ZyXEL Communications ZyWall 5 Series User Manual

Internet security appliance
ZyWALL 5/35/70 Series
Internet Security Appliance
User's Guide
Version 4.01
7/2006
Edition 1

Summary of Contents for ZyXEL Communications ZyWall 5 Series

  • Page 1 ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.01 7/2006 Edition 1...
  • Page 3: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 4: Certifications

    Certifications. Federal Communications Commission (FCC) Interference Statement: the device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions:
    • This device may not cause harmful interference.
    • This device must accept any interference received, including interference that may cause undesired operation.
  • Page 5: Safety Warnings

    Safety Warnings. For your safety, be sure to read and follow all warning notices and instructions.
    • Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
    • ...
  • Page 6 Safety Warnings (continued): This product is recyclable. Dispose of it properly...
  • Page 7: Zyxel Limited Warranty

    ZyXEL Limited Warranty: ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever...
  • Page 8: Customer Support

    • Brief description of the problem and the steps you took to solve it.
    The contact table's columns are Method, Support E-mail, Telephone, Web Site, Regular Mail, Sales E-mail, FTP Site and Location.
    Corporate Headquarters (Worldwide): support e-mail support@zyxel.com.tw; telephone numbers listed +886-3-578-3942 and +886-3-578-2439; web sites www.zyxel.com and www.europe.zyxel.com; sales e-mail sales@zyxel.com.tw; FTP sites ftp.zyxel.com and ftp.europe.zyxel.com; regular mail ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan...
  • Page 9 Norway: support e-mail support@zyxel.no; telephone numbers listed +47-22-80-61-80 and +47-22-80-61-81; web site www.zyxel.no; sales e-mail sales@zyxel.no; regular mail ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway. Poland: e-mail info@pl.zyxel.com; telephone +48 (22) 333 8250; web site www.pl.zyxel.com; regular mail ZyXEL Communications, ul. Okrzei 1A...
  • Page 10 Customer Support (continued)...
  • Page 11: Table Of Contents

    Table of Contents
    Copyright ... 3
    Certifications ... 4
    Safety Warnings ... 5
    ZyXEL Limited Warranty ... 7
    Customer Support ... 8
    Table of Contents ... 11
    List of Figures ... 31
    List of Tables ... 45
    Preface ...
  • Page 12 Table of Contents (continued)
    2.4.5 Navigation Panel ... 78
    2.4.6 Port Statistics ... 83
    2.4.7 Show Statistics: Line Chart ... 84
    2.4.8 DHCP Table Screen ... 85
    2.4.9 VPN Status ... 86
    2.4.10 Bandwidth Monitor ... 87
    Chapter 3 Wizard Setup ... 89
    3.1 Wizard Setup Overview ... 89
    3.2 Internet Access ... 90
    3.2.1 ISP Parameters ... 90
    3.2.1.1 Ethernet ... 90
    ...
  • Page 13 Table of Contents (continued)
    Chapter 6 LAN Screens ... 129
    6.1 LAN, WAN and the ZyWALL ... 129
    6.2 IP Address and Subnet Mask ... 129
    6.2.1 Private IP Addresses ... 130
    6.3 DHCP ... 131
    6.3.1 IP Pool Setup ... 131
    6.4 RIP Setup ... 131
    6.5 Multicast ... 131
    6.6 WINS ... 132
    6.7 LAN ... 132
    ...
  • Page 14 Table of Contents (continued)
    8.8 WAN Route ... 157
    8.9 WAN IP Address Assignment ... 159
    8.10 DNS Server Address Assignment ... 159
    8.11 WAN MAC Address ... 160
    8.12 WAN ... 160
    8.12.1 WAN Ethernet Encapsulation ... 160
    8.12.2 PPPoE Encapsulation ... 163
    8.12.3 PPTP Encapsulation ... 166
    8.13 Traffic Redirect ... 170
    8.14 Configuring Traffic Redirect ... 170
    ...
  • Page 15 Table of Contents (continued)
    10.9.1 Introduction to RADIUS ... 200
    10.9.1.1 Types of RADIUS Messages ... 200
    10.9.2 EAP Authentication Overview ... 201
    10.10 Dynamic WEP Key Exchange ... 202
    10.11 Introduction to WPA ... 202
    10.11.1 User Authentication ... 202
    10.11.2 Encryption ... 202
    10.12 WPA-PSK Application Example ... 203
    10.13 Introduction to RADIUS ... 204
    10.14 WPA with RADIUS Application Example ... 204
    10.15 Wireless Client WPA Supplicants ... 205
    ...
  • Page 16 Table of Contents (continued)
    11.13.1 Firewall Edit Custom Service ... 245
    11.14 My Service Firewall Rule Example ... 246
    Chapter 12 Intrusion Detection and Prevention (IDP) ... 251
    12.1 Introduction to IDP ... 251
    12.1.1 Firewalls and Intrusions ... 251
    12.1.2 IDS and IDP ... 252
    12.1.3 Host IDP ... 252
    12.1.4 Network IDP ... 252
    12.1.5 Example Intrusions ... 253
    ...
  • Page 17 Table of Contents (continued)
    14.2.2 Notes About the ZyWALL Anti-Virus ... 273
    14.3 General Anti-Virus Setup ... 274
    14.4 Signature Searching ... 276
    14.4.1 Signature Search Example ... 278
    14.5 Signature Update ... 281
    14.5.1 mySecurityZone ... 281
    14.5.2 Configuring Anti-virus Update ... 281
    14.6 Backup and Restore ... 283
    Chapter 15 Anti-Spam ...
  • Page 18 Table of Contents (continued)
    Chapter 17 Content Filtering Reports ... 315
    17.1 Checking Content Filtering Activation ... 315
    17.2 Viewing Content Filtering Reports ... 315
    17.3 Web Site Submission ... 320
    Chapter 18 IPSec VPN ... 323
    18.1 IPSec VPN Overview ... 323
    18.1.1 IKE SA Overview ... 324
    18.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router ... 324
    18.2 VPN Rules (IKE) ... 325
    ...
  • Page 19 Table of Contents (continued)
    18.16.1 Hub-and-spoke VPN Example ... 360
    18.16.2 Hub-and-spoke Example VPN Rule Addresses ... 360
    18.16.3 Hub-and-spoke VPN Requirements and Suggestions ... 361
    Chapter 19 Certificates ... 363
    19.1 Certificates Overview ... 363
    19.1.1 Advantages of Certificates ... 364
    19.2 Self-signed Certificates ... 364
    19.3 Verifying a Certificate ... 364
    19.3.1 Checking the Fingerprint of a Certificate on Your Computer ... 364
    19.4 Configuration Summary ... 365
    ...
  • Page 20 Table of Contents (continued)
    21.1.5 Port Restricted Cone NAT ... 398
    21.1.6 NAT Mapping Types ... 398
    21.2 Using NAT ... 399
    21.2.1 SUA (Single User Account) Versus NAT ... 399
    21.3 NAT Overview Screen ... 400
    21.4 NAT Address Mapping ... 401
    21.4.1 NAT Address Mapping Edit ... 403
    21.5 Port Forwarding ... 404
    21.5.1 Default Server IP Address ... 405
    21.5.2 Port Forwarding: Services and Port Numbers ... 405
    ...
  • Page 21 Table of Contents (continued)
    24.7.5 Maximize Bandwidth Usage Example ... 426
    24.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth ... 427
    24.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth ...
    24.8 Bandwidth Borrowing ... 428
    24.8.1 Bandwidth Borrowing Example ... 428
    24.9 Maximize Bandwidth Usage With Bandwidth Borrowing ... 429
    24.10 Over Allotment of Bandwidth ... 429
    24.11 Configuring Summary ... 430
    24.12 Configuring Class Setup ...
  • Page 22 Table of Contents (continued)
    26.4.2 Netscape Navigator Warning Messages ... 456
    26.4.3 Avoiding the Browser Warning Messages ... 457
    26.4.4 Login Screen ... 457
    26.5 SSH ... 460
    26.6 How SSH Works ... 460
    26.7 SSH Implementation on the ZyWALL ... 461
    26.7.1 Requirements for Using SSH ... 462
    26.8 Configuring SSH ... 462
    26.9 Secure Telnet Using SSH Examples ... 463
    26.9.1 Example 1: Microsoft Windows ... 463
    ...
  • Page 23 Table of Contents (continued)
    28.1.2 ALG and the Firewall ... 485
    28.1.3 ALG and Multiple WAN ... 485
    28.2 FTP ... 486
    28.3 H.323 ... 486
    28.4 RTP ... 486
    28.4.1 H.323 ALG Details ... 486
    28.5 SIP ... 488
    28.5.1 STUN ... 488
    28.5.2 SIP ALG Details ... 488
    28.5.3 SIP Signaling Session Timeout ... 489
    28.5.4 SIP Audio Session Timeout ... 489
    28.6 ALG Screen ... 489
    ...
  • Page 24 Table of Contents (continued)
    31.5.2 Time Server Synchronization ... 536
    31.6 Introduction To Transparent Bridging ... 537
    31.7 Transparent Firewalls ... 538
    31.8 Configuring Device Mode (Router) ... 539
    31.9 Configuring Device Mode (Bridge) ... 540
    31.10 F/W Upload Screen ... 542
    31.11 Backup and Restore ... 544
    31.11.1 Backup Configuration ... 544
    31.11.2 Restore Configuration ... 545
    31.11.3 Back to Factory Defaults ... 546
    ...
  • Page 25 Table of Contents (continued)
    Chapter 35 LAN Setup ... 575
    35.1 Introduction to LAN Setup ... 575
    35.2 Accessing the LAN Menus ... 575
    35.3 LAN Port Filter Setup ... 575
    35.4 TCP/IP and DHCP Ethernet Setup Menu ... 576
    35.4.1 IP Alias Setup ... 579
    Chapter 36 Internet Access ...
  • Page 26 Table of Contents (continued)
    40.3 Remote Node Profile Setup ... 600
    40.3.1 Ethernet Encapsulation ... 600
    40.3.2 PPPoE Encapsulation ... 602
    40.3.2.1 Outgoing Authentication Protocol ... 602
    40.3.2.2 Nailed-Up Connection ... 602
    40.3.2.3 Metric ... 603
    40.3.3 PPTP Encapsulation ... 603
    40.4 Edit IP ... 604
    40.5 Remote Node Filter ... 606
    40.6 Traffic Redirect ... 607
    Chapter 41 IP Static Route Setup ...
  • Page 27 Table of Contents (continued)
    44.2 Configuring a Filter Set ... 636
    44.2.1 Configuring a Filter Rule ... 637
    44.2.2 Configuring a TCP/IP Filter Rule ... 638
    44.2.3 Configuring a Generic Filter Rule ... 640
    44.3 Example Filter ... 642
    44.4 Filter Types and NAT ... 644
    44.5 Firewall Versus Filters ... 644
    44.5.1 Packet Filtering ... 645
    44.5.1.1 When To Use Filtering ... 645
    ...
  • Page 28 Table of Contents (continued)
    47.3.4 GUI-based FTP Clients ... 666
    47.3.5 File Maintenance Over WAN ... 666
    47.3.6 Backup Configuration Using TFTP ... 667
    47.3.7 TFTP Command Example ... 667
    47.3.8 GUI-based TFTP Clients ... 668
    47.3.9 Backup Via Console Port ... 668
    47.4 Restore Configuration ... 669
    47.4.1 Restore Using FTP ... 669
    47.4.2 Restore Using FTP Session Example ... 671
    47.4.3 Restore Via Console Port ... 671
    ...
  • Page 29 Table of Contents (continued)
    50.3 IP Policy Routing Example ... 695
    Chapter 51 Call Scheduling ... 699
    51.1 Introduction to Call Scheduling ... 699
    Chapter 52 Troubleshooting ... 703
    52.1 Problems Starting Up the ZyWALL ... 703
    52.2 Problems with the LAN Interface ... 703
    52.3 Problems with the DMZ Interface ... 704
    52.4 Problems with the WAN Interface ... 704
    52.5 Problems Accessing the ZyWALL ... 705
    ...
  • Page 30 Table of Contents (continued)
    Importing Certificates ... 787
    Appendix K Command Interpreter ... 799
    Appendix L Firewall Commands ... 807
    Appendix M NetBIOS Filter Commands ... 813
    Appendix N Certificates Commands ... 817
    Appendix O Brute-Force Password Guessing Protection ... 821
    Appendix P Boot Commands ...
  • Page 31: List Of Figures

