSH Secure Shell is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network Figure 172 SSH Communication Example 21 6 How SSH works The following table summarizes how a secure connection is established between two remote hosts ...

Page 341: ...yption Method Once the identification is verified both the client and server must agree on the type of encryption method to use 3 Authentication and Data Transmission After the identification is verified and data encryption activated a secure tunnel is established between the client and the server The client then sends its authentication information user name and password to the server to log in t...

Page 342: ...LL for SSH connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 15 on page 251 for details Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may acc...

Page 343: ...er or device name for the ZyWALL 2 Configure the SSH client to accept connection using SSH version 1 3 A window displays prompting you to store the host key in you computer Click Yes to continue Figure 175 SSH Example 1 Store Host Key Enter the password to log in to the ZyWALL The SMT main menu displays next 21 9 2 Example 2 Linux This section describes how to access the ZyWALL using the OpenSSH c...

Page 344: ...efer to your SSH client program user s guide 1 Enter sftp 1 192 168 1 1 This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message displays prompting you to save the host information of the ZyWALL Type yes and press ENTER 2 Enter the password to login to the ZyWALL 3 Use the ...

Page 345: ...creen appears as shown sftp 1 192 168 1 1 Connecting to 192 168 1 1 The authenticity of host 192 168 1 1 192 168 1 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d 80 53 d1 Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 1 1 RSA1 to the list of known hosts Administrator 192 168 1 1 s password sftp put firmware bin ras U...

Page 346: ...N Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this service Secure Client IP Address A secure client is a trusted computer that is allowed to communicate with the ZyWALL using this service...

Page 347: ...Note SNMP is only available if TCP IP is configured Table 121 FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyWALL using this service Secure Client IP Address A secure client is a ...

Page 348: ...f variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following ...

Page 349: ...SCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before reboo...

Page 350: ...ult is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Access Select the interface s through which a computer may access the ZyWALL using this service Secure Clie...

Page 351: ...the labels in this screen Table 124 DNS LABEL DESCRIPTION Server Port The DNS service port number is 53 and cannot be changed here Service Access Select the interface s through which a computer may send DNS queries to the ZyWALL Secure Client IP Address A secure client is a trusted computer that is allowed to send DNS queries to the ZyWALL Select All to allow any computer to send DNS queries to th...

Page 352: ...ZyWALL 5 User s Guide 350 Chapter 21 Remote Management ...

Page 353: ...ear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 22 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically configure network addressing announce their presence in the network to other UPnP devices and enable exchange of simple...

Page 354: ...riting ZyXEL s UPnP implementation supports Windows Messenger 4 6 and 4 7 while Windows Messenger 5 0 and Xbox are still being tested The ZyWALL only sends UPnP multicasts to the LAN Please see later in this User s Guide for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 22 3 Configuring UPnP Click UPnP to display the screen shown next Figur...

Page 355: ...enabled device this eliminates the need to manually configure port forwarding for the UPnP enabled application Allow UPnP to pass through Firewall Select this check box to allow traffic from UPnP enabled applications to bypass the firewall Clear this check box to have the firewall block all UPnP application packets for example MSN packets Apply Click Apply to save your changes back to the ZyWALL R...

Page 356: ...alue and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client Protocol This field displays the protocol of the NAT mapping rule TCP or UDP Internal Port This field displays the port number on the Internal Client to which the ZyWALL should forward incoming connection requests Internal Client This field displays the DNS host name or IP address of a client...

Page 357: ...Panel Double click Add Remove Programs 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details 3 In the Communications window select the Universal Plug and Play check box in the Components selection box 4 Click OK to go back to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted ...

Page 358: ...ort of the ZyXEL device Turn on your computer and the ZyXEL device 1 Click Start Settings and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window displays 4 Select Networking Service in the Components selection box and click Details 5 I...

Page 359: ...anel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties 3 In the Internet Connection Properties window click Settings to see the port mappings that were automatically created You may edit or delete the port mappings or click Add to manually add port mappings ...

Page 360: ... With UPnP you can access the web based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first This is helpful if you do not know the IP address of the ZyXEL device 4 Select the Show icon in notification area when connected check box and click OK An icon displays in the system tray 5 Double click the icon to display your current Internet connection status ...

Page 361: ... Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places under Other Places 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click the icon for your ZyXEL device and select Invoke The web configurator login screen displays ...

Page 362: ...ZyWALL 5 User s Guide 360 Chapter 22 UPnP 6 Right click the icon for your ZyXEL device and select Properties A properties window displays with basic information about the ZyXEL device ...

Page 363: ... to open the View Log screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Section 23 3 on page 363 Options include logs about system maintenance system errors access control allowed or blocked web sites blocked web features such as ActiveX controls java and cookies attacks such as DoS and IPSec Log entries in red indicate system error ...

Page 364: ...ime the log was recorded See Section 24 5 on page 374 to configure the ZyWALL s time and date Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional information about the log entry E...

Page 365: ...s such as cookies active X and so on Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black Note Alerts are e mailed as soon as they happen Logs may be e mailed as soon as the log is full see Log Schedule Selecting many alert and or log categories especially Access Contro...

Page 366: ...ZyWALL 5 User s Guide 364 Chapter 23 Logs Screens Figure 188 Log Settings ...

Page 367: ...n list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs SMTP Authentication SMTP Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another Select the check box to activate SMTP authenticatio...

Page 368: ... when an individual web page loads it may contain references to other web sites that also get counted as hits The ZyWALL records web site hits by counting the HTTP GET packets Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits thus the web hit count is not yet 100 accurate To change your ZyWALL s log reports click LOGS then the Reports tab The scre...

Page 369: ...he ZyWALL Reset Click Reset to begin configuring this screen afresh Interface Select on which interface LAN or DMZ the logs will be collected The logs on the DMZ or LAN IP alias 1 and 2 are also recorded Report Type Use the drop down list box to select the type of reports to display Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have...

Page 370: ...x to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports Table 131 Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN The names are ranked by the number of visits to each web site and listed in d...

Page 371: ...Table 132 Protocol Port Report LABEL DESCRIPTION Protocol Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL The protocols or service ports are listed in descending order with the most used protocol or service port listed first Direction This field displays Incoming to denote traffic that is coming in from the WAN to the LAN or DMZ This fie...

Page 372: ... WAN to the LAN or DMZ This field displays Outgoing to denote traffic that is going out from the LAN or DMZ to the WAN Amount This column displays how much traffic has gone to and from the listed LAN IP addresses The measurement unit shown bytes Kbytes Mbytes or Gbytes varies with the amount of traffic sent to and from the LAN IP address The count starts over at 0 if the total traffic sent to and ...

Page 373: ...tification tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP click Start My Computer View system information and then click the Comput...

Page 374: ...not allowed but dashes and underscores _ are accepted Domain Name Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via DHCP The domain name entered by you is given priority over the ISP assigned domain name Administrator Inactivity Timer Type how many minutes a management session either via the web configurator or SMT can be left idle before ...

Page 375: ...nization fails then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined NTP time servers have been tried Table 136 Password Setup LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field New Password Type your new system password up to 30 characters No...

Page 376: ...ate click MAINTENANCE then the Time and Date tab The screen appears as shown Use this screen to configure the ZyWALL s time based on your local time zone Figure 195 Time and Date ntp cs strath ac uk ntp1 sp se time1 stupi se tick stdtime gov tw tock stdtime gov tw time stdtime gov tw Table 137 Default Time Servers ...

Page 377: ... Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server uses Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main difference between them is the ...

Page 378: ... Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The ...

Page 379: ...ful the following screen appears Click Return to go back to the Time and Date screen Figure 198 Synchronization Fail 24 6 Introduction to Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port All fu...

Page 380: ...s flooded to all ports except the inbound port Broadcasts and multicasts also are flooded in this way If the associated port is the same as the incoming port then the frame is dropped filtered 24 7 Transparent Firewalls A transparent firewall also known as a transparent in line shadow stealth or bridging firewall has the following advantages over router firewalls 1 The use of a bridging firewall r...

Page 381: ... click MAINTENANCE then the Device Mode tab When the ZyWALL is in router mode the screen appears as shown next Figure 199 Device Mode Router Mode The following table describes the labels in this screen Table 140 Device Mode Router Mode LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge Device Mode Setup Router When the ZyWALL i...

Page 382: ...nfigured in the IP Address field to access the ZyWALL again Reset Click Reset to begin configuring this screen afresh Table 141 Device Mode Bridge Mode LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge Device Mode Setup Router Select this radio button and click Apply to set the ZyWALL to router mode LAN Interface IP Address En...

Page 383: ...cting as a DHCP server When configured as a server the ZyWALL provides TCP IP configuration for the clients If not DHCP service is disabled and you must have another DHCP server on your LAN or else the computers must be manually configured When set as a server fill in the rest of the DHCP setup fields IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP add...

Page 384: ...ocess The ZyWALL automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Table 142 Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decom...

Page 385: ... not successful the following screen will appear Click Return to go back to the F W Upload screen Figure 204 Firmware Upload Error 24 10 Configuration Screen See Section 38 5 on page 500 for transferring configuration files using FTP TFTP commands Click MAINTENANCE and then the Configuration tab Information related to factory defaults backup configuration and restoring configuration appears as sho...

Page 386: ... in case you need to return to your previous settings Click Backup to save the ZyWALL s current configuration to your computer 24 10 2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyWALL Table 143 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this f...

Page 387: ...me causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 207 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address 192 168 1 1 See your Quick Start Guide for details on how to set up your ...

Page 388: ...e screen The following warning screen will appear Figure 209 Reset Warning Message You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL Refer to Section 2 3 on page 56 for more information on the RESET button 24 11 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off Click MAINTENANCE and then Restart Click Restar...

Page 389: ...ZyWALL 5 User s Guide Chapter 24 Maintenance 387 Figure 210 Restart Screen ...