    List of Figures
    Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ... 63
    Figure 2 VPN Application ... 64
    Figure 3 ZyWALL 70 Front Panel ... 64
    Figure 4 ZyWALL 35 Front Panel ... 64
    Figure 5 ZyWALL 5 Front Panel ...
  • Page 32 List of Figures (continued)
    Figure 38 IDP Configuration for To VPN Traffic ... 114
    Figure 39 Firewall Rule for VPN ... 115
    Figure 40 SECURITY > VPN > VPN Rules (IKE) ... 115
    Figure 41 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy ...
  • Page 33 List of Figures (continued)
    Figure 81 DMZ Public Address Example ... 186
    Figure 82 DMZ Private and Public Address Example ... 187
    Figure 83 NETWORK > DMZ > Port Roles ... 188
    Figure 84 NETWORK > WLAN ... 190
    Figure 85 NETWORK > ...
  • Page 34 List of Figures (continued)
    Figure 123 Firewall Edit Custom Service ... 245
    Figure 124 My Service Firewall Rule Example: Service ... 246
    Figure 125 My Service Firewall Rule Example: Edit Custom Service ... 247
    Figure 126 My Service Firewall Rule Example: Rule Summary ... 247
    Figure 127 My Service Firewall Rule Example: Rule Edit ...
  • Page 35 List of Figures (continued)
    Figure 166 Requested URLs Example ... 320
    Figure 167 Web Page Review Process Screen ... 321
    Figure 168 VPN: Example ... 323
    Figure 169 VPN: IKE SA and IPSec SA ... 324
    Figure 170 Gateway and Network Policies ... 325
    Figure 171 IPSec Fields Summary ...
  • Page 36 List of Figures (continued)
    Figure 209 SECURITY > AUTH SERVER > RADIUS ... 393
    Figure 210 How NAT Works ... 396
    Figure 211 NAT Application With IP Alias ... 397
    Figure 212 Port Restricted Cone NAT Example ... 398
    Figure 213 ADVANCED > ...
  • Page 37 List of Figures (continued)
    Figure 252 SSH Example 1: Store Host Key ... 463
    Figure 253 SSH Example 2: Test ... 464
    Figure 254 SSH Example 2: Log in ... 464
    Figure 255 Secure FTP: Firmware Upload Example ... 465
    Figure 256 Telnet Configuration on a TCP/IP Network ...
  • Page 38 List of Figures (continued)
    Figure 294 MAINTENANCE > Device Mode (Bridge Mode) ... 541
    Figure 295 MAINTENANCE > Firmware Upload ... 542
    Figure 296 Firmware Upload In Process ... 543
    Figure 297 Network Temporarily Disconnected ...
  • Page 39 List of Figures (continued)
    Figure 336 Menu 6: Route Setup ... 589
    Figure 337 Menu 6.1: Route Assessment ... 589
    Figure 338 Menu 6.2: Traffic Redirect ... 590
    Figure 339 Menu 6.3: Route Failover ... 591
    Figure 340 Menu 7.1: Wireless Setup ... 593
    Figure 341 Menu 7.1.1: WLAN MAC Address Filter ...
  • Page 40 List of Figures (continued)
    Figure 378 Example 4: Menu 15.1.1: Address Mapping Rules ... 628
    Figure 379 Menu 15.3.1: Trigger Port Setup ... 629
    Figure 380 Menu 21: Filter and Firewall Setup ... 631
    Figure 381 Menu 21.2: Firewall Setup ... 632
    Figure 382 Outgoing Packet Filtering Process ...
  • Page 41 List of Figures (continued)
    Figure 421 Telnet Into Menu 24.7.2: System Maintenance ... 673
    Figure 422 FTP Session Example of Firmware File Upload ... 674
    Figure 423 Menu 24.7.1 As Seen Using the Console Port ... 676
    Figure 424 Example Xmodem Upload ... 676
    Figure 425 Menu 24.7.2 As Seen Using the Console Port ...
  • Page 42 List of Figures (continued)
    Figure 464 Windows XP: Control Panel: Network Connections: Properties ... 734
    Figure 465 Windows XP: Local Area Connection Properties ... 734
    Figure 466 Windows XP: Internet Protocol (TCP/IP) Properties ... 735
    Figure 467 Windows XP: Advanced TCP/IP Properties ... 736
    Figure 468 Windows XP: Internet Protocol (TCP/IP) Properties ...
  • Page 43 List of Figures (continued)
    Figure 507 IKE/IPSec Debug Example ... 785
    Figure 508 Security Certificate ... 787
    Figure 509 Login Screen ... 788
    Figure 510 Certificate General Information before Import ... 788
    Figure 511 Certificate Import Wizard 1 ... 789
    Figure 512 Certificate Import Wizard 2 ...
  • Page 44 List of Figures (continued)...
  • Page 45: List Of Tables

    List of Tables
    Table 1 ZyWALL Model Specific Features ... 55
    Table 2 Front Panel Lights ... 64
    Table 3 Title Bar: Web Configurator Icons ... 70
    Table 4 Web Configurator HOME Screen in Router Mode ... 71
    Table 5 Web Configurator HOME Screen in Bridge Mode ...
  • Page 46 List of Tables (continued)
    Table 39 Example of Network Properties for LAN Servers with Fixed IP Addresses ... 160
    Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) ... 161
    Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) ... 165
    Table 42 NETWORK > ...
  • Page 47 List of Tables (continued)
    Table 82 SECURITY > ANTI-VIRUS > General ... 275
    Table 83 SECURITY > ANTI-VIRUS > Signature: Query View ... 277
    Table 84 SECURITY > ANTI-SPAM > General ... 290
    Table 85 SECURITY > ANTI-SPAM > External DB ... 293
    Table 86 SECURITY > ...
  • Page 48 List of Tables (continued)
    Table 125 Services and Port Numbers ... 405
    Table 126 ADVANCED > NAT > Port Forwarding ... 408
    Table 127 ADVANCED > NAT > Port Triggering ... 410
    Table 128 ADVANCED > STATIC ROUTE > IP Static Route ... 414
    Table 129 ADVANCED > ...
  • Page 49 List of Tables (continued)
    Table 168 TCP Reset Logs ... 512
    Table 169 Packet Filter Logs ... 513
    Table 170 ICMP Logs ... 513
    Table 171 CDR Logs ... 513
    Table 172 PPP Logs ... 514
    Table 173 UPnP Logs ... 514
    Table 174 Content Filtering Logs ...
  • Page 50 List of Tables (continued)
    Table 211 Menu 11.3.2: Remote Node Network Layer Options ... 571
    Table 212 Menu 11.3.3: Remote Node Script ... 574
    Table 213 Menu 3.2: DHCP Ethernet Setup Fields ... 577
    Table 214 Menu 3.2: LAN TCP/IP Setup Fields ... 578
    Table 215 Menu 3.2.1: IP Alias Setup ...
  • Page 51 List of Tables (continued)
    Table 254 Menu 25: Sample IP Routing Policy Summary ... 691
    Table 255 IP Routing Policy Setup ... 692
    Table 256 Menu 25.1: IP Routing Policy Setup ... 693
    Table 257 Menu 25.1.1: IP Routing Policy Setup ... 695
    Table 258 Schedule Set Setup ...
  • Page 52 List of Tables (continued)...
  • Page 53: Preface

    Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
  • Page 54: Syntax Conventions

    Syntax Conventions
    • “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
    • The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font.
  • Page 55: Getting To Know Your Zywall

    Chapter 1 Getting to Know Your ZyWALL. This chapter introduces the main features and applications of the ZyWALL. ZyWALL Internet Security Appliance Overview: The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), anti-virus and certificates.
  • Page 56: Physical Features

    Table 1 ZyWALL Model Specific Features (columns: Model #, Feature)
    Features listed: Changing Port Roles between the LAN and DMZ; Policy Route.
    Table key: An O in a model’s column shows that the model has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 57: Non-Physical Features

    The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. They allow data transfers of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
  • Page 58 SIP Passthrough: The ZyWALL includes a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT by examining and translating the IP addresses embedded in the data stream. STP (Spanning Tree Protocol) / RSTP (Rapid STP): When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers.
  • Page 59 Firewall: The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it belongs to a connection initiated from the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real-time alerts, reports and logs.
  • Page 60 RADIUS (RFC 2138, 2139): The ZyWALL can work with a RADIUS (Remote Authentication Dial In User Service) server for user authentication, authorization and accounting. IEEE 802.1x for Network Security: The ZyWALL supports the IEEE 802.1x standard, which works with IEEE 802.11 to enhance user authentication.
  • Page 61 PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time. Dynamic DNS Support: With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet.
  • Page 62 Network Address Translation (NAT): NAT allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 63: Applications For The Zywall

    Upgrade ZyWALL Firmware via LAN: The firmware of the ZyWALL can be upgraded via the LAN. Embedded FTP and TFTP Servers: The ZyWALL’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration. Note that FTP and TFTP carry credentials and file contents in cleartext; the SSH chapter’s Secure FTP example (Figure 255, Secure FTP: Firmware Upload Example) shows the upload done over SSH instead.
  • Page 64: Front Panel Lights

    Figure 2 VPN Application
    1.3.3 Front Panel Lights
    Figure 3 ZyWALL 70 Front Panel; Figure 4 ZyWALL 35 Front Panel; Figure 5 ZyWALL 5 Front Panel
    The following table describes the lights.
    Table 2 Front Panel Lights (columns: LED, Color, Status, Description) ...
  • Page 65 Table 2 Front Panel Lights (continued)
    CARD (Green): Off: the wireless LAN is not ready, or has failed. On: the wireless LAN is ready. Flashing: the wireless LAN is sending or receiving packets.
    LAN 10/100: Off: the LAN/DMZ is not connected. ...
  • Page 66 Chapter 1 Getting to Know Your ZyWALL...
  • Page 67: Introducing The Web Configurator

    Chapter 2 Introducing the Web Configurator. This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview: The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser.
  • Page 68: Resetting The Zywall

    Figure 6 Change Password Screen
    6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. The replacement is still a self-signed certificate, so verify its fingerprint in your browser the first time you connect (see 19.3.1, Checking the Fingerprint of a Certificate on Your Computer).
    Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
  • Page 69: Uploading A Configuration File Via Console Port

    1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
    2 Turn the ZyWALL off.
    3 While pressing the RESET button, turn the ZyWALL on.
  • Page 70: Title Bar

    Figure 9 HOME Screen. As illustrated above, the main screen is divided into these parts:
    • A - title bar
    • B - navigation panel
    • C - main window
    • D - status bar
    2.4.1 Title Bar: The title bar provides some icons in the upper right corner.
  • Page 71: Main Window

    2.4.2 Main Window: The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > ...
  • Page 72 Table 4 Web Configurator HOME Screen in Router Mode (continued)
    System Name: This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
  • Page 73 Table 4 Web Configurator HOME Screen in Router Mode (continued)
    Status: For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device’s ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time.
  • Page 74: Home Screen: Bridge Mode

    Table 4 Web Configurator HOME Screen in Router Mode (continued)
    Web Site Blocked: This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
    Top 5 Intrusion & ...
  • Page 75: Figure 11 Web Configurator Home Screen In Bridge Mode

    You can use the firewall and VPN in bridge mode. Figure 11 Web Configurator HOME Screen in Bridge Mode. The following table describes the labels in this screen.
    Table 5 Web Configurator HOME Screen in Bridge Mode
    Automatic ...
  • Page 76 Table 5 Web Configurator HOME Screen in Bridge Mode (continued)
    Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
  • Page 77 Table 5 Web Configurator HOME Screen in Bridge Mode (continued)
    RSTP Active: This shows whether or not RSTP is active on the corresponding port.
    RSTP Priority: This is the RSTP priority of the corresponding port.
    RSTP Path Cost: This is the cost of transmitting a frame from the root bridge to the corresponding port.
  • Page 78: Navigation Panel

    Table 5 Web Configurator HOME Screen in Bridge Mode (continued)
    System Status
    Port Statistics: Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
    VPN: Click VPN to display the active VPN connections.
  • Page 79: Table 7 Screens Summary

    Table 6 Bridge and Router Mode Features Comparison (columns: Feature, Bridge Mode, Router Mode)
    Features listed: Remote Management; UPnP; Logs; Maintenance.
    Table key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 80 Table 7 Screens Summary (continued)
    General: This screen allows you to configure load balancing, route priority and traffic redirect properties.
    Route: This screen allows you to configure route priority. (ZyWALL 5 only)
    WAN (ZyWALL ...): Use this screen to configure the WAN port for internet access.
  • Page 81 Table 7 Screens Summary (continued)
    General: Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions.
    Signature: Use these screens to view signatures by attack type or search for signatures by signature name, ID, severity, target operating system, action etc.
  • Page 82 Table 7 Screens Summary (continued)
    AUTH SERVER
    Local User Database: Use this screen to configure the local user account(s) on the ZyWALL.
    RADIUS: Configure this screen to use an external server to authenticate wireless and/or VPN users.
  • Page 83: Port Statistics

    Table 7 Screens Summary (continued)
    SYSTEM REPORTS: Reports: Use this screen to have the ZyWALL record and display network usage reports.
    THREAT REPORTS: Use this screen to collect and display statistics on the intrusions that the ZyWALL has detected.
  • Page 84: Show Statistics: Line Chart

    The following table describes the labels in this screen.
    Table 8 HOME > Show Statistics
    (chart icon): Click the icon to display the chart of throughput statistics.
    Port: These are the ZyWALL’s interfaces.
    Status: For the WAN and dial backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation, and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
  • Page 85: Dhcp Table Screen

    Figure 13 HOME > Show Statistics > Line Chart. The following table describes the labels in this screen.
    Table 9 HOME > Show Statistics > Line Chart
    (back icon): Click the icon to go back to the Show Statistics screen.
    Port: Select the check box(es) to display the throughput statistics of the corresponding port(s).
  • Page 86: Vpn Status

    Figure 14 HOME > DHCP Table. The following table describes the labels in this screen. Table 10 HOME > DHCP Table: Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
  • Page 87: Bandwidth Monitor

    Figure 15 HOME > VPN Status. The following table describes the labels in this screen. Table 11 HOME > VPN Status: This is the security association index number. Name: This field displays the identification name for this VPN policy. Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
  • Page 88: Figure 16 Home > Bandwidth Monitor

    Figure 16 HOME > Bandwidth Monitor. The following table describes the labels in this screen. Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class: This field displays the name of the bandwidth class.
  • Page 89: Chapter 3 Wizard Setup

    CHAPTER 3 Wizard Setup. This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview: The web configurator's setup wizards help you configure Internet and VPN connection settings.
  • Page 90: Internet Access

    Figure 17 Wizard Setup Welcome. 3.2 Internet Access: The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 91: Figure 18 Isp Parameters: Ethernet Encapsulation

    Figure 18 ISP Parameters: Ethernet Encapsulation. The following table describes the labels in this screen. Table 12 ISP Parameters: Ethernet Encapsulation: ISP Parameters for Internet Access > Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 92: Pppoe Encapsulation

    Table 12 ISP Parameters: Ethernet Encapsulation (continued): Back: Click Back to return to the previous wizard screen. Apply: Click Apply to save your changes and go to the next screen. 3.2.1.2 PPPoE Encapsulation: Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
  • Page 93: Pptp Encapsulation

    Table 13 ISP Parameters: PPPoE Encapsulation (continued): Service Name: Type the name of your service provider. User Name: Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again for confirmation.
  • Page 94: Figure 20 Isp Parameters: Pptp Encapsulation

    Note: The ZyWALL supports one PPTP server connection at any given time. Figure 20 ISP Parameters: PPTP Encapsulation. The following table describes the labels in this screen. Table 14 ISP Parameters: PPTP Encapsulation: ISP Parameters for Internet Access > Encapsulation...
  • Page 95: Internet Access Wizard: Second Screen

    Table 14 ISP Parameters: PPTP Encapsulation: PPTP Configuration > My IP Address: Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given). Server IP Address: Type the IP address of the PPTP server.
  • Page 96: Internet Access Wizard: Registration

    Figure 21 Internet Access Wizard: Second Screen. Figure 22 Internet Access Setup Complete. 3.2.3 Internet Access Wizard: Registration: If you clicked Next in the previous screen (see Figure 21 on page 96), the following screen displays.
  • Page 97: Figure 23 Internet Access Wizard: Registration

    Figure 23 Internet Access Wizard: Registration. The following table describes the labels in this screen. Table 15 Internet Access Wizard: Registration: Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
  • Page 98: Figure 24 Internet Access Wizard: Registration In Progress

    Figure 24 Internet Access Wizard: Registration in Progress. Click Close to leave the wizard screen when the registration and activation are done. Figure 25 Internet Access Wizard: Status. The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
  • Page 99: Vpn Wizard Gateway Setting

    Figure 26 Internet Access Wizard: Registration Failed. If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears, indicating what trial applications are activated after you click Next. Figure 27 Internet Access Wizard: Registered Device. Figure 28 Internet Access Wizard: Activated Services. 3.3 VPN Wizard Gateway Setting...
  • Page 100: Figure 29 Vpn Wizard: Gateway Setting

    Click VPN SETUP in the Wizard Setup Welcome screen (Figure 17 on page 90) to open the VPN configuration wizard. The first screen displays as shown next. Figure 29 VPN Wizard: Gateway Setting. The following table describes the labels in this screen. Table 16 VPN Wizard: Gateway Setting...
  • Page 101: Vpn Wizard Network Setting

    Table 16 VPN Wizard: Gateway Setting: Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name.
  • Page 102: Figure 30 Vpn Wizard: Network Setting

    Figure 30 VPN Wizard: Network Setting. The following table describes the labels in this screen. Table 17 VPN Wizard: Network Setting: Network Policy Property > Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 103: Vpn Wizard Ike Tunnel Setting (Ike Phase 1)

    Table 17 VPN Wizard: Network Setting: Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses.
  • Page 104: Vpn Wizard Ipsec Setting (Ike Phase 2)

    The following table describes the labels in this screen. Table 18 VPN Wizard: IKE Tunnel Setting: Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
  • Page 105: Figure 32 Vpn Wizard: Ipsec Setting

    Figure 32 VPN Wizard: IPSec Setting. The following table describes the labels in this screen. Table 19 VPN Wizard: IPSec Setting: Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems.
  • Page 106: Vpn Wizard Status Summary

    Table 19 VPN Wizard: IPSec Setting (continued): Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS.
  • Page 107: Figure 33 Vpn Wizard: Vpn Status

    Figure 33 VPN Wizard: VPN Status. The following table describes the labels in this screen. Table 20 VPN Wizard: VPN Status: Gateway Policy Property > Name: This is the name of this VPN gateway policy. Gateway Policy Setting > My ZyWALL...
  • Page 108 Table 20 VPN Wizard: VPN Status (continued): Name: This is the name of this VPN network policy. Network Policy Setting > Local Network > Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/…: When the local network is configured for a single IP address, this field is N/A.
  • Page 109: Vpn Wizard Setup Complete

    3.8 VPN Wizard Setup Complete: Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 34 VPN Wizard Setup Complete.
  • Page 111: Chapter 4 Tutorial

    CHAPTER 4 Tutorial. This chapter describes how to apply security settings to VPN traffic. 4.1 Security Settings for VPN Traffic: The ZyWALL can apply the firewall, IDP, anti-virus, anti-spam and content filtering to the traffic going to or from the ZyWALL’s VPN tunnels.
  • Page 112: Figure 35 Idp For From Vpn Traffic

    Figure 35 IDP for From VPN Traffic. Here is how you would configure this example. 1 Click SECURITY > IDP > General. 2 Select the To LAN column’s first check box (with the interface label) to select all of the To LAN packet directions.
  • Page 113: Idp For To Vpn Traffic Example

    4.1.2 IDP for To VPN Traffic Example: You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can use IDP to protect the remote networks from intrusions that might come in through your ZyWALL’s VPN tunnels.
  • Page 114: Firewall Rule For Vpn Example

    Figure 38 IDP Configuration for To VPN Traffic. 4.2 Firewall Rule for VPN Example: The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets. Take the following example.
  • Page 115: Configuring The Vpn Rule

    Figure 39 Firewall Rule for VPN. 4.2.1 Configuring the VPN Rule: This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security >...
  • Page 116: Figure 41 Security > Vpn > Vpn Rules (Ike)> Add Gateway Policy

    Figure 41 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy. 3 Click the Add Network Policy icon.
  • Page 117: Figure 42 Security > Vpn > Vpn Rules (Ike): With Gateway Policy Example

    Figure 42 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example. 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers.
  • Page 118: Configuring The Firewall Rules

    Figure 43 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy. 4.2.2 Configuring the Firewall Rules: Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on).
  • Page 119: Firewall Rule To Allow Access Example

    4.2.2.1 Firewall Rule to Allow Access Example: Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server. 1 Click Security > Firewall > Rule Summary. 2 Select VPN to LAN as the packet direction and click Insert. Figure 44 SECURITY >...
  • Page 120: Figure 45 Security > Firewall > Rule Summary > Edit: Allow

    Figure 45 SECURITY > FIREWALL > Rule Summary > Edit: Allow. 4 The rule displays in the summary list of VPN to LAN firewall rules.
  • Page 121: Default Firewall Rule To Block Other Access Example

    Figure 46 SECURITY > FIREWALL > Rule Summary: Allow. 4.2.2.2 Default Firewall Rule to Block Other Access Example: Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server.
  • Page 123: Chapter 5 Registration

    CHAPTER 5 Registration. 5.1 myZyXEL.com Overview: myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 124: Registration

    You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service. You can also check for new signature or virus updates at http://mysecurity.zyxel.com. See the chapters about content filtering, anti-virus, anti-spam and IDP for more information. Note: To update the signature file or use a subscription service, you have to register and activate the corresponding service at myZyXEL.com (through the ZyWALL).
  • Page 125: Table 21 Registration

    The following table describes the labels in this screen. Table 21 REGISTRATION: Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available. New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
  • Page 126: Service

    Figure 49 REGISTRATION: Registered Device. 5.3 Service: After you activate a trial, you can also use the Service screen to register and enter your iCard’s PIN number (license key). Click REGISTRATION > Service to open the screen as shown next.
  • Page 127: Table 22 Registration > Service

    The following table describes the labels in this screen. Table 22 REGISTRATION > Service: Service Management > Service: This field displays the service name available on the ZyWALL. Status: This field displays whether a service is activated (Active) or not (Inactive). Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
  • Page 129: Chapter 6 Lan Screens

    CHAPTER 6 LAN Screens. This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35.
  • Page 130: Private Ip Addresses

    Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 131: Dhcp

    6.3 DHCP: The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server.
  • Page 132: Wins

    IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
  • Page 133: Figure 52 Network > Lan

    Figure 52 NETWORK > LAN. The following table describes the labels in this screen. Table 23 NETWORK > LAN: LAN TCP/IP > IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
  • Page 134 Table 23 NETWORK > LAN (continued): RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 135: Lan Static Dhcp

    Table 23 NETWORK > LAN (continued): Allow between LAN and WAN2: Select this check box to forward NetBIOS packets from the LAN to WAN port 2 and from WAN port 2 to the LAN. If your firewall is enabled with the default policy set to block WAN port 2 to LAN traffic, you also need to enable the default WAN port 2 to LAN firewall rule that forwards NetBIOS traffic.
  • Page 136: Lan Ip Alias

    Figure 53 NETWORK > LAN > Static DHCP. The following table describes the labels in this screen. Table 24 NETWORK > LAN > Static DHCP: This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address of a computer on your LAN.
  • Page 137: Figure 54 Physical Network & Partitioned Logical Networks

    The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 138: Figure 55 Network > Lan > Ip Alias

    Figure 55 NETWORK > LAN > IP Alias. The following table describes the labels in this screen. Table 25 NETWORK > LAN > IP Alias: Enable IP Alias 1, …: Select the check box to configure another LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 139: Lan Port Roles

    Table 25 NETWORK > LAN > IP Alias: Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 6.10 LAN Port Roles: Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 can be part of the LAN, DMZ or WLAN interface.
  • Page 140: Figure 56 Network > Lan > Port Roles

    Figure 56 NETWORK > LAN > Port Roles. The following table describes the labels in this screen. Table 26 NETWORK > LAN > Port Roles: Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC address.
  • Page 141: Chapter 7 Bridge Screens

    CHAPTER 7 Bridge Screens. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 7.1 Bridge Loop: The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL.
  • Page 142: Spanning Tree Protocol (Stp)

    7.2 Spanning Tree Protocol (STP): STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network. 7.2.1 Rapid STP: The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...
  • Page 143: Stp Port States

    STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge.
  • Page 144: Figure 59 Network > Bridge

    Figure 59 NETWORK > Bridge. The following table describes the labels in this screen. Table 29 NETWORK > Bridge: Bridge IP Address Setup > IP Address: Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
  • Page 145: Bridge Port Roles

    Table 29 NETWORK > Bridge (continued): Rapid Spanning Tree Protocol Setup > Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL. Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. Bridge priority is used in determining the root switch, root port and designated port.
  • Page 146: Figure 60 Network > Bridge > Port Roles

    Figure 60 NETWORK > Bridge > Port Roles. The following table describes the labels in this screen. Table 30 NETWORK > Bridge > Port Roles: Select a port’s LAN radio button to use the port as part of the LAN. Select a port’s DMZ radio button to use the port as part of the DMZ.
  • Page 147: Chapter 8 Wan Screens

    CHAPTER 8 WAN Screens. This chapter describes how to configure WAN settings. Multiple WAN and load balancing are not available on the ZyWALL 5. 8.1 WAN Overview: • Use the WAN General screen to configure load balancing, route priority and traffic redirect properties for the ZyWALL 70 and ZyWALL 35.
  • Page 148: Load Balancing Introduction

    You can select through which WAN port you want to send out traffic from UPnP-enabled applications (see Chapter 27 on page 475). The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name.
  • Page 149: Example 1

    8.4.1.1 Example 1: The following figure depicts an example where both the WAN ports on the ZyWALL are connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively. Figure 62 Least Load First Example. If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load...
  • Page 150: Weighted Round Robin

    8.4.2 Weighted Round Robin: Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight.
  • Page 151: Tcp/Ip Priority (Metric)

    Figure 64 Spillover Algorithm Example. 8.5 TCP/IP Priority (Metric): The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1"...
  • Page 152: Figure 65 Network > Wan (General)

    Figure 65 NETWORK > WAN (General).
  • Page 153: Table 33 Network > Wan (General)

    The following table describes the labels in this screen. Table 33 NETWORK > WAN (General): Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN port (depending on the priorities you configure in the Route Priority fields).
  • Page 154 Table 33 NETWORK > WAN (General) (continued): Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN port's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN port's default gateway IP address.
  • Page 155: Configuring Load Balancing

    8.7 Configuring Load Balancing: To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL. The WAN General screen varies depending on what you select in the Load Balancing Algorithm field.
  • Page 156: Weighted Round Robin

    Table 34 Load Balancing: Least Load First (continued): Available Inbound Bandwidth: This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es) field. Specify the inbound (or downstream) bandwidth (in kilobits per second) for the interface.
  • Page 157: Spillover

    8.7.3 Spillover: To load balance using the spillover method, select Spillover in the Load Balancing Algorithm field. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN1 is the primary WAN and WAN2 is the secondary WAN.
  • Page 158: Figure 69 Network > Wan (Route)

    Figure 69 NETWORK > WAN (Route). The following table describes the labels in this screen. Table 37 NETWORK > WAN (Route): Route Priority: The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
  • Page 159: Wan Ip Address Assignment

    Table 37 NETWORK > WAN (Route) (continued): Allow between WAN and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
  • Page 160: Wan Mac Address

    1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields. 2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
  • Page 161: Figure 70 Network > Wan > Wan (Ethernet Encapsulation)

    Figure 70 NETWORK > WAN > WAN (Ethernet Encapsulation). The following table describes the labels in this screen. Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation): ISP Parameters for Internet Access > Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 162 Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued): Retype to Confirm: Type your password again to make sure that you have entered it correctly. Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
  • Page 163: Pppoe Encapsulation

    Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued): RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 164: Figure 71 Network > Wan > Wan (Pppoe Encapsulation)

    Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task.
  • Page 165: Table 41 Network > Wan > Wan (Pppoe Encapsulation)

    The following table describes the labels in this screen. Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation): ISP Parameters for Internet Access > Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 166: Pptp Encapsulation

    Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued): RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
  • Page 167: Figure 72 Network > Wan > Wan (Pptp Encapsulation)

    PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation. Figure 72 NETWORK > WAN > WAN (PPTP Encapsulation).
  • Page 168: Table 42 Network > Wan > Wan (Pptp Encapsulation)

    The following table describes the labels in this screen. Table 42 NETWORK > WAN > WAN (PPTP Encapsulation): ISP Parameters for Internet Access > Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 169 Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) (continued): Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 170: Traffic Redirect

    8.13 Traffic Redirect: Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. Figure 73 Traffic Redirect WAN Setup. IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ.
  • Page 171: Configuring Dial Backup

    Figure 75 NETWORK > WAN > Traffic Redirect. The following table describes the labels in this screen. Table 43 NETWORK > WAN > Traffic Redirect. Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
  • Page 172: Figure 76 NETWORK > WAN > Dial Backup

    Figure 76 NETWORK > WAN > Dial Backup
  • Page 173: Table 44 NETWORK > WAN > Dial Backup

    The following table describes the labels in this screen. Table 44 NETWORK > WAN > Dial Backup. Dial Backup Setup. Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings. Login Name: Type the login name assigned by your ISP.
  • Page 174 Table 44 NETWORK > WAN > Dial Backup (continued). Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving).
  • Page 175: Advanced Modem Setup

    Table 44 NETWORK > WAN > Dial Backup (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 8.16 Advanced Modem Setup. 8.16.1 AT Command Strings. For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing.
  • Page 176: Figure 77 NETWORK > WAN > Dial Backup > Edit

    Figure 77 NETWORK > WAN > Dial Backup > Edit. The following table describes the labels in this screen. Table 45 NETWORK > WAN > Dial Backup > Edit. AT Command Strings. Dial: Type the AT Command string to make a call.
  • Page 177 Table 45 NETWORK > WAN > Dial Backup > Edit (continued). Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
  • Page 178
  • Page 179: Chapter 9 DMZ Screens

    CHAPTER 9 DMZ Screens. This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ. The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 180: Figure 78 NETWORK > DMZ

    Figure 78 NETWORK > DMZ. The following table describes the labels in this screen. Table 46 NETWORK > DMZ. DMZ TCP/IP. IP Address: Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
  • Page 181 Table 46 NETWORK > DMZ (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 182: DMZ Static DHCP