Page 390: ...ZyWALL 5 User s Guide 388 Chapter 24 Maintenance ...

Page 391: ... Terminal menus via console port how to navigate the SMT and how to configure SMT menus 25 2 Accessing the SMT via the Console Port Make sure you have the physical connection properly set up as described in the Quick Start Guide When configuring using the console port you need a computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud...

Page 392: ... SMT is an interface that you use to configure your ZyWALL Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below Copyright c 1994 2005 ZyXEL Communications Corp initialize ch 0 ethernet address 00 A0 C5 01 23 45 initialize ch 1 ethernet address 00 A0 C5 01 23 46 initialize ch 2 ethernet address 00 A0 C5 01 23 47 initialize ...

Page 393: ...BAR then press ENTER to select from choices You need to fill in two types of fields The first requires you to type in the appropriate information The second allows you to cycle through the available choices by pressing SPACE BAR Required fields All fields with the symbol must be filled in order be able to save the new configuration N A fields N A Some of the fields in the SMT will show a N A This ...

Page 394: ...6 Schedule Setup Advanced Applications 11 Remote Node Setup 12 Static Routing Setup 15 NAT Setup 99 Exit Enter Menu Selection Number Copyright c 1994 2005 ZyXEL Communications Corp ZyWALL 5 Main Menu Getting Started Advanced Management 1 General Setup 21 Filter and Firewall Setup 22 SNMP Configuration 23 System Password 24 System Maintenance 99 Exit Enter Menu Selection Number Table 145 Main Menu ...

Page 395: ...ter and Firewall Setup Configure filters activate deactivate the firewall and view the firewall log 22 SNMP Configuration Use this menu to configure SNMP related parameters 23 System Password Change your password in this menu recommended 24 System Maintenance From displaying system status to uploading firmware this menu provides comprehensive system maintenance 25 IP Routing Policy Setup From disp...

Page 396: ...1 2 3 Remote Node Script 11 2 4 Remote Node Filter 12 Static Routing Setup 12 1 Edit Static Route Setup 15 NAT Setup 15 1 Address Mapping Sets 15 1 1 Address Mapping Rules 11 1 5 Traffic Redirect Setup 15 2 NAT Server Sets 15 2 x NAT Server Configuration 15 3 Trigger Ports 21 Filter and Firewall Setup 21 1 Filter Set Configuration 21 1 x Filter Rules Summary 21 1 x x Generic Filter Rule 21 1 x x T...

Page 397: ...2 Console Port Speed 24 3 Log and Trace 24 3 1 View Error Log 24 3 2 Syslog Logging 24 3 4 Call Triggering Packet 24 4 Diagnostic 24 5 Backup Configuration 24 6 Restore Configuration 24 7 Upload Firmware 24 7 1 Upload System Firmware 24 7 2 Upload System Configuration File 24 8 Command Interpreter Mode 24 9 Call Control 24 9 1 Budget Management 24 9 2 Call History 24 10 Time and Date Setting 24 11...

Page 398: ...ystem password and press ENTER 4 Re type your new system password for confirmation and press ENTER Note that as you type a password the screen displays an x for each character you type 25 5 Resetting the ZyWALL See Section 2 3 on page 56 for directions on resetting the ZyWALL ...

Page 399: ... Router Mode Edit Dynamic DNS No Press ENTER to Confirm or ESC to Cancel Table 147 Menu 1 General Setup Router Mode FIELD DESCRIPTION System Name Choose a descriptive name for identification purposes It is recommended you enter your computer s Computer name in this field This name can be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores _ are accepted Domain N...

Page 400: ...dress 172 21 5 22 Network Mask 255 255 0 0 Gateway 172 21 0 254 First System DNS Server IP Address 0 0 0 0 Second System DNS Server IP Address 0 0 0 0 Third System DNS Server IP Address 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 148 Menu 1 General Setup Bridge Mode FIELD DESCRIPTION Device Mode Press SPACE BAR and then ENTER to select Bridge Mode IP Address Enter the IP address of your ...

Page 401: ...u 1 or the MAINTENANCE Device Mode screen 2 Enter 1 in the main menu to open Menu 1 General Setup 3 Press SPACE BAR to select Yes in the Edit Dynamic DNS field Press ENTER to display Menu 1 1 Configure Dynamic DNS Menu 1 1 Configure Dynamic DNS Service Provider WWW DynDNS ORG Active No Username Password Edit Host No Press ENTER to Confirm or ESC to Cancel Table 149 Menu 1 1 Configure Dynamic DNS F...

Page 402: ...__________________________________________________ _______________________________________________________ Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel Table 150 Menu 1 1 1 DDNS Host Summary FIELD DESCRIPTION This is the DDNS host index number Summary This displays the details about the DDNS host Select Command Press SPACE BAR to choose from None Edit Delete Next Pag...

Page 403: ...hen ENTER to select Yes When Yes is selected http www dyndns org traffic is redirected to a URL that you have previously specified see www dyndns org for details IP Address Update Policy You can select Yes in either the Let DDNS Server Auto Detect field recommended or the Use User Defined field but not both With the Let DDNS Server Auto Detect and Use User Defined fields both set to No the DDNS se...

Page 404: ...r the static public IP address if you select Yes in the Use User Defined field When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Table 151 Menu 1 1 1 DDNS Edit Host continued FIELD DESCRIPTION ...

Page 405: ...p Setup This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection 27 2 WAN Setup From the main menu enter 2 to open menu 2 Figure 221 MAC Address Cloning in WAN Setup Menu 2 WAN Setup MAC Address Assigned By Factory default IP Address N A Dial Backup Active No Port Speed 115200 AT Command String Init at fs0 0 Edit Advanced Setup ...

Page 406: ...r information on an alternate backup WAN connection 27 4 Configuring Dial Backup in Menu 2 From the main menu enter 2 to open menu 2 Table 152 MAC Address Cloning in WAN Setup FIELD DESCRIPTION MAC Address Assigned By Press SPACE BAR and then ENTER to choose one of two methods to assign a MAC Address Choose Factory Default to select the factory assigned default MAC Address Choose IP address attach...

Page 407: ...ield to turn the dial backup feature on Yes or off No Port Speed Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps AT Command String Init Enter the AT command string to initialize the WAN device Consult the manual of your WAN device connected to your Dial B...

Page 408: ...Commands Fields FIELD DESCRIPTION AT Command Strings Dial Enter the AT Command string to make a call Drop Enter the AT Command string to drop a call represents a one second wait e g ath can be used if your modem has a slow response time Answer Enter the AT Command string to answer a call Drop DTR When Hang Up Press the SPACE BAR to choose either Yes or No When Yes is selected the default the DTR D...

Page 409: ...ber before blacklisting the number Retry Interval sec Enter a number of seconds for the ZyWALL to wait before trying another call after a call has failed This applies before a phone number is blacklisted Drop Timeout sec Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation Call Back Delay sec Enter a number of sec...

Page 410: ...he PPP options for this remote node This brings you to Menu 11 2 1 Remote Node PPP Options see Section 27 7 on page 409 Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 2 2 Remote Node Network Layer Options See Section 27 8 on page 409 for more information Edit Script Options Press SPACE BAR to select Yes and press ENTER to edit the AT script...

Page 411: ...ffic from the ZyWALL to the remote node that can elapse before the ZyWALL automatically disconnects the PPP connection This option only applies when the ZyWALL initiates the call Once you have configured this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Table 156 Menu 11 3 Remote Node Profile Backup ISP continued FIELD DESCRIP...

Page 412: ...mically automatically assign your WAN IP address if you do not know it Enter your WAN IP address here if you know it static This is the address assigned to your local ZyWALL not the remote router Network Address Translation Network Address Translation NAT allows the translation of an Internet protocol address used within one network for example a private IP address used in a local network to a dif...

Page 413: ...ame and password in the remote node when the ZyWALL sees them in a Send string Please note that both variables must been entered exactly as shown No other characters may appear before or after either i e they must be used alone in response to login and password prompts Private This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts If set to Yes thi...

Page 414: ...your password to the server If there are errors in the script and it gets stuck at a set for longer than the Dial Timeout in menu 2 default 60 seconds the ZyWALL will timeout and drop the line To debug a script go to Menu 24 4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect Figure 227 Menu 11 2 3 Remo...

Page 415: ...node and the ZyWALL to prevent certain packets from triggering calls You can specify up to four filter sets separated by commas for example 1 5 9 12 in each filter field Note that spaces are accepted in this field Please refer to Chapter 35 on page 463 for more information on defining the filters Figure 228 Menu 11 2 4 Remote Node Filter Menu 11 2 4 Remote Node Filter Input Filter Sets protocol fi...

Page 416: ...ZyWALL 5 User s Guide 414 Chapter 27 WAN and Dial Backup Setup ...

Page 417: ...the LAN Menus From the main menu enter 3 to open Menu 3 LAN Setup Figure 229 Menu 3 LAN Setup 28 3 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter Setu...

Page 418: ... IP and DHCP Setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP and D...

Page 419: ...No Third DNS Server From ISP IP Address N A DHCP Server Address N A Press ENTER to Confirm or ESC to Cancel Table 160 Menu 3 2 DHCP Ethernet Setup Fields FIELD DESCRIPTION DHCP This field enables disables the DHCP server If set to Server your ZyWALL will act as a DHCP server If set to None the DHCP server will be disabled If set to Relay the ZyWALL acts as a surrogate DHCP server and relays reques...

Page 420: ... third DNS server that choice changes to None after you save your changes Select None if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it DHCP Server Address If Relay is selected in the DHCP field above then type the IP address of the actual remote DHCP server here Table 161 Menu 3 2 LAN TCP IP Setup Field...