    Table 46 NETWORK > DMZ (continued). Allow between DMZ and WAN 2: Select this check box to forward NetBIOS packets from the DMZ to WAN port 2 and from WAN port 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN port 2 and from WAN port 2 to the DMZ.
  • Page 183: DMZ IP Alias

    Figure 79 NETWORK > DMZ > Static DHCP. The following table describes the labels in this screen. Table 47 NETWORK > DMZ > Static DHCP. This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address of a computer on your DMZ.
  • Page 184: Figure 80 NETWORK > DMZ > IP Alias

    The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 185: DMZ Public IP Address Example

    Table 48 NETWORK > DMZ > IP Alias (continued). IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
  • Page 186: DMZ Private and Public IP Address Example

    Figure 81 DMZ Public Address Example. 9.6 DMZ Private and Public IP Address Example. The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet.
  • Page 187: DMZ Port Roles

    Figure 82 DMZ Private and Public Address Example. 9.7 DMZ Port Roles. Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 can be part of the LAN, DMZ or WLAN interface.
  • Page 188: Figure 83 NETWORK > DMZ > Port Roles

    Figure 83 NETWORK > DMZ > Port Roles. The following table describes the labels in this screen. Table 49 NETWORK > DMZ > Port Roles. Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC address.
  • Page 189: Chapter 10 Wireless LAN

    CHAPTER 10 Wireless LAN. This chapter discusses how to configure wireless LAN on the ZyWALL. 10.1 Wireless LAN Introduction. A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
  • Page 190: Figure 84 NETWORK > WLAN

    Click NETWORK > WLAN to open the WLAN screen, where you configure the IP address for the ZyWALL’s WLAN interface and other TCP/IP and DHCP settings. Figure 84 NETWORK > WLAN. The following table describes the labels in this screen. Table 50 NETWORK >...
  • Page 191 Table 50 NETWORK > WLAN (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 192: WLAN Static DHCP

    Table 50 NETWORK > WLAN (continued). Allow between WLAN and WAN: Select this check box to forward NetBIOS packets from the WLAN to WAN port 2 and from WAN port 2 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN port 2 and from WAN port 2 to the WLAN.
  • Page 193: WLAN IP Alias

    Figure 85 NETWORK > WLAN > Static DHCP. The following table describes the labels in this screen. Table 51 NETWORK > WLAN > Static DHCP. This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address of a computer on your WLAN.
  • Page 194: Figure 86 NETWORK > WLAN > IP Alias

    The ZyWALL has a single WLAN interface. Even though more than one of ports 1~4 may be in the WLAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 195: WLAN Port Roles

    Table 52 NETWORK > WLAN > IP Alias (continued). RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
  • Page 196: Figure 87 WLAN Port Role Example

    Figure 87 WLAN Port Role Example. Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
  • Page 197: Wireless Security

    The following table describes the labels in this screen. Table 53 NETWORK > WLAN > Port Roles. Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address.
  • Page 198: Encryption

    Figure 90 ZyWALL Wireless Security Levels. If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator.
  • Page 199: Restricted Access

    10.6.3 Restricted Access. The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association). 10.6.4 Hide ZyWALL Identity. If you hide the ESSID, then the ZyWALL cannot be seen when a wireless client scans for local APs.
  • Page 200: Overview

    10.9 802.1x Overview. The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyWALL (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users.
  • Page 201: EAP Authentication Overview

    Sent by the access point requesting accounting. • Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know.
  • Page 202: Dynamic WEP Key Exchange

    10.10 Dynamic WEP Key Exchange. The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.
  • Page 203: WPA-PSK Application Example

    Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
  • Page 204: Introduction to RADIUS

    Figure 92 WPA-PSK Authentication. 10.13 Introduction to RADIUS. The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users. RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server.
  • Page 205: Wireless Client WPA Supplicants

    Figure 93 WPA with RADIUS Application Example. 10.15 Wireless Client WPA Supplicants. A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
  • Page 206: Figure 94 NETWORK > WIRELESS CARD: No Security

    Figure 94 NETWORK > WIRELESS CARD: No Security. The following table describes the labels in this screen. Table 55 NETWORK > WIRELESS CARD: No Security. Enable Wireless Card: The wireless LAN through a wireless LAN card is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security;...
  • Page 207: Static WEP

    Table 55 NETWORK > WIRELESS CARD: No Security (continued). Fragmentation Threshold: This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Select the check box to change the default value and enter a value between 256 and 2432.
  • Page 208: WPA-PSK

    Figure 95 NETWORK > WIRELESS CARD: Static WEP. The following table describes the wireless LAN security labels in this screen. Table 56 NETWORK > WIRELESS CARD: Static WEP. Security: Select Static WEP from the drop-down list. WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
  • Page 209: Figure 96 NETWORK > WIRELESS CARD: WPA-PSK

    Figure 96 NETWORK > WIRELESS CARD: WPA-PSK. The following wireless LAN security fields become available when you select WPA-PSK in the Security drop-down list box. Table 57 NETWORK > WIRELESS CARD: WPA-PSK. Security: Select WPA-PSK from the drop-down list.
  • Page 210: WPA

    Table 57 NETWORK > WIRELESS CARD: WPA-PSK (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 10.16.3 WPA. Click NETWORK > WIRELESS CARD to display the Wireless Card screen. Select WPA from the Security list.
  • Page 211: IEEE 802.1x + Dynamic WEP

    Table 58 NETWORK > WIRELESS CARD: WPA (continued). Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
  • Page 212: IEEE 802.1x + Static WEP

    The following wireless LAN security fields become available when you select 802.1x + Dynamic WEP in the Security drop-down list box. Table 59 NETWORK > WIRELESS CARD: 802.1x + Dynamic WEP. Security: Select 802.1x + Dynamic WEP from the drop-down list. ReAuthentication Timer (Seconds): Specify how often wireless stations have to resend user names and passwords in...
  • Page 213: Figure 99 NETWORK > WIRELESS CARD: 802.1x + Static WEP

    Figure 99 NETWORK > WIRELESS CARD: 802.1x + Static WEP. The following wireless LAN security fields become available when you select 802.1x + Static WEP in the Security drop-down list box. Table 60 NETWORK > WIRELESS CARD: 802.1x + Static WEP. Security...
  • Page 214: IEEE 802.1x + No WEP

    Table 60 NETWORK > WIRELESS CARD: 802.1x + Static WEP (continued). Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
  • Page 215: No Access 802.1x + Static WEP

    The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop-down list box. Table 61 NETWORK > WIRELESS CARD: 802.1x + No WEP. Security: Select 802.1x + No WEP from the drop-down list. ReAuthentication Timer (Seconds): Specify how often wireless stations have to resend user names and passwords in...
  • Page 216: No Access 802.1x + No WEP

    Figure 101 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP. The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop-down list box. Table 62 NETWORK >...
  • Page 217: MAC Filter

    10.17 MAC Filter. The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address.
  • Page 218 Table 63 NETWORK > WIRELESS CARD: MAC Address Filter. User Name: Enter a descriptive name for the MAC address. Address: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyWALL in these address fields. Apply: Click Apply to save your changes back to the ZyWALL.
  • Page 219: Chapter 11 Firewall

    CHAPTER 11 Firewall. This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview. In networking, the term firewall refers to a system or group of systems that enforces an access-control policy between two networks.
  • Page 220: Packet Direction Matrix

    Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
  • Page 221: Packet Direction Examples

    To set the ZyWALL to by default silently block traffic from WAN 1 from going to the DMZ interfaces, you would find where the From WAN1 row and the To DMZ column intersect and set the field to Drop as shown. Figure 105 Default Block Traffic From WAN1 to DMZ Example. 11.3 Packet Direction Examples. Firewall rules are grouped based on the direction of travel of packets to which they apply.
  • Page 222: To VPN Packet Direction

    By default, the ZyWALL drops packets traveling in the following directions. • WAN 1 to These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to: •...
  • Page 223: Figure 106 From LAN to VPN Example

    Figure 106 From LAN to VPN Example. In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 107 Block LAN to VPN Traffic by Default Example
  • Page 224: From VPN Packet Direction

    11.3.2 From VPN Packet Direction. You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to”...
  • Page 225: From VPN to VPN Packet Direction

    Figure 109 Block VPN to LAN Traffic by Default Example. 11.3.3 From VPN To VPN Packet Direction. From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN; see Section 18.16 on page 359 for details).
  • Page 226: Security Considerations

    Figure 110 From VPN to VPN Example. You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 111 Block VPN to VPN Traffic by Default Example. 11.4 Security Considerations. Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network.
  • Page 227: Firewall Rules Example

    Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3 Does a rule that allows Internet users access to resources on the LAN create a security...
  • Page 228: Figure 113 Limited LAN to WAN IRC Traffic Example

    • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN. The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from the LAN, it checks it against the first rule.
  • Page 229: Asymmetrical Routes

    • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN. The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic. If the rule that blocks all LAN to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules.
  • Page 230: Firewall Default Rule (Router Mode)

    Figure 114 Using IP Alias to Solve the Triangle Route Problem. 11.7 Firewall Default Rule (Router Mode). Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 115 SECURITY >...
  • Page 231: Table 66 SECURITY > FIREWALL > Default Rule (Router Mode)

    The following table describes the labels in this screen. Table 66 SECURITY > FIREWALL > Default Rule (Router Mode). Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 232: Firewall Default Rule (Bridge Mode)

    Table 66 SECURITY > FIREWALL > Default Rule (Router Mode) (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 11.8 Firewall Default Rule (Bridge Mode). Click SECURITY >...
  • Page 233: Table 67 SECURITY > FIREWALL > Default Rule (Bridge Mode)

    The following table describes the labels in this screen. Table 67 SECURITY > FIREWALL > Default Rule (Bridge Mode). Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 234: Firewall Rule Summary

    Table 67 SECURITY > FIREWALL > Default Rule (Bridge Mode). Log Broadcast Frame: Select this to create a log for any broadcast frames traveling in the selected direction. Many of these logs in a short time period could indicate a broadcast storm. A broadcast storm occurs when a packet triggers multiple responses from all hosts on a network or when computers attempt to respond to a host that never replies.
  • Page 235: Table 68 SECURITY > FIREWALL > Rule Summary

    The following table describes the labels in this screen. Table 68 SECURITY > FIREWALL > Rule Summary. Firewall Rules Storage Space: This bar displays the percentage of the ZyWALL’s firewall rules storage space that is currently in use.
  • Page 236: Firewall Edit Rule

    11.9.1 Firewall Edit Rule. Follow these directions to create a new rule. 1 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 237: Figure 118 SECURITY > FIREWALL > Rule Summary > Edit

    Figure 118 SECURITY > FIREWALL > Rule Summary > Edit
  • Page 238: Table 69 SECURITY > FIREWALL > Rule Summary > Edit

    The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Rule Summary > Edit. Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule.
  • Page 239: Anti-Probing

    Table 69 SECURITY > FIREWALL > Rule Summary > Edit. Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  • Page 240: Firewall Thresholds

    The following table describes the labels in this screen. Table 70 SECURITY > FIREWALL > Anti-Probing. Respond to PING: Select the check boxes of the interfaces that you want to reply to incoming Ping requests.
  • Page 241: Threshold Values

    11.11.1 Threshold Values. If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyWALL is classifying normal traffic as DoS attacks.
  • Page 242: Table 71 SECURITY > FIREWALL > Threshold

    The following table describes the labels in this screen. Table 71 SECURITY > FIREWALL > Threshold. Disable DoS Attack Protection on: Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds.
  • Page 243: Service

    Table 71 SECURITY > FIREWALL > Threshold (continued). Action taken when TCP Maximum Incomplete threshold reached: Select the action that the ZyWALL should take when the TCP maximum incomplete threshold is reached. You can have the ZyWALL either: Delete the oldest half open session when a new connection request comes.
  • Page 244: Figure 122 SECURITY > FIREWALL > Service

    Figure 122 SECURITY > FIREWALL > Service. The following table describes the labels in this screen. Table 72 SECURITY > FIREWALL > Service. Custom Service: This table shows all configured custom services. This is the index number of the custom service. Service Name: This is the name of the service.
  • Page 245: Firewall Edit Custom Service

    Table 72 SECURITY > FIREWALL > Service (continued). Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services. Predefined Service: This table shows all the services that are already configured for use in firewall...
  • Page 246: My Service Firewall Rule Example

    Table 73 SECURITY > FIREWALL > Service > Add (continued). Port Range: Enter the port number (from 1 to 255) that defines the customized service. To specify one port only, enter the port number in the From field and enter it again in the To field.
  • Page 247: Figure 125 My Service Firewall Rule Example: Edit Custom Service

    Figure 125 My Service Firewall Rule Example: Edit Custom Service. 3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box. 4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 248: Figure 127 My Service Firewall Rule Example: Rule Edit

    Figure 127 My Service Firewall Rule Example: Rule Edit. 9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
  • Page 249: Figure 128 My Service Firewall Rule Example: Rule Configuration

    Figure 128 My Service Firewall Rule Example: Rule Configuration. Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 250: Figure 129 My Service Firewall Rule Example: Rule Summary

    Figure 129 My Service Firewall Rule Example: Rule Summary
  • Page 251: Intrusion Detection and Prevention (IDP)

    CHAPTER 12 Intrusion Detection and Prevention (IDP). This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL. 12.1 Introduction to IDP. An IDP system can detect malicious or suspicious packets and respond instantaneously.
  • Page 252: IDS and IDP

    Firewalls are usually deployed at the network edge. However, many attacks (inadvertently) are launched from within an organization. Virtual private networks (VPN), removable storage devices and wireless networks may all provide access to the internal network without going through the firewall.
  • Page 253: Example Intrusions

    12.1.5 Example Intrusions. The following are some examples of intrusions. 12.1.5.1 SQL Slammer Worm. W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port.
  • Page 254: MyDoom

    12.1.5.4 MyDoom. MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with a bat, cmd, exe, pif, scr, or zip file extension. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
  • Page 255: Chapter 13 Configuring IDP

    CHAPTER 13 Configuring IDP. This chapter shows you how to configure IDP on the ZyWALL. 13.1 Overview. To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL.
  • Page 256: General Setup

    13.2 General Setup. Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Click SECURITY > IDP from the navigation panel. General is the first screen as shown in the following figure.
  • Page 257: IDP Signatures

    Table 74 SECURITY > IDP > General Setup. From, To: Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column.
  • Page 258: Figure 133 SECURITY > IDP > Signatures: Attack Types

    Figure 133 SECURITY > IDP > Signatures: Attack Types The following table describes each attack type. Table 75 SECURITY > IDP > Signature: Attack Types. DoS/DDoS: The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet.
  • Page 259: Intrusion Severity

    Table 75 SECURITY > IDP > Signature: Attack Types (continued). Virus/Worm: A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network.
  • Page 260: Configuring IDP Signatures

    Figure 134 SECURITY > IDP > Signature: Actions The following table describes signature actions. Table 77 SECURITY > IDP > Signature: Actions. No Action: The intrusion is detected but no action is taken. Drop Packet: The packet is silently discarded.
  • Page 261: Figure 135 SECURITY > IDP > Signature: Group View

    Figure 135 SECURITY > IDP > Signature: Group View The following table describes the labels in this screen. Table 78 SECURITY > IDP > Signature: Group View. Signature Groups. Switch to query view: Click this hyperlink to go to a screen where you can search for signatures based on criteria other than attack type.
  • Page 262: Query View

    Table 78 SECURITY > IDP > Signature: Group View (continued). Select this check box to have a log generated when a match is found for a signature. Select the check box in the heading row to automatically select all check boxes or clear it to clear all entries on the current page.
  • Page 263: Figure 136 SECURITY > IDP > Signature: Query View

    Figure 136 SECURITY > IDP > Signature: Query View The following table describes the fields in this screen. Table 79 SECURITY > IDP > Signature: Query View. Back to group view: Click this button to go to the IDP group view screen where IDP signatures are grouped by attack type.
  • Page 264

    Table 79 SECURITY > IDP > Signature: Query View (continued). Search: Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the selected search criteria were.
  • Page 265: Query Example 1

    Table 79 SECURITY > IDP > Signature: Query View (continued). Apply: Click this button to save your changes back to the ZyWALL. Reset: Click this button to begin configuring this screen afresh. 13.3.5.1 Query Example 1 1 From the “group view”...
  • Page 266: Query Example 2

    Figure 138 SECURITY > IDP > Signature: Query by Complete ID 13.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search By Attributes. 2 Select the Severity, Type, Platform, Active, Log, Alert and/or Action items.
  • Page 267: Update

    Figure 139 Signature Query by Attribute. 13.4 Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.
  • Page 268: Configuring IDP Update

    13.4.2 Configuring IDP Update When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not overwritten when you download new signatures. File-based anti-virus signatures (see the anti-virus chapter) are included with IDP signatures.
  • Page 269: Backup and Restore

    Table 80 SECURITY > IDP > Update (continued). Release Date: This field displays the time (hour, minutes, seconds) and date (month, date, year) that the above signature set was created. Last Update: This field displays the last date and time you downloaded new signatures to the ZyWALL.
  • Page 270: Figure 141 SECURITY > IDP > Backup & Restore

    Figure 141 SECURITY > IDP > Backup & Restore Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings. Click Backup and then choose a location and filename for the IDP configuration set. •...
  • Page 271: Chapter 14 Anti-Virus

    CHAPTER 14 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 14.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs.
  • Page 272: Types of Anti-Virus Scanner

    2 The virus spreads to other files and programs on the computer. 3 The infected files are unintentionally sent to another computer thus starting the spread of the virus. 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially.
  • Page 273: How the ZyWALL Anti-Virus Scanner Works

    14.2.1 How the ZyWALL Anti-Virus Scanner Works The ZyWALL checks traffic going to the interface(s) you specify for signature matches. Figure 142 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, HTTP and FTP packets through standard ports.
  • Page 274: General Anti-Virus Setup

    Note: The ZyWALL Turbo Card does not have a MAC address. The following lists important notes about the anti-virus scanner: 1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses. 2 When a virus is detected, an alert message is displayed on Microsoft Windows computers.
  • Page 275: Figure 143 SECURITY > ANTI-VIRUS > General

    Figure 143 SECURITY > ANTI-VIRUS > General The following table describes the labels in this screen. Table 82 SECURITY > ANTI-VIRUS > General. General Setup. Enable Anti-Virus: Select this check box to check traffic for viruses. The anti-virus scanner works on the following.
  • Page 276: Signature Searching

    Table 82 SECURITY > ANTI-VIRUS > General (continued). Available Service. Service: This field displays the service names and standard port numbers that identify them. Select a service to display and configure anti-virus settings for it. Active: Select Active to enable the anti-virus scanner for the selected service.
  • Page 277: Figure 144 SECURITY > ANTI-VIRUS > Signature: Query View

    Figure 144 SECURITY > ANTI-VIRUS > Signature: Query View The following table describes the labels in this screen. Table 83 SECURITY > ANTI-VIRUS > Signature: Query View. Query Signatures: Select the criteria on which to perform the search. Signature Search: Select this radio button if you would like to search the signatures by name or ID.
  • Page 278: Signature Search Example

    Table 83 SECURITY > ANTI-VIRUS > Signature: Query View (continued). Search: Click this button to begin the search. The results display in the table at the bottom of the screen. Results may be spread over several pages depending on how broad the selected search criteria were.
  • Page 279: Figure 145 Query Example Search Criteria

    Figure 145 Query Example Search Criteria
  • Page 280: Figure 146 Query Example Search Results

    Figure 146 Query Example Search Results
  • Page 281: Signature Update

    14.5 Signature Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads. Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard).
  • Page 282: Figure 147 SECURITY > ANTI-VIRUS > Update

    Figure 147 SECURITY > ANTI-VIRUS > Update The following table describes the labels in this screen. Signature Information. Current Pattern Version: This field displays the signature version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures.
  • Page 283: Backup and Restore

    Update Now: Click this button to begin downloading signatures from the Update Server immediately. Auto Update: Select the check box to configure a schedule for automatic signature updates. The Hourly, Daily and Weekly fields display when the check box is selected. The ZyWALL then automatically downloads signatures from the Update Server regularly at the time and/or day you specify.
  • Page 284

    Use the Backup & Restore screen to: • Back up anti-virus signatures with your custom configured settings to a computer. Click Backup and then choose a location and filename for the anti-virus configuration set. • Restore previously saved anti-virus signatures (with your custom configured settings). Click Restore and choose the path and location where the previously saved file resides on your computer.
  • Page 285: Chapter 15 Anti-Spam

    CHAPTER 15 Anti-Spam This chapter covers how to use the ZyWALL’s anti-spam feature to deal with junk e-mail (spam). 15.1 Anti-Spam Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam.
  • Page 286: SpamBulk Engine

    15.1.1.1 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a database of e-mail fingerprint IDs.
  • Page 287: SpamTricks Engine

    15.1.1.4 SpamTricks Engine The SpamTricks engine checks for the tactics that spammers use to minimize the expense of sending lots of e-mail and tactics that they use to bypass spam filters. Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are common tricks for which the SpamTricks engine checks.
  • Page 288: Whitelist

    The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing. 15.1.4 Whitelist Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the ZyWALL classify any e-mail that is from a specified sender or uses a specified MIME (Multipurpose Internet Mail Extensions) header or MIME header value as being legitimate (see...
  • Page 289: MIME Headers

    15.1.7 MIME Headers MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail. MIME headers describe an e-mail’s content encoding and type. For example, it may show which program generated the e-mail and what type of text is used in the e-mail body. Here are some examples of MIME headers: •...
  • Page 290: Figure 150 SECURITY > ANTI-SPAM > General

    Figure 150 SECURITY > ANTI-SPAM > General The following table describes the labels in this screen. Table 84 SECURITY > ANTI-SPAM > General. General Setup. Enable Anti-Spam: Select this check box to check SMTP (TCP port 25) and POP3 (TCP port 110) e-mail traffic for spam.
  • Page 291

    Table 84 SECURITY > ANTI-SPAM > General (continued). From, To: Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column.
  • Page 292: Anti-Spam External DB Screen

    Table 84 SECURITY > ANTI-SPAM > General (continued). Action taken when mail sessions threshold is reached: The anti-spam feature limits the number of concurrent e-mail sessions. An e-mail session is when an e-mail client and e-mail server (or two e-mail servers) connect through the ZyWALL.
  • Page 293: Table 85 SECURITY > ANTI-SPAM > External DB

    The following table describes the labels in this screen. Table 85 SECURITY > ANTI-SPAM > External DB. External Database. Enable External Database: Enable the anti-spam external database feature to have the ZyWALL calculate a digest of an e-mail and send it to an anti-spam external database.
  • Page 294: Anti-Spam Lists Screen

    Table 85 SECURITY > ANTI-SPAM > External DB (continued). External Database Service Status: This read-only field displays the status of your anti-spam external database service registration and activation. License Inactive displays if you have not successfully registered and activated the anti-spam external database service.
  • Page 295: Figure 152 SECURITY > ANTI-SPAM > Lists

    Figure 152 SECURITY > ANTI-SPAM > Lists The following table describes the labels in this screen. Table 86 SECURITY > ANTI-SPAM > Lists. Resource Usage. Whitelist & Blacklist Storage Space in Use: This bar displays the percentage of the ZyWALL’s anti-spam whitelist and blacklist storage space that is currently in use.
  • Page 296: Anti-Spam Lists Edit Screen

    Table 86 SECURITY > ANTI-SPAM > Lists (continued). Insert: Type the index number where you want to put an entry. For example, if you type 6, your new entry becomes number 6 and the previous entry 6 (if there is one) becomes entry 7.
  • Page 297: Figure 153 SECURITY > ANTI-SPAM > Lists > Edit

    Figure 153 SECURITY > ANTI-SPAM > Lists > Edit The following table describes the labels in this screen. Table 87 SECURITY > ANTI-SPAM > Lists > Edit. Rule Edit. Active: Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corresponding list (in the Anti-Spam Customization screen) and the anti-spam feature (in the Anti-Spam General screen).
  • Page 298

    Table 87 SECURITY > ANTI-SPAM > Lists > Edit (continued). E-Mail Address: This field displays when you select the E-Mail type. Enter an e-mail address or domain name (up to 63 ASCII characters). You can enter an individual e-mail address like abc@def.com. If you enter a domain name, the ZyWALL searches the source e-mail address string after the “@”...
  • Page 299: Content Filtering Screens

    CHAPTER 16 Content Filtering Screens This chapter provides an overview of content filtering. 16.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites.
  • Page 300: Figure 154 SECURITY > CONTENT FILTER > General

    Figure 154 SECURITY > CONTENT FILTER > General The following table describes the labels in this screen. Table 88 SECURITY > CONTENT FILTER > General. General Setup. Enable Content Filter: Select this check box to enable the content filter. Content filtering works on HTTP traffic that is using TCP ports 80, 119, 3128 or 8080.
  • Page 301

    Table 88 SECURITY > CONTENT FILTER > General (continued). Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 302: Content Filtering with an External Database

    Table 88 SECURITY > CONTENT FILTER > General (continued). Delete Range: Click Delete Range after you select the range of addresses you wish to delete. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 303: Content Filter Categories

    16.4 Content Filter Categories Click SECURITY > CONTENT FILTER > Categories to display the CONTENT FILTER Categories screen. Use this screen to configure category-based content filtering. You can set the ZyWALL to use external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it.
  • Page 304: Figure 156 SECURITY > CONTENT FILTER > Categories

    Figure 156 SECURITY > CONTENT FILTER > Categories The following table describes the labels in this screen. Table 89 SECURITY > CONTENT FILTER > Categories. Auto Category Setup. Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs.
  • Page 305

    Table 89 SECURITY > CONTENT FILTER > Categories (continued). Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
  • Page 306

    Table 89 SECURITY > CONTENT FILTER > Categories (continued). Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
  • Page 307

    Table 89 SECURITY > CONTENT FILTER > Categories (continued). Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
  • Page 308

    Table 89 SECURITY > CONTENT FILTER > Categories (continued). News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
  • Page 309

    Table 89 SECURITY > CONTENT FILTER > Categories (continued). Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
  • Page 310: Content Filter Customization

    16.5 Content Filter Customization Click SECURITY > CONTENT FILTER > Customization to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses.
  • Page 311: Table 90 SECURITY > CONTENT FILTER > Customization

    The following table describes the labels in this screen. Table 90 SECURITY > CONTENT FILTER > Customization. Web Site List Customization. Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.
  • Page 312: Customizing Keyword Blocking URL Checking

    Table 90 SECURITY > CONTENT FILTER > Customization (continued). Click this button when you have finished adding the key words in the field above. Delete: Select a keyword from the Keyword List, and then click this button to delete it from that list.
  • Page 313: Content Filtering Cache

    Use the command ip urlfilter customize actionFlags 8 [disable | enable] to extend (or not extend) the keyword blocking search to include the URL's complete filename. 16.7 Content Filtering Cache Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen.
  • Page 314: Table 91 SECURITY > CONTENT FILTER > Cache

    The following table describes the labels in this screen. Table 91 SECURITY > CONTENT FILTER > Cache. URL Cache Setup. Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
  • Page 315: Content Filtering Reports

    CHAPTER 17 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 123 for how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
  • Page 316: Figure 159 myZyXEL.com: Login

    Figure 159 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 161 on page 317).
  • Page 317: Figure 161 myZyXEL.com: Service Management

    Figure 161 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 161 on page 317). Type your myZyXEL.com account password in the Password field.
  • Page 318: Figure 163 Content Filtering Reports Main Screen

    Figure 163 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 164 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 319: Figure 165 Global Report Screen Example

    Figure 165 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 320: Web Site Submission

    Figure 166 Requested URLs Example 17.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
  • Page 321: Figure 167 Web Page Review Process Screen

    Figure 167 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
  • Page 323: Chapter 18 IPSec VPN

    CHAPTER 18 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL.
  • Page 324: IKE SA Overview

    A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
  • Page 325: VPN Rules (IKE)

    You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well.
  • Page 326: Figure 172 SECURITY > VPN > VPN Rules (IKE)

    Figure 172 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in this screen. Table 92 SECURITY > VPN > VPN Rules (IKE). VPN Rules: These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks.
  • Page 327: IKE SA Setup

    Table 92 SECURITY > VPN > VPN Rules (IKE) (continued). Remote Network: This is the remote network behind the remote IPsec router. (Icon) Click this icon to display a screen in which you can associate a network policy to a gateway policy.
  • Page 328: Diffie-Hellman (DH) Key Exchange

    See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 18.3.1.1 on page 328 for more information about DH key groups. 18.3.1.1 Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA.
  • Page 329: Table 93 VPN Example: Matching ID Type and Content

    Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.
  • Page 330: Extended Authentication