Page 421: ...RIP Direction None Version RIP 1 Incoming protocol filters Outgoing protocol filters IP Alias 2 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to CANCEL Table 162 Menu 3 2 1 IP Alias Setup FIELD DESCRIPTION IP Alias 1 2 Choose Yes to configure the LAN network for the ZyWALL IP Address Enter...

Page 422: ... Menu 3 5 Wireless LAN Setup as shown next Figure 234 Menu 3 5 Wireless LAN Setup Note The settings of all client stations on the wireless LAN must match those of the ZyWALL Outgoing Protocol Filters Enter the filter set s you wish to apply to the outgoing traffic between this node and the ZyWALL When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your config...

Page 423: ...r enabling RTS CTS handshake Data with its frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC service data unit size turns off the RTS CTS handshake Setting this attribute to zero turns on the RTS CTS handshake Enter a value between 0 and 2432 Frag Threshold The threshold number of bytes for the fragmentation boundary ...

Page 424: ...00 00 00 00 00 Address 10 00 00 00 00 00 00 Address 11 00 00 00 00 00 00 Address 12 00 00 00 00 00 00 Enter here to CONFIRM or ESC to CANCEL Table 164 Menu 3 5 1 WLAN MAC Address Filter FIELD DESCRIPTION Active To enable MAC address filtering press SPACE BAR to select Yes and press ENTER Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table To deny ac...

Page 425: ...Ethernet PPTP or PPPoE Encapsulation Contact your ISP to determine what encapsulation type you should use 29 2 Ethernet Encapsulation If you choose Ethernet in menu 4 you will see the next menu Figure 236 Menu 4 Internet Access Setup Ethernet Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N ...

Page 426: ...mber of minutes from 1 to 59 30 recommended for the ZyWALL to wait between logins IP Address Assignment If your ISP did not assign you a fixed IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Static and enter the IP address and subnet mask in the following fields IP Address Enter the fixed IP address assigned to you by your ISP static IP address assignment is selected i...

Page 427: ...you choose PPTP in the Encapsulation field in menu 4 29 4 Configuring the PPPoE Client If you enable PPPoE in menu 4 you will see the next screen For more information on PPPoE please see Appendix D on page 563 Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation PPTP Service Type N A My Login My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subn...

Page 428: ...the Internet You may deactivate the firewall in menu 21 2 or via the ZyWALL embedded web configurator You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so See the chapters on firewall for more information on the firewall Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation PPPoE Service Type N A My Login My Password Retype to ...

Page 429: ...o specify the filter sets that you wish to apply to your public server s traffic Figure 240 Menu 5 1 DMZ Port Filter Setup 30 3 TCP IP Setup For more detailed information about RIP setup IP Multicast and IP alias please refer to Chapter 4 on page 85 Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP Setup Enter Menu Selection Number Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters ...

Page 430: ... how to configure these fields Note DMZ and LAN IP addresses must be on separate subnets You must also configure NAT for the DMZ port see Chapter 33 on page 443 in menus 15 1 and 15 2 30 3 2 IP Alias Setup You must use menu 5 2 to configure the first network Move the cursor to the Edit IP Alias field press SPACE BAR to choose Yes and press ENTER to configure the second and third network Pressing E...

Page 431: ...ameters Menu 5 2 1 IP Alias Setup IP Alias 1 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A IP Alias 2 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to CANCEL ...

Page 432: ...ZyWALL 5 User s Guide 430 Chapter 30 DMZ Setup ...

Page 433: ...Node Profile Menu 11 1 2 Remote Node Network Layer Options Menu 11 1 4 Remote Node Filter and Menu 11 1 5 Traffic Redirect Setup 31 2 Remote Node Setup From the main menu select menu option 11 to open Menu 11 Remote Node Setup shown below Then enter 1 to open Menu 11 1 Remote Node Profile and configure the setup for your WAN port Enter 2 to open Menu 11 2 Remote Node Profile Backup ISP and configu...

Page 434: ...on FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters Active Press SPACE BAR and then ENTER to select Yes activate remote node or No deactivate remote node Encapsulation Ethernet is the default encapsulation Press SPACE BAR and then ENTER to change to PPPoE or PPTP encapsulation Service Type Press SPACE BAR and then ENTER to select...

Page 435: ...recommended for the ZyWALL to wait between logins Route This field refers to the protocol that will be routed by your ZyWALL IP is the only option for the ZyWALL Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 1 2 Remote Node Network Layer Options Session Options Schedules You can apply up to four schedule sets here For more details please r...

Page 436: ...affic demand The ZyWALL does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the ZyWALL will try to bring up the connection when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers flat rate service or...

Page 437: ...ield sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control Period hr This field is the time period that the budget should be reset For example if we are allowed to call this remote node for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour Schedules You can apply up to four schedule ...

Page 438: ...P Addr Connection ID Name Edit Traffic Redirect No Press ENTER to Confirm or ESC to Cancel Table 170 Menu 11 1 Remote Node Profile for PPTP Encapsulation FIELD DESCRIPTION Encapsulation Press SPACE BAR and then ENTER to select PPTP You must also go to menu 11 3 to check the IP Address setting once you have selected the encapsulation method My IP Addr Enter the IP address of the WAN Ethernet port M...

Page 439: ...ulation only Enter the gateway IP address assigned to you if you are using a static IP address My WAN Addr This field is applicable to PPPoE and PPTP encapsulations only Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number If this is the case enter the IP add...

Page 440: ...mines if the ZyWALL will include the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node will be propagated to other hosts through RIP broadcasts RIP Direction Press SPACE BAR and then ENTER to select the RIP direction from Both None In Only Out Only See Chapter 4 on page 85 for more informat...

Page 441: ...orward WAN traffic to the backup gateway using Menu 11 1 5 Traffic Redirect Setup Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Set...

Page 442: ...e route has Check WAN IP Address Enter the IP address of a reliable nearby computer for example your ISP s DNS server address to test your ZyWALL s WAN accessibility The ZyWALL uses the default gateway IP address if you do not enter an IP address here If you are using PPTP or PPPoE Encapsulation enter 0 0 0 0 to configure the ZyWALL to check the PVC Permanent Virtual Circuit or PPTP tunnel Fail To...

Page 443: ...AN IP address The route name changes from default to default after you change the static WAN IP address to a dynamic WAN IP address indicating the static route is inactive Figure 252 Menu 12 IP Static Route Setup Now enter the index number of the static route that you want to configure Menu 12 IP Static Route Setup 1 Reserved 16 ________ 2 ________ 17 ________ 3 ________ 18 ________ 4 ________ 19 ...

Page 444: ... subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask for this destination Gateway IP Address Enter the IP address of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyWALL over the WAN the gateway must b...

Page 445: ... types of mapping Many to One and Server See Section 33 2 1 on page 445 for a detailed description of the NAT set for SUA The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Note Choose SUA Only if you have just one public WAN IP address for your ZyWALL Choose Full Feature if you have multiple ...

Page 446: ...ying NAT to the Remote Node Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin Every min N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Menu 11 1 2 Remote Node ...

Page 447: ...igure DMZ and LAN IP addresses in NAT menus 15 1 and 15 2 DMZ IP addresses must be on subnets separate from LAN IP addresses 33 2 1 Address Mapping Sets Enter 1 to bring up Menu 15 1 Address Mapping Sets Table 174 Applying NAT in Menus 4 11 1 2 FIELD DESCRIPTION OPTIONS Network Address Translation When you select this option the SMT will use Address Mapping Set 1 menu 15 1 see Section 33 2 1 on pa...

Page 448: ... only Menu 15 1 Address Mapping Sets 1 NAT_SET 255 SUA read only Enter Menu Selection Number Menu 15 1 255 Address Mapping Rules Set Name SUA Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3 4 5 6 7 8 9 10 Press ENTER to Confirm or ESC to Cancel Table 175 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name...

Page 449: ...he ending local IP address ILA If the rule is for all local IPs then the start IP is 0 0 0 0 and the end IP is 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP Global End IP This is the ending global IP address IGA Type These are the mapping types discussed above Server allows us to specify multiple servers of ...

Page 450: ...ing deleting a rule No changes to the set take place until this action is taken Selecting Edit in the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit an individual rule and configure the Type Local and Global Start End IPs Note An IP End address must be numerically greater than its corresponding IP Start address Table 176...

Page 451: ...to specify multiple servers of different types behind NAT to this computer See Section 33 4 3 on page 453 for an example Local IP Only local IP fields are N A for server Global IP fields MUST be set for Server Start Enter the starting local IP address ILA End Enter the ending local IP address ILA If the rule is for all local IPs then put the Start IP as 0 0 0 0 and the End IP as 255 255 255 255 Th...

Page 452: ...nter the last port to be forwarded in the End Port field 15 2 1 NAT Server Configuration Wan 1 Index 1 Name 1 Active Yes Start port 21 End port 25 IP Address 192 168 1 33 Press ENTER to Confirm or ESC to Cancel Table 178 Menu 15 2 1 NAT Server Configuration FIELD DESCRIPTION WAN This is the WAN port server set Index This is the index number of an individual port forwarding server entry Name Enter ...

Page 453: ...activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard Figure 262 Menu 15 2 NAT Server Setup You assign the private network IP addresses The NAT network appears as a single host on the Internet A is the FTP Telnet SMTP server Figure 263 Server Behind NAT Example Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Po...

Page 454: ...ove simply choose the SUA Only option from the Network Address Translation field This is the Many to One mapping discussed in Section 33 4 on page 452 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N ...

Page 455: ...er All departments share the same router The example will reserve one IGA for each department with an FTP server and all departments use the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules need to be configured two bi directional and two uni directional as follows Menu 15 2 NAT S...

Page 456: ... like this Figure 268 NAT Example 3 1 In this case you need to configure Address Mapping Set 1 from Menu 15 1 Address Mapping Sets Therefore you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 269 2 Then enter 15 from the main menu 3 Enter 1 to configure the Address Mapping Sets 4 Enter 1 to begin configuring this new set Enter a Set ...

Page 457: ...ork Layer Options IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Addr N A Network Address Translation SUA Only Metric 2 Private RIP Direction None Version N A Multicast None Enter here to CONFIRM or ESC to CANCEL Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Server Mapping Set N A Press ENTER t...

Page 458: ...menu 2 Enter 2 to go to Menu 15 2 NAT Server Sets and configure it as shown in Figure 272 Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to Confirm or ESC...

Page 459: ...such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications won t work through NAT even when using One to One and Many One to One mapping types Follow the steps outlined in example 3 above to configure these two menus as follows Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 Yes 80 80...

Page 460: ...ddress Mapping Rules Menu 15 1 1 1 Address Mapping Rule Type Many One to One Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Press ENTER to Confirm or ESC to Cancel Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10 132 50 3 M 1 1 2 3 4 5 6 7 8 9 1...

Page 461: ...er that sends traffic to the WAN to request a service with a specific port number and protocol a trigger port When the ZyWALL s WAN port receives a response with a specific port number and protocol incoming port the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the LAN can use the...

Page 462: ...rs are permitted including spaces Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Enter a port number or the starting port number in a range of port numbers End Port Enter a port number or the e...

Page 463: ...ion to display the screen shown next Figure 277 Menu 21 Filter and Firewall Setup 34 1 1 Activating the Firewall Enter option 2 in this menu to bring up the following screen Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Use the web configurator to configure firewall rules Menu 2...

Page 464: ...ects against Denial of Service DoS attacks when it is active Your network is vulnerable to attacks when the firewall is turned off Refer to the User s Guide for details about the firewall default policies You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes You can use the Web Configurator to configure the firewall Press ENTER to...

Page 465: ...lowed to pass Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the LAN side Call filtering is used to determine if a packet should be allowed to trigger a call Remote node call filtering is only applicable when using PPPoE encapsulation Outgoing packets must undergo data f...

Page 466: ...ilter rules and protocol filter rules within the same set You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming tel...

Page 467: ...nfiguration 465 Figure 280 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port ...

Page 468: ... 5 Press ENTER at the message Press ENTER to confirm to open Menu 21 1 1 Filter Rules Summary This screen shows the summary of the existing rules in the filter set The following tables contain a brief description of the abbreviations used in the previous menus Menu 21 Filter and Firewall Setup 1 Filter Setup 2 Firewall Setup Enter Menu Selection Number Menu 21 1 Filter Set Configuration Filter Fil...

Page 469: ...are more rules to check which form a rule chain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken i e forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the packet immediately an...

Page 470: ...Filter Rule as shown next Figure 283 Menu 21 1 1 1 TCP IP Filter Rule The following table describes how to configure your TCP IP filter rule Menu 21 1 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 0 IP Source Route No Destination IP Addr IP Mask Port Port Comp None Source IP Addr IP Mask Port Port Comp None TCP Estab N A More No Log None Action Matched Che...

Page 471: ...stab This field is applicable only when the IP Protocol field is 6 TCP Press SPACE BAR and then ENTER to select Yes to have the rule match packets that want to establish a TCP connection SYN 1 and ACK 0 if No it is ignored More Press SPACE BAR and then ENTER to select Yes or No If Yes a matching packet is passed to the next filter rule before an action is taken if No the packet is disposed of acco...

Page 472: ...r s Guide 470 Chapter 35 Filter Configuration Figure 284 Executing an IP Filter 35 2 3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule The purpose of generic rules is ...

Page 473: ...ric Filter Rule Filter 1 1 Filter Type Generic Filter Rule Active No Offset 0 Length 0 Mask N A Value N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Table 183 Generic Filter Rule Menu Fields FIELD DESCRIPTION Filter This is the filter set filter rule co ordinates i e 2 3 refers to the second filter set and the third ru...

Page 474: ...g packet is passed to the next filter rule before an action is taken else the packet is disposed of according to the action fields If More is Yes then Action Matched and Action Not Matched will be No Log Select the logging option from the following None No packets will be logged Action Matched Only packets that match the rule parameters will be logged Action Not Matched Only packets that do not ma...

Page 475: ... A Y a TCP IP filter rule Type IP Pr 6 for destination telnet ports DP 23 Menu 21 1 3 1 TCP IP Filter Rule Filter 3 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 23 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward P...

Page 476: ...ic filter rules act on the raw data from to LAN and WAN Protocol filter rules act on the IP packets Generic and TCP IP filter rules are discussed in more detail in the next section When NAT Network Address Translation is enabled the inside IP address and port number are replaced on a connection by connection basis which makes it impossible to know the exact address and port on the wire Therefore t...

Page 477: ...d output filter sets filter outgoing traffic from the ZyWALL For PPPoE or PPTP encapsulation you have the additional option of specifying remote node call filter sets Figure 290 Filtering LAN Traffic 35 6 2 Applying DMZ Filters DMZ traffic filter sets may be useful to block certain packets reduce traffic and prevent security breaches Go to menu 5 1 shown next and enter the number s of the filter s...

Page 478: ...ers separated by commas The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and block incoming telnet FTP and HTTP connections Figure 292 Filtering Remote Node Traffic Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 11 1 4 Remote Node Filter S...

Page 479: ...ted Host 0 0 0 0 Trap Community public Destination 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 184 SNMP Configuration Menu Fields FIELD DESCRIPTION Get Community Type the Get community which is the password for the incoming Get and GetNext requests from the management station Set Community Type the Set community which is the password for incoming Set requests from the management station ...

Page 480: ...RIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooti...

Page 481: ...ion on the version of your system firmware and the status and statistics of the ports as shown in the next figure System Status is a tool that can be used to monitor your ZyWALL Specifically it gives you information on your system firmware version number of packets sent and number of packets received To get to the System Status 1 Enter number 24 to go to Menu 24 System Maintenance 2 In this menu e...

Page 482: ...00 00 00 00 00 DMZ 00 A0 C5 7A 86 D7 0 0 0 0 0 0 0 0 None System up Time 0 02 51 Press Command COMMANDS 1 Drop WAN 9 Reset Counters ESC Exit Table 186 System Maintenance Status Menu Fields FIELD DESCRIPTION Port This field identifies a port WAN LAN WLAN or DMZ on the ZyWALL Status This field shows the port speed and duplex setting if you re using Ethernet Encapsulation and Down line is down Idle l...

Page 483: ...the next figure Figure 296 Menu 24 2 System Information and Console Port Speed 37 3 1 System Information System Information gives you information about your system as shown below More specifically it gives you information on your routing protocol Ethernet address IP address etc System up Time This is the total time the ZyWALL has been on You may enter 1 to drop the WAN connection 9 to reset the co...

Page 484: ...7A 86 D5 IP Address 192 168 1 1 IP Mask 255 255 255 0 DHCP Server Press ESC or RETURN to Exit Table 187 Fields in System Maintenance Information FIELD DESCRIPTION Name This is the ZyWALL s system name domain name assigned in menu 1 For example System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing Refers to the routing protocol used ZyNOS F W Version Refers to the version o...

Page 485: ...main menu to open Menu 24 System Maintenance 2 From menu 24 select option 3 to open Menu 24 3 System Maintenance Log and Trace 3 Select the first option from Menu 24 3 System Maintenance Log and Trace to display the error log in the system After the ZyWALL finishes displaying you will have the option to clear the error log Figure 299 Menu 24 3 System Maintenance Log and Trace Examples of typical e...

Page 486: ...56 2004 PINI INFO Last errorlog repeat 1 Times 59 Thu Jul 1 05 54 56 2004 PINI INFO main init completed 60 Thu Jul 1 05 55 26 2004 PSSV WARN SNMP TRAP 0 cold start 61 Thu Jul 1 05 56 56 2004 PINI INFO SMT Session Begin 62 Thu Jul 1 07 50 58 2004 PINI INFO SMT Session End 63 Thu Jul 1 07 53 28 2004 PINI INFO SMT Session Begin Clear Error Log y n Menu 24 3 2 System Maintenance Syslog Logging Syslog ...

Page 487: ...02 2 ZyXEL board 0 line 0 channel 0 call 1 C01 Outgoing Call dev 2 ch 0 40002 Jul 19 11 19 32 192 168 102 2 ZyXEL board 0 line 0 channel 0 call 1 C02 OutCall Connected 64000 40002 Jul 19 11 20 06 192 168 102 2 ZyXEL board 0 line 0 channel 0 call 1 C02 Call Terminated Packet triggered Message Format SdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String Packet trigger Protocol xx Data xxxxxxxxxx...

Page 488: ...at SdcmdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String String ppp Proto Starting ppp Proto Opening ppp Proto Closing ppp Proto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Jul 19 11 42 44 192 168 102 2 ZyXEL ppp LCP Closing Jul 19 11 42 49 192 168 102 2 ZyXEL ppp IPCP Closing Jul 19 11 42 54 192 168 102 2 ZyXEL ppp CCP Closing Firewall Log Message Format SdcmdSyslogSend SYSLOG_FIRE...

Page 489: ...w to get to Menu 24 4 System Maintenance Diagnostic IP Frame ENET0 RECV Size 44 44 Time 17 02 44 262 Frame Type IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header...

Page 490: ...s Assignment field in menu 4 or menu 11 x 2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet or None when you have a static IP The WAN Release and Renewal fields in menu 24 4 conveniently allow you to release and or renew the assigned WAN IP address subnet mask and default gateway in a fashion similar to winipcfg Figure 304 WAN LAN DHCP The following table describes the diag...

Page 491: ... the Internet setup You can also test the Internet setup in Menu 4 Internet Access Please refer to Chapter 29 on page 423 for more details This feature is only available for dial up connections using PPPoE or PPTP encapsulation Reboot System Enter 11 to reboot the ZyWALL WAN If you entered 2 or 3 in the Enter Menu Selection Number field enter the number of the WAN port in this field Host IP Addres...