    • The local ID type and ID content come from the certificate. On the ZyWALL, you simply select which certificate to use. • If you set the peer ID type to Any, the ZyWALL authenticates the remote IPSec router using the trusted certificates and trusted CAs you have set up.
  • Page 331: VPN, NAT, and NAT Traversal

    Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its (unencrypted) identity to the ZyWALL for authentication. Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is established.
  • Page 332: Additional IPSec VPN Topics

    18.4 Additional IPSec VPN Topics This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted. 18.4.1 SA Life Time SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations: •...
  • Page 333: Encryption and Authentication Algorithms

    Figure 177 IPSec High Availability When setting up an IPSec high availability VPN tunnel, the remote IPSec router: • Must have multiple WAN connections • Only needs to configure one corresponding IPSec rule • Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections •...
  • Page 334: VPN Rules (IKE) Gateway Policy Edit

    18.5 VPN Rules (IKE) Gateway Policy Edit In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN-Gateway Policy-Edit screen. Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
  • Page 335: Figure 178 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy

    Figure 178 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
  • Page 336: Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy

    The following table describes the labels in this screen. Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy. Property. Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 337

    Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued). Fall back to Primary Remote Gateway: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again.
  • Page 338

    Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued). Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
  • Page 339

    Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued). Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 20 on page...
  • Page 340: IPSec SA Overview

    Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued). Enable Multiple Proposals: Select this to allow the ZyWALL to use any of its phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA.
  • Page 341: Encapsulation

    Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 18.6.0.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure.
  • Page 342: Vpn Rules (Ike): Network Policy Edit

    ZyWALL 5/35/70 Series User’s Guide If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
  • Page 343: Figure 180 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    ZyWALL 5/35/70 Series User’s Guide Figure 180 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy Chapter 18 IPSec VPN...
  • Page 344: Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy

    The following table describes the labels in this screen. Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy. Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 345 Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued). Starting IP Address: When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL.
  • Page 346: VPN Rules (IKE): Network Policy Move

    Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued). Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are: NULL - no encryption key or algorithm; DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm; AES - a 128-bit key with the AES encryption algorithm...
  • Page 347: Figure 181 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy

    • The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel. • The network policy contains the IPSec SA settings. It specifies which devices (behind the IPSec routers) can use the VPN tunnel.
  • Page 348: IPSec SA Using Manual Keys

    18.9 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA.
  • Page 349: Figure 182 SECURITY > VPN > VPN Rules (Manual)

    Figure 182 SECURITY > VPN > VPN Rules (Manual). The following table describes the labels in this screen. Table 98 SECURITY > VPN > VPN Rules (Manual). This is the VPN policy index number. Name: This field displays the identification name for this VPN policy.
  • Page 350: VPN Rules (Manual): Edit

    Table 98 SECURITY > VPN > VPN Rules (Manual) (continued). Modify: Click the edit icon to edit the VPN policy. Click the delete icon to remove the VPN policy. A window displays asking you to confirm that you want to delete the VPN rule.
  • Page 351: Figure 183 SECURITY > VPN > VPN Rules (Manual) > Edit

    Figure 183 SECURITY > VPN > VPN Rules (Manual) > Edit. The following table describes the labels in this screen. Table 99 SECURITY > VPN > VPN Rules (Manual) > Edit. Property, Active: Select this check box to activate this VPN policy.
  • Page 352 Table 99 SECURITY > VPN > VPN Rules (Manual) > Edit (continued). Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
  • Page 353: VPN SA Monitor

    Table 99 SECURITY > VPN > VPN Rules (Manual) > Edit (continued). Remote Gateway Addr: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Manual Proposal: Type a unique SPI (Security Parameter Index) from one to four characters long.
  • Page 354: VPN Global Setting

    Figure 184 SECURITY > VPN > SA Monitor. The following table describes the labels in this screen. Table 100 SECURITY > VPN > SA Monitor. This is the security association index number. Name: This field displays the identification name for this VPN policy.
  • Page 355: Figure 185 SECURITY > VPN > Global Setting

    Figure 185 SECURITY > VPN > Global Setting. The following table describes the labels in this screen. Table 101 SECURITY > VPN > Global Setting. Output Idle Timer: When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity.
  • Page 356: Telecommuter VPN/IPSec Examples

    Table 101 SECURITY > VPN > Global Setting (continued). VPN rules skip applying to the overlap range: When you configure a VPN rule, the ZyWALL checks to make sure that the IP addresses in the local and remote networks do not overlap.
  • Page 357: Telecommuters Using Unique VPN Rules Example

    Table 102 Telecommuters Sharing One VPN Rule Example. My ZyWALL: Telecommuters: 0.0.0.0 (dynamic IP address assigned by the ISP); Headquarters: Public static IP address. Remote Gateway Address: Telecommuters: Public static IP address; Headquarters: 0.0.0.0. With this IP address only the telecommuter can initiate the IPSec tunnel.
  • Page 358: VPN and Remote Management

    Table 103 Telecommuters Using Unique VPN Rules Example. All Telecommuter Rules: My ZyWALL: 0.0.0.0; Remote Gateway Address: bigcompanyhq.com; Local Network - Single IP Address: 192.168.1.10; Local ID Type: E-mail; Local ID Content: bob@bigcompanyhq.com. All Headquarters Rules: My ZyWALL: bigcompanyhq.com; Remote Network - Single IP Address: 192.168.1.10; Peer ID Type: E-mail; Peer ID Content: bob@bigcompanyhq.com...
  • Page 359: Hub-and-Spoke VPN

    In the following example, the VPN rule’s local network (A) includes the ZyWALL’s LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface.
  • Page 360: Hub-and-Spoke VPN Example

    You should not use a hub-and-spoke VPN in every situation, however. The hub router is a single point of failure, so a hub-and-spoke VPN may not be appropriate if the connection between the spoke routers cannot be down occasionally (for maintenance, for example). In addition, there is a significant burden on the hub router.
  • Page 361: Hub-and-Spoke VPN Requirements and Suggestions

    • Remote IP address: 192.168.167.0/255.255.255.0
    Rule 2:
    • Remote Gateway: 10.0.0.3
    • Local IP address: 192.168.167.0~192.168.168.255
    • Remote IP address: 192.168.169.0/255.255.255.0
    Branch Office B:
    • Remote Gateway: 10.0.0.1
    • Local IP address: 192.168.169.0/255.255.255.0
    • Remote IP address: 192.168.167.0~192.168.168.255
    18.16.3 Hub-and-spoke VPN Requirements and Suggestions. Consider the following when implementing a hub-and-spoke VPN.
  • Page 362
  • Page 363: Chapter 19 Certificates

    Chapter 19 Certificates. This chapter gives background information about public-key certificates and explains how to use them. 19.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 364: Advantages of Certificates

    Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 365: Configuration Summary

    Figure 192 Certificate Details. 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 366: My Certificates

    Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates). 19.5 My Certificates Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen.
  • Page 367 Table 104 SECURITY > CERTIFICATES > My Certificates (continued). Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
  • Page 368: My Certificate Details

    19.6 My Certificate Details Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 194 on page 366). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 369: Table 105 SECURITY > CERTIFICATES > My Certificates > Details

    The following table describes the labels in this screen. Table 105 SECURITY > CERTIFICATES > My Certificates > Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate.
  • Page 370: My Certificate Export

    Table 105 SECURITY > CERTIFICATES > My Certificates > Details (continued). Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
  • Page 371: My Certificate Import

    Figure 196 SECURITY > CERTIFICATES > My Certificates > Export. The following table describes the labels in this screen. Table 106 SECURITY > CERTIFICATES > My Certificates > Export. Export the certificate in binary X.509 format: Binary X.509 is an ITU-T recommendation that defines the formats for X.509...
  • Page 372: Certificate File Formats

    Note: You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL (the certification request contains the private key). The certificate you import replaces the corresponding request in the My Certificates screen. One exception is that you can import a PKCS#12 format certificate without a corresponding certification request since the certificate includes the private key.
  • Page 373: Figure 197 SECURITY > CERTIFICATES > My Certificates > Import

    Figure 197 SECURITY > CERTIFICATES > My Certificates > Import. The following table describes the labels in this screen. Table 107 SECURITY > CERTIFICATES > My Certificates > Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 374: My Certificate Create

    The following table describes the labels in this screen. Table 108 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12. Password: Type the file’s password that was created when the PKCS #12 file was exported. Apply: Click Apply to save the certificate on the ZyWALL.
  • Page 375: Table 109 SECURITY > CERTIFICATES > My Certificates > Create

    The following table describes the labels in this screen. Table 109 SECURITY > CERTIFICATES > My Certificates > Create. Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
  • Page 376: Trusted CAs

    Table 109 SECURITY > CERTIFICATES > My Certificates > Create (continued). Enrollment Protocol: Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco.
  • Page 377: Figure 200 SECURITY > CERTIFICATES > Trusted CAs

    Figure 200 SECURITY > CERTIFICATES > Trusted CAs. The following table describes the labels in this screen. Table 110 SECURITY > CERTIFICATES > Trusted CAs. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 378: Trusted CA Details

    Table 110 SECURITY > CERTIFICATES > Trusted CAs (continued). Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen.
  • Page 379: Figure 201 SECURITY > CERTIFICATES > Trusted CAs > Details

    Figure 201 SECURITY > CERTIFICATES > Trusted CAs > Details. The following table describes the labels in this screen. Table 111 SECURITY > CERTIFICATES > Trusted CAs > Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 380 Table 111 SECURITY > CERTIFICATES > Trusted CAs > Details (continued). Certification Path: Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
  • Page 381: Trusted CA Import

    Table 111 SECURITY > CERTIFICATES > Trusted CAs > Details (continued). CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
  • Page 382: Trusted Remote Hosts

    Figure 202 SECURITY > CERTIFICATES > Trusted CAs > Import. The following table describes the labels in this screen. Table 112 SECURITY > CERTIFICATES > Trusted CAs > Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 383: Figure 203 SECURITY > CERTIFICATES > Trusted Remote Hosts

    Figure 203 SECURITY > CERTIFICATES > Trusted Remote Hosts. The following table describes the labels in this screen. Table 113 SECURITY > CERTIFICATES > Trusted Remote Hosts. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 384: Trusted Remote Hosts Import

    Table 113 SECURITY > CERTIFICATES > Trusted Remote Hosts (continued). Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL. Refresh: Click this button to display the current validity status of the certificates.
  • Page 385: Trusted Remote Host Certificate Details

    The following table describes the labels in this screen. Table 114 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 386: Figure 205 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details

    Figure 205 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details. The following table describes the labels in this screen. Table 115 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 387 Table 115 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued). Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate.
  • Page 388: Directory Servers

    Table 115 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued). Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
  • Page 389: Directory Server Add or Edit

    The following table describes the labels in this screen. Table 116 SECURITY > CERTIFICATES > Directory Servers. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 390: Table 117 SECURITY > CERTIFICATES > Directory Server > Add

    The following table describes the labels in this screen. Table 117 SECURITY > CERTIFICATES > Directory Server > Add. Directory Service Setting, Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
  • Page 391: Authentication Server

    Chapter 20 Authentication Server. This chapter discusses how to configure the ZyWALL’s authentication server feature. 20.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 392: Figure 208 SECURITY > AUTH SERVER > Local User Database

    Figure 208 SECURITY > AUTH SERVER > Local User Database
  • Page 393: RADIUS

    The following table describes the labels in this screen. Table 118 SECURITY > AUTH SERVER > Local User Database. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile.
  • Page 394: Table 119 SECURITY > AUTH SERVER > RADIUS

    The following table describes the labels in this screen. Table 119 SECURITY > AUTH SERVER > RADIUS. Authentication Server, Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
  • Page 395: Network Address Translation (NAT)

    Chapter 21 Network Address Translation (NAT). This chapter discusses how to configure NAT on the ZyWALL. 21.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 396: What NAT Does

    21.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
  • Page 397: NAT Application

    21.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 211 NAT Application With IP Alias
  • Page 398: Port Restricted Cone NAT

    21.1.5 Port Restricted Cone NAT ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network.
  • Page 399: Using NAT

    • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead. Note: Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
  • Page 400: NAT Overview Screen

    21.3 NAT Overview Screen Click ADVANCED > NAT to open the NAT Overview screen. Not all fields are available on all models. Figure 213 ADVANCED > NAT > NAT Overview. The following table describes the labels in this screen. Table 122 ADVANCED >...
  • Page 401: NAT Address Mapping

    Table 122 ADVANCED > NAT > NAT Overview (continued). WAN 1, 2: Enable NAT: Select this check box to turn on the NAT feature for the WAN port. Clear this check box to turn off the NAT feature for the WAN port. Address Mapping Rules: Select SUA to have the ZyWALL use its permanent, pre-defined NAT address...
  • Page 402: Figure 214 ADVANCED > NAT > Address Mapping

    Figure 214 ADVANCED > NAT > Address Mapping. The following table describes the labels in this screen. Table 123 ADVANCED > NAT > Address Mapping. SUA Address Mapping Rules: This read-only table displays the default address mapping rules. Full Feature Address...
  • Page 403: NAT Address Mapping Edit

    Table 123 ADVANCED > NAT > Address Mapping (continued). Global Start IP: This refers to the Inside Global IP Address (IGA), that is, the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
  • Page 404: Port Forwarding

    The following table describes the labels in this screen. Table 124 ADVANCED > NAT > Address Mapping > Edit. Type: Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address.
  • Page 405: Default Server IP Address

    21.5.1 Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen. Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 406: NAT and Multiple WAN

    Figure 216 Multiple Servers Behind NAT Example. 21.5.4 NAT and Multiple WAN The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port. 21.5.5 Port Translation The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the...
  • Page 407: Port Forwarding Screen

    Figure 217 Port Translation Example. 21.6 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. Not all fields are available on all models. Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 408: Figure 218 ADVANCED > NAT > Port Forwarding

    Figure 218 ADVANCED > NAT > Port Forwarding. The following table describes the labels in this screen. Table 126 ADVANCED > NAT > Port Forwarding. WAN Interface: Select the WAN port for which you want to view or configure address mapping rules. Default Server: In addition to the servers for specified services, NAT supports a default server.
  • Page 409: Port Triggering

    Table 126 ADVANCED > NAT > Port Forwarding (continued). Server IP Address: Enter the inside IP address of the server here. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 21.7 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
  • Page 410: Figure 220 ADVANCED > NAT > Port Triggering