Page 492: ...ZyWALL 5 User s Guide 490 Chapter 37 System Information Diagnosis ...

Page 493: ...ite to use to upgrade your ZyWALL s performance 38 2 Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in the menus such as password DHCP Setup TCP IP Setup etc It arrives from ZyXEL with a rom filename extension Once you have customized the ZyWALL s settings they can be saved back to your computer under a filename of your choosing ...

Page 494: ... ZyWALL configuration to your computer Backup is highly recommended once your ZyWALL is functioning properly FTP is the preferred method for backing up your current configuration to your computer since it is faster You can also perform backup and restore using menu 24 through the console port Any serial communications program should work fine however you must use Xmodem protocol to perform the dow...

Page 495: ...he ZyWALL to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt Menu 24 5 Backup Configuration To transfer the configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as ...

Page 496: ...p bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Table 191 General Commands for GUI based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to ...

Page 497: ...s stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute SMT timeout default when the file transfer is complete 4 Launch the TFTP client on your computer and connect to the ZyWALL Set the transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below to transfer files between the ZyWALL...

Page 498: ...tem Maintenance Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer then Receive File as shown in the following screen Table 192 General Commands for GUI based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL 192 168 1 1 is the ZyWALL s default IP address when shipped Send Fetch Use Send to upload the file to the ZyWALL and Fetch to back up ...

Page 499: ...ation before restoring a previous back up configuration please do not attempt to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster Please note that you must wait for the system to automatically restart after the file transfer is complete Note WARNING Do not interrupt th...

Page 500: ...uit to exit the ftp prompt The ZyWALL will automatically restart after a successful restore process Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Type put backupfi...

Page 501: ...lar 1 Display menu 24 6 and enter y at the following screen Figure 313 System Maintenance Restore Configuration 2 The following screen indicates that the Xmodem download has started Figure 314 System Maintenance Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer then Send File as shown in the following screen ftp put config rom rom 0 200 Port command okay 150 Open...

Page 502: ...you how to upload firmware and configuration files You can upload configuration files by following the procedure in Section 38 4 on page 497 or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port Note WARNING Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL 38 5 1 Firmware File Upload FTP is the pref...

Page 503: ...r a successful firmware upload For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow...

Page 504: ...mware File Upload Figure 319 FTP Session Example of Firmware File Upload More commands found in GUI based FTP clients are listed earlier in this chapter Refer to Section 38 3 5 on page 494 to read about configurations that disallow TFTP and FTP over WAN 38 5 5 TFTP File Upload The ZyWALL also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP ...

Page 505: ...TFTP Upload Command Example The following is an example TFTP command tftp i host put firmware bin ras Where i specifies binary image transfer mode use this mode when transferring binary files host is the ZyWALL s IP address put transfers the file source on the computer firmware bin name of the firmware on the computer to the file destination on the remote host ras name of the firmware on the ZyWAL...

Page 506: ...re upload process has completed the ZyWALL will automatically restart 38 5 10 Uploading Configuration File Via Console Port 1 Select 2 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 2 System Maintenance Upload System Configuration File Follow the instructions as shown in the next screen Menu 24 7 1 System Maintenance Upload System Firmware To upload system firmware 1 Enter ...

Page 507: ...process has completed restart the ZyWALL by entering atgo Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restar...

Page 508: ...ZyWALL 5 User s Guide 506 Chapter 38 Firmware and Configuration File Maintenance ...

Page 509: ...ly available with a serial connection See the included disk or zyxel com for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance Note Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable Figure 324 Command Mode in Menu 24 39 1 1 Command Syntax The command keywords are in courier new font Enter the command keywords exactly...

Page 510: ... ppp bridge bm certificates cnm 8021x radius ras Table 193 Valid Commands COMMAND DESCRIPTION sys The system commands display device information and configure device settings exit This command returns you to the SMT main menu ether These commands display Ethernet information and configure Ethernet settings aux These commands display dial backup information and control dial backup connections ip Th...

Page 511: ...al outgoing call time exceeds the limit the current call will be dropped and any future outgoing calls will be blocked Call history chronicles preceding incoming and outgoing calls To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 326 Call Control 39 2 1 Budget Management Menu 24 9 1 shows the budget mana...

Page 512: ...t past incoming and outgoing calls Enter 2 from Menu 24 9 System Maintenance Call Control to bring up the following menu Menu 24 9 1 Budget Management Remote Node Connection Time Total Budget Elapsed Time Total Period 1 ChangeMe No Budget No Budget 2 Dial No Budget No Budget Reset Node 0 to update screen Table 194 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number of th...

Page 513: ...nu 24 in the main menu to open Menu 24 System Maintenance as shown next Menu 24 9 2 Call History Phone Number Dir Rate call Max Min Total 1 2 3 4 5 6 7 8 9 10 Enter Entry to Delete 0 to exit Table 195 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here Dir This shows whether the call was incoming or outgoing Rate This is the transfer rate of the call call This is the...

Page 514: ...em Information and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Upload Firmware 8 Command Interpreter Mode 9 Call Control 10 Time and Date Setting 11 Remote Management Setup Enter Menu Selection Number Menu 24 10 System Maintenance Time and Date Setting Time Protocol NTP RFC 1305 Time Server Address a ntp alphazed net Current Time 08 24 26 New Ti...

Page 515: ...this menu New Date Enter the new date in year month and day format This field is available when you select Manual in the Time Protocol field Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean Time GMT Daylight Saving Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local t...

Page 516: ...United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select Oct Last Sun and type 02 in the hr field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Oct Last Sun The ti...

Page 517: ...ch ZyWALL interface if any from which computers You may manage your ZyWALL from a remote location via Note When you Choose WAN only or ALL LAN WAN DMZ you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to bring up Menu 24 11 Remote Management Control Internet WAN only AL...

Page 518: ...ld shows the port number for the service or protocol You may change the port number if needed but you must use the same port number to access the ZyWALL Access Select the access interface if any by pressing SPACE BAR then ENTER to choose from LAN only WAN only DMZ only ALL or Disable Secure Client IP The default 0 0 0 0 allows any client to use this service to remotely manage the ZyWALL Enter an I...

Page 519: ...e disabled that service in menu 24 11 3 The IP address in the Secured Client IP field menu 24 11 does not match the client IP address If it does not match the ZyWALL will disconnect the session immediately 4 There is an SMT console session running 5 There is already another remote management session with an equal or higher priority running You may only have one remote management session running at...

Page 520: ...ZyWALL 5 User s Guide 518 Chapter 40 Remote Management ...

Page 521: ... sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the ZyWALL by default applies the lowest numbered set first Set 2 will take precedence over set 3 and 4 and so on You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node Note To delete a sche...

Page 522: ... to activate the schedule set How Often Should this schedule set recur weekly or be used just once only Press SPACE BAR and then ENTER to select Once or Weekly Both these options are mutually exclusive If Once is selected then all weekday settings are N A When Once is selected the schedule rule deletes automatically after the scheduled time elapses Start Date Enter the start date when you wish the...

Page 523: ... period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means that this schedule prevents a demand call on the line When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your c...

Page 524: ...ctive Yes Encapsulation PPTP Edit IP No Service Type Standard Telco Option Allocated Budget min 0 Outgoing Period hr 0 My Login Schedules 1 2 3 4 My Password Nailed up Connections No Retype to Confirm Authen CHAP PAP PPTP Session Options My IP Addr Edit Filter Sets No My IP Mask Idle Timeout sec 100 Server IP Addr Connection ID Name Press ENTER to Confirm or ESC to Cancel ...

Page 525: ...or or cord connected to the ZyWALL and to an appropriate power source If the error persists you may have a hardware problem In this case you should contact your vendor Table 200 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL from the LAN Check your Ethernet cable type and connections Refer to the Quick Start Guide for LAN connection instructions Make sure the ...

Page 526: ...able 202 Troubleshooting the WAN Interface PROBLEM CORRECTIVE ACTION Cannot get WAN IP address from the ISP The ISP provides the WAN IP address after authentication Authentication may be through the user name and password the MAC address or the host name Use the following corrective actions to make sure the ISP can authenticate your connection You need a username and password if you re using PPPoE...

Page 527: ...yWALL from the LAN or WAN Refer to Section 21 1 1 on page 329 for scenarios when remote management may not be possible When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP address when configuring from the LAN Refer to Section 42 2 on page 523 for instructions on checking your LAN connection Refer to Section 42 4 on page 524 for instructions on ...

Page 528: ... checking your LAN connection Check that you have enabled web service access If you have configured a secured client IP address your computer s IP address must match it Refer to the chapter on remote management for details Your computer s and the ZyWALL s IP addresses must be on the same subnet for LAN access If you changed the ZyWALL s LAN IP address then enter the new one as the URL Remove any f...

Page 529: ...eption for your device s IP address 42 7 1 1 1 Disable pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 336 Pop up Blocker You can also check if pop up blocking is disabled in the Pop up Blocker section in the Privacy tab 1 In Internet Explorer select Tools Internet Options Privacy 2 Clear the Block pop ups check box in the Pop up Bl...

Page 530: ...ave this setting 42 7 1 1 2 Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen ...

Page 531: ...shooting 529 Figure 338 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to move the IP address to the list of Allowed sites ...

Page 532: ... Click Close to return to the Privacy screen 6 Click Apply to save this setting 42 7 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab ...

Page 533: ...340 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 Click OK to close the window ...

Page 534: ...s Java Scripting 42 7 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window ...

Page 535: ...hooting 533 Figure 342 Security Settings Java 42 7 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window ...

Page 536: ...ZyWALL 5 User s Guide 534 Chapter 42 Troubleshooting Figure 343 Java Sun ...

Page 537: ...t port WAN Auto negotiating auto MDI MDI X 10 100 Mbps RJ 45 Ethernet port DMZ Auto negotiating auto MDI MDI X 10 100 Mbps RJ 45 Ethernet port Reset Button Restores factory default settings Console RS 232 DB9F Dial Backup RS 232 DB9M Extension Card Slot For installing an optional ZyXEL wireless LAN card Operation Temperature 0º C 50º C Storage Temperature 30º C 60º C Operation Humidity 20 95 RH no...

Page 538: ... Authentication SHA 1 and MD5 IPSec NAT Traversal Xauth User Authentication Internal Database and External RADIUS DH1 2 RSA signature Content Filtering Web page blocking by URL keyword IKE PKI support External database content filtering Java ActiveX Cookie News blocking Traffic Management Guaranteed Maximum Bandwidth Policy based Traffic shaping Priority bandwidth utilization Static Routes System ...

Page 539: ...ol link layer protocol Transparent bridging for unsupported network layer protocols DHCP Server Client Relay RIP I RIP II ICMP SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP Other Features Transparent Firewall Bridge mode Dynamic DNS IP Alias Static Routes Bandwidth Management Table 4 Feature Specifications FEATURE SPECIFICATION Number of Static DHCP Ta...

Page 540: ...ompliant wireless LAN PCMCIA or CardBus card to avoid damage Slide the 64 pin connector end of the PCMCIA or CardBus wireless LAN card into the slot as shown next Note Only certain ZyXEL wireless LAN cards are compatible with the ZyWALL Do not force bend or twist the wireless LAN card Table 5 Compatible ZyXEL WLAN Cards and Security Features B 100 B 101 B 120 G 100 G 110 No Security Yes Yes Yes Ye...

Page 541: ...nications connection generally a computer is DTE Data Terminal Equipment and a modem is DCE Data Circuit terminating Equipment The ZyWALL is DCE when you connect a computer to the console port The ZyWALL is DTE when you connect a modem to the dial backup port 1 Figure 2 Console Dial Backup Port Pin Layout 1 Pins 2 3 and 5 are used ...

Page 542: ...hese pin assignments The CON AUX switch changes the setting in the firmware only and does not change the CON AUX port s pin assignments ZyWALLs with a CON AUX port also have a 9 pin adaptor for the console cable with these pin assignments on the male end Table 7 North American AC Power Adaptor Specifications AC Power Adapter model AD48 1201200DUY Input power AC120Volts 60Hz 0 25A Output power DC12...

Page 543: ...z Output power DC12Volts 1 2A Power consumption 9 W Plug European Union standards Safety standards TUV CE EN 60950 Table 9 UK AC Power Adaptor Specifications AC Power Adapter model AD 1201200DK Input power AC230Volts 50Hz 0 2A Output power DC12Volts 1 2A Power consumption 10 W Plug United Kingdom standards Safety standards TUV CE EN 60950 BS7002 Table 10 Japan AC Power Adaptor Specifications AC Po...

Page 544: ... 11 Australia and New Zealand AC Power Adaptor Specification AC Power Adapter model AD 1201200Ds or AD 121200DS Input power AC240Volts 50Hz 0 2A Output power DC12Volts 1 2A Power consumption 10 W Plug Australia and New Zealand standards Safety standards NATA AS 3260 ...

Page 545: ... requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that yo...

Page 546: ...icrosoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK I...

Page 547: ...dapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 5 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS information...

Page 548: ...e the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyWALL and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default gate...

Page 549: ...uter s IP Address 547 Figure 7 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 8 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 550: ...ections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and then click Properties Figure 10 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically ...

Page 551: ...re additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default ...

Page 552: ...e General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them ...

Page 553: ...ork Connections window Network and Dial up Connections in Windows 2000 NT 11Turn on your ZyWALL and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Mac...

Page 554: ...ing up Your Computer s IP Address Figure 14 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 15 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list ...

Page 555: ...k Save if prompted to save changes to your configuration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 16 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the L...

Page 556: ...ng From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyWALL and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window ...

Page 557: ...ss the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting There is also a class E address It is reserved for futur...

Page 558: ...ubnetting the class arrangement of an IP address is ignored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With subnetting some of the host ID bits are converted into network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask followed by a continuous sequence of zer...

Page 559: ...e network 192 168 1 0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit The borrowed host ID bit can be either 0 or 1 thus giving two subnets 192 168 1 0 with mask 255 255 255 128 and 192 168 1 128 with mask 255 255 255 128 Table 15 Alternative Subnet Mask Notation SUBNET MASK IP ADDRESS SUBNET MASK 1 BITS LAST OCTET BIT VALUE 255 255 255 0 2...

Page 560: ...5 255 255 128 is the directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 Similarly the host ID range for the second subnet is 192 168 1 129 to 192 168 1 254 Table 17 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 101...

Page 561: ...0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID 192 168 1 62 Table 20 Subnet 2 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000000 Subnet Mask Binary 11111111 11111111 111111...

Page 562: ...11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 23 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Table 24 Class C Subnet Planning NO...

Page 563: ...subnetting The following table is a summary for class B subnet planning Table 25 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 16382 3 255 255 224 0 19 8 8190 4 255 255 240 0 20 16 4094 5 255 255 248 0 21 32 2046 6 255 255 252 0 22 64 1022 7 255 255 254 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 1...

Page 564: ...ZyWALL 5 User s Guide 562 Appendix C IP Subnetting ...

Page 565: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN and ISDN the switching fabric is already in place It allows the ISP to use th...

Page 566: ...ss Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the computer and the ISP ZyWALL as a PPPoE Client When using the ZyWALL as a PPPoE client the compu...

Page 567: ...is that it requires one separate ATM VC per destination Figure 20 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a computer to the ANT In Windows VPN or PPTP Pass Through feature the PPTP tunneling is created from Windows 95 98 and NT clients to an NT server in a remote location The pass through feature allows users on the network t...

Page 568: ...lity The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Figure 21 PPTP Protocol Overview Microsoft includes PPTP as a part of the Windows OS In Microsoft s implementation the computer and hence the ZyWALL is the PNS that requests the PAC the ANT to place an outgoing call over AAL5 to an RFC...

Page 569: ...ssage Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using the Call ID field in the GRE header ...

Page 570: ...ZyWALL 5 User s Guide 568 Appendix E PPTP ...

Page 571: ...ZyWALL 5 User s Guide 569 ...

Page 572: ...ZyWALL 5 User s Guide 570 ...

Page 573: ...dependent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 23 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra BSS traffic is...

Page 574: ...ection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless stations within the same ESS ...

Page 575: ...however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 or 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not within range of each...

Page 576: ...n It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra n...

Page 577: ...ble However not all wireless adapters support short preamble Use long preamble if you are unsure what preamble mode the wireless adapters support to ensure interpretability between the AP and the wireless stations and to provide more reliable communication in noisy networks Select Dynamic to have the AP automatically use short preamble when all wireless stations support it otherwise the AP uses lo...

Page 578: ...s stations RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to the network ...

Page 579: ...s also encrypted to protect the network from unauthorized access EAP Authentication EAP Extensible Authentication Protocol is an authentication protocol that runs on top of the IEEE802 1x transport mechanism in order to support multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server the access point helps a wireless station and a RADIUS server perform au...

Page 580: ...ication server as MD5 authentication method does not perform mutual authentication Finally MD5 authentication method does not support data encryption with dynamic session key You must configure WEP encryption keys for data encryption EAP TLS Transport Layer Security With EAP TLS digital certifications are needed by both the server and the wireless stations for mutual authentication The server pres...

Page 581: ...P GTC is implemented only by Cisco LEAP LEAP Lightweight Extensible Authentication Protocol is a Cisco implementation of IEEE 802 1x WEP Encryption WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private It encrypts unicast and multicast communications in a network Both the wireless stations and the access points must...

Page 582: ...g the AP s default WEP key If the decrypted message matches the challenge text the wireless station is authenticated When your device authentication method is set to open system it will only accept open system authentication requests The same is true for shared key authentication However when it is set to auto authentication the device will accept either type of authentication request and the devi...

Page 583: ...grity Check MIC named Michael an extended initialization vector IV with sequencing rules and a re keying mechanism TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the PMK to dynamically generate unique data en...

Page 584: ...essing attacks but it s still an improvement over WEP as it employs an easier to use consistent single alphanumeric password Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method key management protocol type MAC address filters are not dependent on how you configure these security features Roaming A wireless statio...

Page 585: ... the change The new information is then propagated to the other access points on the LAN An example is shown in Figure 29 If the roaming feature is not enabled on the access points information is not communicated between the access points when a wireless station moves between coverage areas The wireless station may not be able to communicate with other wireless stations on the network and vice ver...

Page 586: ...x user authentication is enabled and to be done locally on the access point the new access point must have the user profile for the wireless station 3 The adjacent access points should use different radio channels when their coverage areas overlap 4 All access points must use the same port number to relay roaming information 5 The access points must be connected to the Ethernet and be able to get ...

Page 587: ...ng data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below describe the triangle route problem 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN 2 The ZyWALL reroutes the SYN packet through...

Page 588: ...aces with the ZyWALL being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyWALL to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The ZyWALL reroutes the packet to Gateway B which is in the...

Page 589: ...his ensures that all incoming network traffic passes through your ZyWALL to your LAN Therefore your LAN is protected Figure 33 Gateways on the WAN Side How To Configure Triangle Route 1 From the SMT main menu enter 24 2 Enter 8 in menu 24 to enter CI command mode 3 Use the following command to allow triangle route sys firewall ignore triangle all on or this command to disallow triangle route sys f...

Page 590: ...ZyWALL 5 User s Guide 588 Appendix G Triangle Route ...