    4 The ZyWALL forwards the traffic to Jane’s computer IP address. 5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
  • Page 411 Table 127 ADVANCED > NAT > Port Triggering. End Port: Type a port number or the ending port number in a range of port numbers. Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
  • Page 412
  • Page 413: Chapter 22 Static Route

    Chapter 22 Static Route. This chapter shows you how to configure static routes for your ZyWALL. 22.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 414: Figure 222 ADVANCED > STATIC ROUTE > IP Static Route

    Figure 222 ADVANCED > STATIC ROUTE > IP Static Route. The following table describes the labels in this screen. Table 128 ADVANCED > STATIC ROUTE > IP Static Route. This is the number of an individual static route. Name: This is the name that describes or identifies this route.
  • Page 415: IP Static Route Edit

    Table 128 ADVANCED > STATIC ROUTE > IP Static Route (continued). Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
  • Page 416 Table 129 ADVANCED > STATIC ROUTE > IP Static Route > Edit. Metric: Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.
  • Page 417: Chapter 23 Policy Route

    ZyWALL 5/35/70 Series User’s Guide H A P T E R Policy Route This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70. 23.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 418: Ip Routing Policy Setup

    ZyWALL 5/35/70 Series User’s Guide IPPR follows the existing packet filtering facility of RAS in style and in implementation. 23.4 IP Routing Policy Setup Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown). Figure 224 ADVANCED >...
  • Page 419: Policy Route Edit

    ZyWALL 5/35/70 Series User’s Guide The following table describes the labels in this screen. Table 130 ADVANCED > POLICY ROUTE > Policy Route Summary LABEL DESCRIPTION This is the number of an individual policy route. Active This field shows whether the policy is active or inactive. Source Address/ This is the source IP address range and/or port number range.
  • Page 420: Figure 225 Edit Ip Policy Route

    ZyWALL 5/35/70 Series User’s Guide Figure 225 Edit IP Policy Route The following table describes the labels in this screen. Table 131 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of the policy route.
  • Page 421 ZyWALL 5/35/70 Series User’s Guide Table 131 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Packet Length Type a length of packet (in bytes). The operators in the Len Compare field apply to incoming packets of this length. Length Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Comparison Equal.
  • Page 422 ZyWALL 5/35/70 Series User’s Guide Chapter 23 Policy Route...
  • Page 423: Chapter 24 Bandwidth Management

    ZyWALL 5/35/70 Series User’s Guide H A P T E R Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 24.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic.
  • Page 424: Proportional Bandwidth Allocation

    ZyWALL 5/35/70 Series User’s Guide 24.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 24.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E- mail and Video for example).
  • Page 425: Application And Subnet-Based Bandwidth Management

    ZyWALL 5/35/70 Series User’s Guide 24.6 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets. Table 132 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A...
  • Page 426: Reserving Bandwidth For Non-Bandwidth Class Traffic

    When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels.
  • Page 427: Priority-Based Allotment Of Unused And Unbudgeted Bandwidth

    24.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth. The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets. Table 134 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example. BANDWIDTH CLASSES, PRIORITIES AND ALLOTMENTS: Root Class: 10240 kbps. Administration: Priority 4, 1024 kbps...
  • Page 428: Bandwidth Borrowing

    24.8 Bandwidth Borrowing. Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class’s unused bandwidth.
  • Page 429: Maximize Bandwidth Usage With Bandwidth Borrowing

    • The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. • The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
  • Page 430: Configuring Summary

    If you use VoIP and NetMeeting at the same time, the device allocates up to 500 Kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth.
  • Page 431: Configuring Class Setup

    Table 138 ADVANCED > BW MGMT > Summary (continued). Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface’s root class (see Section 24.12 on page 431).
  • Page 432: Figure 228 Advanced > Bw Mgmt > Class Setup

    Figure 228 ADVANCED > BW MGMT > Class Setup. The following table describes the labels in this screen. Table 139 ADVANCED > BW MGMT > Class Setup. Interface: Select an interface for which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming.
  • Page 433: Bandwidth Manager Class Configuration

    Table 139 ADVANCED > BW MGMT > Class Setup (continued). Service: This is the service that this bandwidth management class is configured to manage. Destination IP Address: This is the destination IP address for connections to which this bandwidth management class applies.
  • Page 434: Figure 229 Advanced > Bw Mgmt > Class Setup > Add Sub-Class

    Figure 229 ADVANCED > BW MGMT > Class Setup > Add Sub-Class. The following table describes the labels in this screen. Table 140 ADVANCED > BW MGMT > Class Setup > Add Sub-Class. Class Configuration section. Class Name: Use the auto-generated name or enter a descriptive name of up to 20...
  • Page 435 Table 140 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued). Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
  • Page 436: Bandwidth Management Statistics

    Table 140 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued). Source End Address / Subnet Mask: If you are configuring a range of IP addresses, enter the ending IP address here.
  • Page 437: Bandwidth Manager Monitor

    Figure 230 ADVANCED > BW MGMT > Class Setup > Statistics. The following table describes the labels in this screen. Class Name: This field displays the name of the class the statistics page is showing. Budget (kbps): This field displays the amount of bandwidth allocated to the class.
  • Page 438: Figure 231 Advanced > Bw Mgmt > Monitor

    Figure 231 ADVANCED > BW MGMT > Monitor. The following table describes the labels in this screen.
  • Page 439: Chapter 25 Dns

    Chapter 25 DNS. This chapter shows you how to configure the DNS screens. 25.1 DNS Overview. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 440: Address Record

    25.4 Address Record. An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www”...
  • Page 441: System Screen

    Figure 232 Private DNS Server Example. Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
  • Page 442: Adding An Address Record

    The following table describes the labels in this screen. Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.
  • Page 443: Inserting A Name Server Record

    An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or another device to keep a record of DNS names and addresses that people on your network may use frequently. If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server.
  • Page 444: Figure 235 Advanced > Dns > Insert (Name Server Record)

    Figure 235 ADVANCED > DNS > Insert (Name Server Record). The following table describes the labels in this screen. Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • Page 445: Dns Cache

    25.7 DNS Cache. DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period.
  • Page 446: Configuring Dns Dhcp

    The following table describes the labels in this screen. DNS Cache Setup section. Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
  • Page 447: Figure 237 Advanced > Dns > Dhcp

    Figure 237 ADVANCED > DNS > DHCP. The following table describes the labels in this screen. DNS Servers Assigned by DHCP: The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.
  • Page 448: Dynamic Dns

    25.10 Dynamic DNS. Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 449: Figure 238 Advanced > Dns > Ddns

    Figure 238 ADVANCED > DNS > DDNS. The following table describes the labels in this screen. Account Setup section. Active: Select this check box to use dynamic DNS. Service Provider: This is the name of your Dynamic DNS service provider. Username: Enter your user name.
  • Page 450 IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address.
  • Page 451: Chapter 26 Remote Management

    Chapter 26 Remote Management. This chapter provides information on the Remote Management screens. 26.1 Remote Management Overview. Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 452: System Timeout

    1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in one of the remote management screens. 3 The IP address in the Secure Client IP Address field does not match the client IP address.
  • Page 453: Www

    Figure 239 HTTPS Implementation. Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 26.3 WWW. Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to configure the ZyWALL’s HTTP and HTTPS management settings.
  • Page 454: Figure 240 Advanced > Remote Mgmt > Www

    Figure 240 ADVANCED > REMOTE MGMT > WWW. The following table describes the labels in this screen. Table 143 ADVANCED > REMOTE MGMT > WWW. HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 455: Https Example

    Table 143 ADVANCED > REMOTE MGMT > WWW (continued). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
  • Page 456: Netscape Navigator Warning Messages

    26.4.2 Netscape Navigator Warning Messages. When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.
  • Page 457: Avoiding The Browser Warning Messages

    26.4.3 Avoiding the Browser Warning Messages. The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
  • Page 458: Figure 244 Login Screen (Internet Explorer)

    Figure 244 Login Screen (Internet Explorer). Figure 245 Login Screen (Netscape). Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 459: Figure 246 Replace Certificate

    Figure 246 Replace Certificate. Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure. Figure 247 Device-specific Certificate. Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate.
  • Page 460: Ssh

    Figure 248 Common ZyWALL Certificate. 26.5 SSH. Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. Figure 249 SSH Communication Example. 26.6 How SSH Works. The following table summarizes how a secure connection is established between two remote...
  • Page 461: Ssh Implementation On The Zywall

    Figure 250 How SSH Works. 1 Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
  • Page 462: Requirements For Using Ssh

    26.7.1 Requirements for Using SSH. You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH. 26.8 Configuring SSH. Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings.
  • Page 463: Secure Telnet Using Ssh Examples

    26.9 Secure Telnet Using SSH Examples. This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide. 26.9.1 Example 1: Microsoft Windows. This section describes how to access the ZyWALL using the Secure Shell Client program.
  • Page 464: Secure Ftp Using Ssh Example

    Figure 253 SSH Example 2: Test
    $ telnet 192.168.1.1 22
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
    SSH-1.5-1.0.0
    2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 465: Telnet

    Figure 255 Secure FTP: Firmware Upload Example
    $ sftp -1 192.168.1.1
    Connecting to 192.168.1.1...
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 466: Ftp

    Figure 257 ADVANCED > REMOTE MGMT > Telnet. The following table describes the labels in this screen. Table 145 ADVANCED > REMOTE MGMT > Telnet. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 467: Snmp

    Figure 258 ADVANCED > REMOTE MGMT > FTP. The following table describes the labels in this screen. Table 146 ADVANCED > REMOTE MGMT > FTP. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 468: Figure 259 Snmp Management Model

    Figure 259 SNMP Management Model. An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 469: Supported Mibs

    26.14.1 Supported MIBs. The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 26.14.2 SNMP Traps. The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Table 147 SNMP Traps...
  • Page 470: Figure 260 Advanced > Remote Mgmt > Snmp

    Figure 260 ADVANCED > REMOTE MGMT > SNMP. The following table describes the labels in this screen. Table 148 ADVANCED > REMOTE MGMT > SNMP. SNMP Configuration section. Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
  • Page 471: Dns

    26.15 DNS. Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 8 on page 147 for more information. Click ADVANCED > REMOTE MGMT > DNS to change your ZyWALL’s DNS settings. Use this screen to set from which IP address the ZyWALL will accept DNS queries and on which interface it can send them.
  • Page 472: Configuring Cnm

    If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not make any configuration changes directly on the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator. 26.17 Configuring CNM. Vantage CNM is disabled on the device by default.
  • Page 473 Table 150 ADVANCED > REMOTE MGMT > CNM (continued). Last Registration Time: This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
  • Page 475: Chapter 27 Upnp

    Chapter 27 UPnP. This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 27.1 Universal Plug and Play Overview. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 476: Upnp And Zyxel

    When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 477: Displaying Upnp Port Mapping

    Table 151 ADVANCED > UPnP. Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled...
  • Page 478: Installing Upnp In Windows Example

    The following table describes the labels in this screen. Table 152 ADVANCED > UPnP > Ports. Reserve UPnP NAT rules in flash: Select this check box to have the ZyWALL retain UPnP created NAT rules even after restarting.
  • Page 479: Installing Upnp In Windows Me

    27.4.1 Installing UPnP in Windows Me. Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 480: Installing Upnp In Windows Xp

    27.4.2 Installing UPnP in Windows XP. Follow the steps below to install UPnP in Windows XP. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 481: Auto-Discover Your Upnp-Enabled Network Device

    27.5.1 Auto-discover Your UPnP-enabled Network Device. 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 482: Web Configurator Easy Access

    Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
  • Page 483 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 484 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 485: Chapter 28 Alg Screen

    Chapter 28 ALG Screen. This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 28.1 ALG Introduction. An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer.
  • Page 486: Ftp

    If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN port to have the connection go through the secondary WAN port. When the ZyWALL uses both of the WAN ports at the same time, you can configure routing policies to specify the WAN port that the connection’s traffic is to use.
  • Page 487: Figure 265 H.323 Alg Example

    Figure 265 H.323 ALG Example. • With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ).
  • Page 488: Sip

    Figure 267 H.323 Calls from the WAN with Multiple Outgoing Calls. • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
  • Page 489: Sip Signaling Session Timeout

    The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server (1). Figure 268 SIP ALG Example. 28.5.3 SIP Signaling Session Timeout. Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
  • Page 490: Figure 269 Advanced > Alg

    Figure 269 ADVANCED > ALG. The following table describes the labels in this screen. Table 153 ADVANCED > ALG. Enable FTP: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
  • Page 491: Chapter 29 Reports

    Chapter 29 Reports. This chapter contains information about the ZyWALL’s system and threat reports. 29.1 Configuring Reports. The System Reports screens display statistics about the network usage of the LAN, DMZ or WLAN computers.
  • Page 492: Figure 270 Reports > System Reports

    Figure 270 REPORTS > SYSTEM REPORTS. Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 154 REPORTS > SYSTEM REPORTS. Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.
  • Page 493: Viewing Web Site Hits

    29.2.1 Viewing Web Site Hits. In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 494: Viewing Host Ip Address

    29.2.2 Viewing Host IP Address. In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 495: Viewing Protocol/Port

    29.2.3 Viewing Protocol/Port. In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports. Figure 273 REPORTS >...
  • Page 496: System Reports Specifications

    29.2.4 System Reports Specifications. The following table lists detailed specifications on the reports feature. Table 158 Report Specifications. Number of web sites/protocols or ports/IP addresses listed: Hit count limit: Up to 2 hits can be counted per web site. The count starts over at 0 if it passes four billion.
  • Page 497: Table 159 Reports > Threat Reports > Idp

    The following table describes the labels in this screen. Table 159 REPORTS > THREAT REPORTS > IDP. Collect Statistics: Select this check box to have the ZyWALL collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
  • Page 498: Anti-Virus Threat Reports Screen

    Figure 275 REPORTS > THREAT REPORTS > IDP > Source. The statistics display as follows when you display the top entries by destination. Figure 276 REPORTS > THREAT REPORTS > IDP > Destination. 29.4 Anti-Virus Threat Reports Screen. Click REPORTS >...
  • Page 499: Figure 278 Reports > Threat Reports > Anti-Virus > Source

    The following table describes the labels in this screen. Table 160 REPORTS > THREAT REPORTS > Anti-Virus. Collect Statistics: Select this check box to have the ZyWALL collect anti-virus statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
  • Page 500: Anti-Spam Threat Reports Screen