Page 591: ...as a SIP address A complete SIP identity is called a SIP URI Uniform Resource Identifier A SIP account s URI identifies the SIP account in a way similar to the way an e mail address identifies an e mail account The format of a SIP identity is SIP Number SIP Service Domain SIP Number The SIP number is the part of the SIP URI that comes before the symbol A SIP number can use letters like in an e mai...

Page 592: ...ends SIP requests A SIP server responds to the SIP requests When you use SIP to make a VoIP call it originates at a client and terminates at a server A SIP client could be a computer or a SIP phone One device can act as both a SIP client and a SIP server SIP User Agent Server A SIP user agent server can make and receive VoIP telephone calls This means that SIP can be used for peer to peer communic...

Page 593: ...ess to an IP address and sends the translated IP address back to the device that sent the request Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server Redirect servers do not initiate SIP requests In the following example you want to use client device A to call someone who is using client device C 1 Client device...

Page 594: ... through NAT by examining and translating IP addresses embedded in the data stream When a VoIP device SIP client behind the SIP ALG registers with the SIP register server the SIP ALG translates the device s private IP address inside the SIP data stream to a public IP address You do not need to use STUN if your VoIP device is behind the SIP ALG STUN STUN Simple Traversal of User Datagram Protocol U...

Page 595: ...L dynamically creates an implicit port forwarding rule for SIP traffic from the WAN to the LAN The SIP ALG on the ZyWALL supports all NAT mapping types including One to One Many to One Many to Many Overload and Many One to One SIP ALG and Firewall The ZyWALL creates an implicit temporary firewall rule for the dynamic RTP port on the WAN to the SIP client device on the LAN The firewall rule is crea...

Page 596: ...le behind the ZyWALL without STUN use the ip alg enable ALG_SIP command to activate the SIP ALG Signaling Session Timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions The SIP UA sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL If the SIP client does not have this mechanism and makes no call during the ZyW...

Page 597: ...manually create any static IP routes for the remote VPN site They are not required Dynamic IPSec Rule Create a dynamic rule by setting the Remote Gateway Address to 0 0 0 0 A single dynamic rule can support multiple simultaneous incoming IPSec connections All users of a dynamic rule have the same pre shared key You may need to change the pre shared key if one of the users leaves See the support no...

Page 598: ... Address settings with your own values VPN Configuration This section gives a VPN rule configuration example using the web configurator 1 Click VPN to display the following screen Click the add gateway policy icon to add an IPSec rule or gateway policy Figure 38 VPN Rules 2 Configure the screens in the headquarters and the branch office as follows and click Apply The pre shared key must be exactly...

Page 599: ...ZyWALL 5 User s Guide Appendix I VPN Setup 597 Figure 39 Headquarters Gateway Policy Edit The IP address of the branch office IPSec router ...

Page 600: ...Guide 598 Appendix I VPN Setup Figure 40 Branch Office Gateway Policy Edit 3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy The IP address of the headquarters IPSec router ...

Page 601: ...yWALL 5 User s Guide Appendix I VPN Setup 599 Figure 41 Headquarters VPN Rule Figure 42 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply ...

Page 602: ...ZyWALL 5 User s Guide 600 Appendix I VPN Setup Figure 43 Headquarters Network Policy Edit IP addresses on different subnets Activate the network policy ...

Page 603: ...twork Policy Edit Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel click the dial icon in the VPN Rules IKE screen to have the IPSec routers set up the tunnel IP addresses on different subnets Activate the network policy ...

Page 604: ... Guide 602 Appendix I VPN Setup Figure 45 VPN Rule Configured The following screen displays Figure 46 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel Figure 47 VPN Tunnel Established ...

Page 605: ...routers Check the settings in each field methodically and slowly VPN Log The system log can often help to identify a configuration problem Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends clear the log and then build the tunnel View the log via the web configurator LOGS View Log screen or type sys log disp from SMT Menu 24 8 See Appendix Q on page 639 ...

Page 606: ...6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC5156C099C3F7DCA 11 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE Start Phase 2 Quick Mode 12 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC5156C099C3F7DCA 13 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE Phase 1 IKE SA process done 14 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC51...

Page 607: ...ll ras ipsec debug level 0 None 1 User 2 Low 3 High ras ipsec debug type 1 on ras ipsec debug type 2 on ras ipsec debug level 3 ras ipsec dial 1 get_ipsec_sa_by_policyIndex Start dialing for tunnel rule 1 ikeStartNegotiate saIndex 0 peerIp 5 1 2 3 protocol IPSEC_ESP 3 peer Ip 5 1 2 3 initiator type IPSEC_ESP exch Main initiator protocol IPSEC_ESP exchange mode Main mode find_ipsec_sa find ipsec sa...

Page 608: ...u were at the office instead of connected through the Internet FTP Example The following example shows a text based login from a branch office computer to an FTP server behind the remote IPSec router at headquarters The server s IP address 192 168 10 33 is in the subnet configured in the Local Policy fields in Figure 39 on page 597 C Documents and Settings Administrator ftp 192 168 10 33 Connected...

Page 609: ...Certificate Importing the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the self signed certificate into your operating system as a trusted certification authority To have Internet Explorer trust a ZyWALL certificate issued by a certificate authority import the certificate authority s certificate into your operati...

Page 610: ...pendix J Importing Certificates Figure 51 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 52 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard ...

Page 611: ...Importing Certificates 609 Figure 53 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 54 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard ...

Page 612: ...ZyWALL 5 User s Guide 610 Appendix J Importing Certificates Figure 55 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store Figure 56 Root Certificate Store ...

Page 613: ...ds a certificate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA web configurator screen ...

Page 614: ... CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next ...

Page 615: ... wizard as shown earlier in this appendix Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 616: ...cate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 61 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 617: ...rt Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 63 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 618: ...6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 66 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL the following screen asks you to select a personal certificate to send to the ZyWALL This screen displays even if...

Page 619: ...ZyWALL 5 User s Guide Appendix J Importing Certificates 617 Figure 67 SSL Client Authentication 3 You next see the ZyWALL login screen Figure 68 ZyWALL Secure Login Screen ...

Page 620: ...ZyWALL 5 User s Guide 618 Appendix J Importing Certificates ...

Page 621: ...nit and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off means that you must specify the type of net...

Page 622: ...ZyWALL 5 User s Guide 620 Appendix K Command Interpreter ...

Page 623: ...onfig display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set information about all of the sets rules appears config display firewall set set rule rule This command ...

Page 624: ...e mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the ZyWALL is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59 This command sets the minute of the hour for the firewall log to be sent via e mail if the ZyWALL is set to send it on a hourly daily or weekly basis Attack config edit firewall attack send alert yes no T...

Page 625: ...h the same destination where the ZyWALL starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specified set Config edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall set set icmp...

Page 626: ...command sets the ZyWALL to log traffic that matches the rule doesn t match both or neither Config edit firewall set set rule rule alert yes no This command sets whether or not the ZyWALL sends an alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall set set rule rule srcaddr single ip address This command sets the rule to have the ZyWALL check for traffic w...

Page 627: ... a rule to have the ZyWALL check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyWALL check for UDP traffic with this destination address You may repeat this command to enter various non consecutive port numbers config edit firewall set set rule rule UDP destport range start port end port T...

Page 628: ...ZyWALL 5 User s Guide 626 Appendix L Firewall Commands ...

Page 629: ...ng of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the sending of NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow NetBIOS packets to initiate calls...

Page 630: ...r dial This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 1 Between LAN and DMZ 2 Between WAN and DMZ 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the filter and block NetBIOS ...

Page 631: ...er s Guide Appendix M NetBIOS Filter Commands 629 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets sys filter netbios config 4 off This command stops NetBIOS commands from initiating calls ...

Page 632: ...ZyWALL 5 User s Guide 630 Appendix M NetBIOS Filter Commands ...

Page 633: ... name specifies a descriptive name for the generated certification request subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If the name contains spaces please put it in quotes key size specifies the key size It has to be an integer from 512 to 2048 The default is 1024 bits create scep_enroll name CA addr CA cert auth key subje...

Page 634: ...ive name is not specified for the imported certificate the certificate will adopt the descriptive name of the certification request export name Export the PEM encoded certificate to stdout for user to copy and paste name specifies the name of the certificate to be exported view name View the information of the specified local host certificate name specifies the name of the certificate to be viewed...

Page 635: ...rusted CA certificate names and basic information rename old name new name Rename the specified trusted CA certificate old name specifies the name of the certificate to be renamed new name specifies the new name as which the certificate is to be saved crl_issuer name on off Specify whether or not the specified CA issues CRL name specifies the name of the CA certificate on off specifies whether or ...

Page 636: ...rd if required The format is login password delete name Delete the specified directory service name specifies the name of the directory server to be deleted view name View the specified directory service name specifies the name of the directory server to be viewed edit name addr port login pswd Edit the specified directory service name specifies the name of the directory server to be edited addr p...

Page 637: ...on on the command structure Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered Table 33 Brute Force Password Guessing Protection Commands COMMAND DESCRIPTION sys pwderrtm This command displays the brute force guessing password protection settings sys pwderrtm 0 This command turns off t...

Page 638: ...ZyWALL 5 User s Guide 636 Appendix O Brute Force Password Guessing Protection ...

Page 639: ...module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows for example ATBA3 will give a console port speed of 9 6 Kbps ATSE displays the seed that is used to generate a password to turn on the debug flag in the firmware The ATSH com...

Page 640: ...mon Area ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program at addr x or boot router ATGR boot router ATGT run Hardware Test Program ATRTw x y z RAM test level w from address x to y z iterations ATSH dump manufacturer related data in ROM ATTD d...

Page 641: ...sful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the router via ftp FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table entries has been exceeded and the table is full Starting Conne...

Page 642: ...he max number of session per host This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host setNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings readNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings WAN connection is down A WAN connection is ...

Page 643: ...e maximum sessions per host Firewall allowed a packet that matched a NAT session TCP UDP A packet from the WAN TCP or UDP matched a cone NAT session and the device forwarded it to the LAN Table 37 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack the TCP incomplete count is per destination host Exc...

Page 644: ...d set d rule d Attempted access matched a configured filter rule denoted by its set and rule number and was blocked or forwarded according to the rule Table 39 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy ICMP Packet Direction type d code d ICMP access matched the default policy and was blocked or forwarded according to the user s setting Firewall rule NOT match ICMP Packet Direction ...

Page 645: ...he PPP connection s Link Control Protocol stage has started ppp LCP Opening The PPP connection s Link Control Protocol stage is opening ppp CHAP Opening The PPP connection s Challenge Handshake Authentication Protocol stage is opening ppp IPCP Starting The PPP connection s Internet Protocol Control Protocol stage is starting ppp IPCP Opening The PPP connection s Internet Protocol Control Protocol ...

Page 646: ...er is not on according to the time schedule or you didn t select the Block Matched Web Site checkbox the system forwards the web content Waiting content filter server timeout The external content filtering server did not respond within the timeout period DNS resolving failed The ZyWALL cannot get the IP address of the external content filtering via DNS query Creating socket failed The ZyWALL canno...

Page 647: ...ity ICMP type d code d The firewall detected an ICMP vulnerability attack traceroute ICMP type d code d The firewall detected an ICMP traceroute attack ports scan UDP The firewall detected a UDP port scan attack Firewall sent TCP packet in response to DoS attack TCP The firewall sent TCP packet in response to a DoS attack ICMP Source Quench ICMP The firewall detected an ICMP Source Quench attack I...

Page 648: ...less station associated with the device WLAN STA Association List Full The maximum number of associated wireless clients has been reached WLAN STA Association Again The SSID and time of association were updated for an wireless station that was already associated Table 47 IPSec Logs LOG MESSAGE DESCRIPTION Discard REPLAY packet The router received and discarded a packet with an incorrect sequence n...

Page 649: ...A process done The phase 1 IKE SA process has been completed Duplicate requests with the same cookie The router received multiple requests from the same peer while still processing the first IKE packet from the peer IKE Negotiation is in process The router has already started negotiating with the peer for the connection but the IKE process has not finished yet No proposal chosen Phase 1 or phase 2...

Page 650: ...ase 1 ID contents do not match Configured Peer ID Content Configured Peer ID Content The phase 1 ID contents do not match and the configured Peer ID Content is displayed Incoming ID Content Incoming Peer ID Content The phase 1 ID contents do not match and the incoming packet s ID content is displayed Unsupported local ID Type d The phase 1 ID type is not supported by the router Build Phase 1 ID Th...

Page 651: ... Phase 1 hash mismatch The listed rule s IKE phase 1 hash did not match between the router and the peer Rule d Phase 1 preshared key mismatch The listed rule s IKE phase 1 pre shared key did not match between the router and the peer Rule d Tunnel built successfully The listed rule s IPSec tunnel has been built successfully Rule d Peer s public key not found The listed rule s IKE phase 1 peer s pub...

Page 652: ...uer name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd ARL size issuer name The router received an ARL Authority Revocation List with size and issuer name as recorded from the LDAP server whose address and port are recorded in the Source field Failed to decode the received ca cert The router received a corrupted certification authority certificate...

Page 653: ...tical extension that was not handled 13 Certificate issuer was not valid CA specific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CRL decoding failed 21 CRL is not currently valid but in the future 22 CRL contains duplicate serial numbers 23 Time interval is not c...

Page 654: ...Database does not support authentication mothed A user tried to use an authentication method that the local user database does not support it only supports EAP MD5 No response from RADIUS Pls check RADIUS Server There is no response message from the RADIUS server please check the RADIUS server Use Local User Database to authenticate user The local user database is operating as the authentication s...

Page 655: ...was dropped because it was set to Don t Fragment DF 5 Source route failed 4 Source Quench 0 A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service an...

Page 656: ... message is sent by the system RAS displays as the system name if you haven t configured one when the router generates a syslog The facility is defined in the Log Settings screen The severity is the log s syslog class The definition of messages and notes are defined in the various log charts throughout this appendix The devID is the MAC address of the router s LAN port The cat is the same as the c...

Page 657: ...f the log categories Figure 71 Displaying Log Categories Example 3 Use sys logs category followed by a log category to display the parameters that are available for the category KE Key Exchange ID Identification CER Certificate CER_REQ Certificate Request HASH Hash SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID Table 55 RFC 2408 ISAKMP Payload Types continued LOG DISPLAY PAY...

Page 658: ...ailable with every category 5 Use the sys logs save command to store the settings in the ZyWALL you must do this in order to record logs Displaying Logs Use the sys logs display command to show all of the logs in the ZyWALL s log Use the sys logs category display command to show the log settings for all of the log categories Use the sys logs display log category command to show the logs in an indi...

Page 659: ...ACCESS BLOCK Firewall default policy IGMP W to W ZW 1 06 08 2004 05 58 20 172 21 3 56 239 255 255 250 ACCESS BLOCK Firewall default policy IGMP W to W ZW 2 06 08 2004 05 58 20 172 21 0 2 239 255 255 254 ACCESS BLOCK Firewall default policy IGMP W to W ZW 3 06 08 2004 05 58 20 172 21 3 191 224 0 1 22 ACCESS BLOCK Firewall default policy IGMP W to W ZW 4 06 08 2004 05 58 20 172 21 0 254 224 0 0 1 AC...

Page 660: ...ZyWALL 5 User s Guide 658 Appendix Q Log Descriptions ...

Page 661: ...Mbps Ethernet DMZ 46 auto negotiation 45 46 AWG 3 B Backup 384 492 Backup WAN 46 Bandwidth Borrowing 305 Bandwidth Class 301 Bandwidth Filter 301 311 Bandwidth Management 47 301 Bandwidth Management Statistics 312 Bandwidth Manager Class Configuration 309 Bandwidth Manager Class Setup 308 Bandwidth Manager Monitor 313 Bandwidth Manager Summary 306 Basement 3 Blocking Time 182 183 184 Bridge Protoc...

Page 662: ...Destination Address 165 DHCP 66 85 88 98 326 371 417 DHCP Dynamic Host Configuration Protocol 50 DHCP Ethernet Setup 416 DHCP Table 66 Diagnostic 487 Dial Timeout 407 Diffie Hellman Key Groups 226 DMZ IP Alias 428 IP Alias Setup 429 Port Filter Setup 427 Setup 427 428 TCP IP Setup 428 DNS 349 DNS Server For VPN Host 318 Domain Name 290 371 482 DoS Basics 153 Types 154 DoS Denial of Service 48 Drop...

Page 663: ...Maintenance 491 Flow Control 389 Fragmentation Threshold 574 Fragmentation threshold 574 France Contact Information 5 FTP 290 326 329 344 493 517 File Upload 501 GUI based Clients 494 Restoring Files 497 FTP File Transfer 500 FTP Restrictions 329 494 517 FTP Server 51 454 Full Network Management 51 G Gas Pipes 3 Gateway IP Addr 437 Gateway IP Address 424 442 General Setup 371 397 Germany Contact I...

Page 664: ...24 K Key Fields For Configuring Rules 165 L LAN IP Address 367 369 LAN Port Filter Setup 415 LAN Setup 415 416 LAN TCP IP 85 LAN to WAN Rules 166 LAND 154 155 Lightning 3 Link type 59 62 99 Liquids Corrosive 3 Local 281 Log 483 Log Facility 484 Logging 51 Login Name 424 Login Screen 390 M MAC Address 404 MAC Address Filter Action 422 MAC Address Filtering 119 MAC service data unit 421 Main Menu 39...

Page 665: ...pening 3 Outgoing Protocol Filters 420 Outside 281 P Packet Filtering 49 161 Packet Filtering Firewalls 151 Pairwise Master Key PMK 581 PAP 408 435 Password 372 390 395 424 477 Path cost 96 PCMCIA Port 46 Perfect Forward Secrecy 226 Period hr 408 435 Ping 489 Ping of Death 154 Pipes 3 Point to Point Tunneling Protocol 72 291 Point to Point Tunneling ProtocolSee PPTP 131 Pool 3 POP3 153 290 Port Fo...

Page 666: ...nts 584 Root bridge 96 Root Class 308 Route 433 RTC 511 RTCSee Real Time Chip 46 RTP 592 RTS Request To Send 574 RTS Request To Send threshold 109 RTS Threshold 573 574 RTS CTS handshake 421 Rules 163 166 Checklist 164 Creating Custom 163 Key Fields 165 LAN to WAN 166 Logic 164 S SA Security Association 213 Saving the State 157 Schedule Sets Duration 520 Scheduler 303 307 Schedules 433 435 436 Sec...

Page 667: ...2 495 503 504 507 509 510 512 513 System Management Terminal 390 System Name 372 397 System Statistics 65 System Status 479 System Timeout 330 T TCP Maximum Incomplete 182 183 184 TCP Security 159 TCP IP 153 154 343 409 416 418 428 436 468 469 471 474 Setup 418 TCP IP and DHCP Setup 416 TCP IP filter rule 468 Teardrop 154 Telecommunication Line Cord 3 Telephone 5 Telnet 343 Telnet Configuration 34...

Page 668: ... 488 489 WAN Setup 121 403 WAN to LAN Rules 166 Warnings 3 Water 3 Water Pipes 3 Web 343 Web Configurator 55 58 152 161 165 462 Web Site 5 Web Site Hits 367 368 WEP Encryption 49 111 116 118 WEP encryption 579 Wet Basement 3 Wireless LAN 46 Wireless LAN MAC Address Filtering 49 Wireless LAN Setup 420 Wizard Setup 69 WLAN Interference 573 Security parameters 582 Worldwide Contact Information 5 WWW ...