    Figure 279 REPORTS > THREAT REPORTS > Anti-Virus > Destination. 29.5 Anti-Spam Threat Reports Screen. Click REPORTS > THREAT REPORTS > Anti-Spam to display the Threat Reports Anti-Spam screen. This screen displays anti-spam statistics. Figure 280 REPORTS > THREAT REPORTS > Anti-Spam. The following table describes the labels in this screen.
  • Page 501 Table 161 REPORTS > THREAT REPORTS > Anti-Spam (continued). Spam Mail Detected: This field displays the number of e-mails that the ZyWALL has classified as spam. Phishing Mail Detected: This field displays the number of e-mails that the ZyWALL has classified as phishing. No Score Mail: This field displays the number of e-mails for which the ZyWALL did not receive a...
  • Page 502: Figure 281 Reports > Threat Reports > Anti-Spam > Source

    Figure 281 REPORTS > THREAT REPORTS > Anti-Spam > Source. The statistics display as follows when you display the score distribution. Figure 282 REPORTS > THREAT REPORTS > Anti-Spam > Score Distribution.
  • Page 503: Chapter 30 Logs Screens

    Chapter 30 Logs Screens. This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Section 30.3.1 on page 509 for example log message explanations. 30.1 Configuring View Log. The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 504: Log Description Example

    The following table describes the labels in this screen. Table 162 LOGS > View Log. Display: The categories that you select in the Log Settings page (see Section 30.3 on page 506) display in the drop-down list box. Select a category of logs to view;...
  • Page 505: About The Certificate Not Trusted Log

    Table 163 Log Description Example. notes: The ZyWALL blocked the packet. message: The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet.
  • Page 506: Configuring Log Settings

    Figure 285 myZyXEL.com: Certificate Download. 30.3 Configuring Log Settings. To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send.
  • Page 507: Figure 286 Logs > Log Settings

    Figure 286 LOGS > Log Settings.
  • Page 508: Table 164 Logs > Log Settings

    The following table describes the labels in this screen. Table 164 LOGS > Log Settings. E-mail Log Settings section. Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 509: Log Descriptions

    Table 164 LOGS > Log Settings (continued). Select the categories of logs that you want to record. Logs include alerts. Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
  • Page 510

    Table 165 System Maintenance Logs (continued). “Time initialized by Time server”: The router got the time and date from the time server. “Time initialized by NTP server”: The router got the time and date from the NTP server. The router was not able to connect to the Daytime server.
  • Page 511: Table 166 System Error Logs

    Table 166 System Error Logs. “%s exceeds the max. number of session per host.”: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
  • Page 512: Table 168 Tcp Reset Logs

    Table 167 Access Control Logs (continued). “Exceed maximum sessions per host (%d).”: The device blocked a session because the host's connections exceeded the maximum sessions per host. “Firewall allowed a packet that ...”: A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.
  • Page 513: Table 169 Packet Filter Logs

    Table 169 Packet Filter Logs. “[ TCP | UDP | ICMP | IGMP | Generic ] packet filter”: Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.
  • Page 514: Table 172 Ppp Logs

    Table 172 PPP Logs. “ppp:LCP Starting”: The PPP connection’s Link Control Protocol stage has started. “ppp:LCP Opening”: The PPP connection’s Link Control Protocol stage is opening. “ppp:CHAP Opening”: The PPP connection’s Challenge Handshake Authentication Protocol stage is opening.
  • Page 515: Table 175 Attack Logs

    Table 174 Content Filtering Logs (continued). When the content filter is not on according to the time schedule or you didn't select the “Block Matched Web Site” check box, the system forwards the web content. “Waiting content filter”: The external content filtering server did not respond within the timeout period.
  • Page 516: Table 176 Remote Management Logs

    Table 175 Attack Logs (continued). “ip spoofing - no routing entry ICMP (type:%d, code:%d)”: The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack. “vulnerability ICMP (type:%d, code:%d)”: The firewall detected an ICMP vulnerability attack. The firewall detected an ICMP traceroute attack.
  • Page 517: Table 177 Wireless Logs

    Table 176 Remote Management Logs. “Remote Management: SNMP denied”: Attempted use of SNMP service was blocked according to remote management settings. “Remote Management: DNS denied”: Attempted use of DNS service was blocked according to remote management settings.
  • Page 518: Table 179 Ike Logs

    Table 179 IKE Logs. “Active connection allowed exceeded”: The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached. “Start Phase 2: Quick Mode”: Phase 2 Quick Mode has started. “Verifying Remote ID failed: ...”: The connection failed during IKE phase 2 because the router...
  • Page 519

    Table 179 IKE Logs (continued). “Remote IP <Remote IP> / <Remote IP> conflicts”: The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with static rule #d;...
  • Page 520

    Table 179 IKE Logs (continued). “Rule [%d] Phase 2 authentication algorithm mismatch”: The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer. “Rule [%d] Phase 2 ...”: The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer.
  • Page 521: Table 180 Pki Logs

    Table 180 PKI Logs. “Enrollment successful”: The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port. “Enrollment failed”: The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.
  • Page 522: Table 181 802.1X Logs

    Certificate result codes (CODE / DESCRIPTION): Algorithm mismatch between the certificate and the search constraints. Key usage mismatch between the certificate and the search constraints. Certificate was not valid in the time interval. (Not used) Certificate is not valid. Certificate signature was not verified correctly.
  • Page 523: Table 182 Acl Setting Notes

    Table 181 802.1X Logs (continued). “Local User Database does not find user`s credential.”: A user was not authenticated by the local user database because the user is not listed in the local user database. A user was authenticated by the RADIUS Server.
  • Page 524: Table 183 Icmp Notes

    Table 182 ACL Setting Notes (continued). (L to L/ZW) LAN to LAN/ZyWALL: ACL set for packets traveling from the LAN to the LAN or the ZyWALL. (W to W/ZW) WAN to WAN/ZyWALL: ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
  • Page 525: Table 184 Idp Logs

    Table 183 ICMP Notes (continued). Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded. Parameter Problem: Pointer indicates the error. Timestamp: Timestamp request message. Timestamp Reply: Timestamp reply message. Information Request: Information request message. Information Reply...
  • Page 526: Table 185 Av Logs

    Table 184 IDP Logs (continued). “Signature update OK - New signature version: <Signature version> Release Date: <Release date>!”: The device updated the signature file successfully. The signature file’s version and release date are included. The turbo card is not installed.
  • Page 527: Table 186 As Logs

    Table 185 AV Logs (continued). “The turbo card is not ready , please insert the card and reboot!”: The turbo card is not installed. “The system is doing signature update now , please wait!”: The device is updating the signature file. Table 186 AS Logs...
  • Page 528

    Table 186 AS Logs (continued). “Remove rating server [%Rating Server IP Address%] from server list!”: The listed server IP address has been removed from the list of anti-spam external database servers. “This is a phishing mail ...”: The spam score (listed) for the e-mail with the listed source and subject was higher than the spam score threshold.
  • Page 529: Syslog Logs

    30.4 Syslog Logs. There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session"...
  • Page 530: Table 188 Rfc-2408 Isakmp Payload Types

    Table 187 Syslog Logs (continued). “Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss”: This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
  • Page 531: Chapter 31 Maintenance

    Chapter 31 Maintenance. This chapter describes the maintenance screens. 31.1 Maintenance Overview. The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 31.2 General Setup and System Name. General Setup contains administrative and system-related information.
  • Page 532: Configuring Password

    Figure 287 MAINTENANCE > General Setup. The following table describes the labels in this screen. Table 189 MAINTENANCE > General Setup. General Setup. System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 533: Time And Date

    Figure 288 MAINTENANCE > Password. The following table describes the labels in this screen. Table 190 MAINTENANCE > Password. Old Password: Type the default password or the existing password you use to access the system in this field.
  • Page 534: Figure 289 Maintenance > Time And Date

    Figure 289 MAINTENANCE > Time and Date. The following table describes the labels in this screen. Table 191 MAINTENANCE > Time and Date. Current Time and Date. Current Time: This field displays the ZyWALL’s present time. Current Date: This field displays the ZyWALL’s present date.
  • Page 535

    Table 191 MAINTENANCE > Time and Date (continued). Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below. Time Protocol: Select the time service protocol that your time server uses.
  • Page 536: Pre-Defined Ntp Time Server Pools

    31.5 Pre-defined NTP Time Server Pools. When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools.
  • Page 537: Introduction To Transparent Bridging

    Click the Return button to go back to the Time and Date screen after the time and date are updated successfully. Figure 291 Synchronization is Successful. If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
  • Page 538: Transparent Firewalls

    Table 192 MAC-address-to-port Mapping Table (HOST / MAC ADDRESS / PORT): 00a0c51234bc, 00a0c51234de. For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.
  • Page 539: Configuring Device Mode (Router)

    31.8 Configuring Device Mode (Router). Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall).
  • Page 540: Configuring Device Mode (Bridge)

    Table 193 MAINTENANCE > Device Mode (Router Mode) (continued). Router: When the ZyWALL is in router mode, there is no need to select or clear this radio button. IP Address: Click LAN, WAN, DMZ or WLAN to go to the LAN, WAN, DMZ or WLAN screen where you can view and/or change the corresponding settings.
  • Page 541: Figure 294 Maintenance > Device Mode (Bridge Mode)

    You can use the firewall and VPN in bridge mode. Figure 294 MAINTENANCE > Device Mode (Bridge Mode). The following table describes the labels in this screen. Table 194 MAINTENANCE > Device Mode (Bridge Mode). Current Device...
  • Page 542: F/W Upload Screen

    Table 194 MAINTENANCE > Device Mode (Bridge Mode) (continued). Apply: Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the LAN Interface IP Address field to access the ZyWALL again.
  • Page 543: Figure 296 Firmware Upload In Process

    After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 296 Firmware Upload In Process. The ZyWALL automatically restarts during this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 544: Backup And Restore

    31.11 Backup and Restore. See Section 47.5 on page 672 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next. Figure 299 MAINTENANCE >...
  • Page 545: Restore Configuration

    31.11.2 Restore Configuration. Load a configuration file from your computer to your ZyWALL. Table 196 Restore Configuration. File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 546: Back To Factory Defaults

    Figure 302 Configuration Upload Error. 31.11.3 Back to Factory Defaults. Click the Reset button to clear all user-entered configuration information and return the ZyWALL to its factory defaults as shown on the screen. The following warning screen appears.
  • Page 547: Figure 304 Maintenance > Restart

    Figure 304 MAINTENANCE > Restart
  • Page 548
  • Page 549: Chapter 32 Introducing The Smt

    Chapter 32 Introducing the SMT. This chapter explains how to access the System Management Terminal and gives an overview of its menus. 32.1 Introduction to the SMT. The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 550: Entering The Password

    Figure 305 Initial Screen: Copyright (c) 1994 - 2004 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:A0:C5:01:23:45 initialize ch =1, ethernet address: 00:A0:C5:01:23:46 initialize ch =2, ethernet address: 00:A0:C5:01:23:47 initialize ch =3, ethernet address: 00:A0:C5:01:23:48 initialize ch =4, ethernet address: 00:00:00:00:00:00 AUX port init .
  • Page 551: Main Menu

    Table 197 Main Menu Commands. Operation: Move to a “hidden” menu. Keystrokes: Press [SPACE BAR] to change No to Yes then press ... Description: Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes, and then press [ENTER] to go to a “hidden”...
  • Page 552: Figure 307 Main Menu (Router Mode)

    Figure 307 Main Menu (Router Mode): Copyright (c) 1994 - 2005 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. WAN Setup 22. SNMP Configuration 3.
  • Page 553: Smt Menus Overview

    Table 198 Main Menu Summary. LAN Setup: Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings. Internet Access Setup: Configure your Internet access setup (Internet address, gateway, login, etc.) with this menu.
  • Page 554

    Table 199 SMT Menus Overview (continued). 6 Route Setup (for the ZyWALL 35 and the ZyWALL 70): 6.1 Route Assessment; 6.2 Traffic Redirect; 6.3 Route Failover. 7 Wireless Setup: 7.1 Wireless Setup; 7.1.1 WLAN MAC Address Filter; 7.2 TCP/IP and DHCP...
  • Page 555: Changing The System Password

    Table 199 SMT Menus Overview (continued). 24 System Maintenance: 24.1 System Status; 24.2 System Information and Console Port Speed (24.2.1 System Information; 24.2.2 Console Port Speed); 24.3 Log and Trace (24.3.1 View Error Log; 24.3.2 Syslog Logging; 24.3.4 Call-Triggering Packet); 24.4 Diagnostic...
  • Page 556: Resetting The Zywall

    Figure 309 Menu 23: System Password. Menu 23 - System Password Old Password= ? New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER].
  • Page 557: Smt Menu 1 - General Setup

    Chapter 33 SMT Menu 1 - General Setup. Menu 1 - General Setup contains administrative and system-related information. 33.1 Introduction to General Setup. Menu 1 - General Setup contains administrative and system-related information. 33.2 Configuring General Setup. 1 Enter 1 in the main menu to open Menu 1 - General Setup.
  • Page 558: Figure 311 Menu 1: General Setup (Bridge Mode)

    Table 200 Menu 1: General Setup (Router Mode) (continued). Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…”...
  • Page 559: Configuring Dynamic Dns

    33.2.1 Configuring Dynamic DNS. To configure Dynamic DNS, set the ZyWALL to router mode (in menu 1 or in the MAINTENANCE > Device Mode screen), go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
  • Page 560: Figure 313 Menu 1.1.1: Ddns Host Summary

    Figure 313 Menu 1.1.1: DDNS Host Summary. Menu 1.1.1 DDNS Host Summary Summary --- - ------------------------------------------------------- Hostname=ZyWALL, Type=Dynamic,WC=Yes,Offline=No,Policy=DDNS Server Detect, WAN1, HA=Yes _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 561: Figure 314 Menu 1.1.1: Ddns Edit Host

    Figure 314 Menu 1.1.1: DDNS Edit Host. Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDNS Server Auto Detect= Yes Use User-Defined= N/A Use WAN IP Address= N/A...
  • Page 562

    Table 204 Menu 1.1.1: DDNS Edit Host (continued). IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP address.
  • Page 563: Wan And Dial Backup Setup

    Chapter 34 WAN and Dial Backup Setup. This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 34.1 Introduction to WAN and Dial Backup Setup. This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.
  • Page 564: Dial Backup

    The following table describes the fields in this screen. Table 205 MAC Address Cloning in WAN Setup. (WAN 1/2) MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
  • Page 565: Advanced Wan Setup

    Figure 316 Menu 2: Dial Backup Setup. Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A WAN 2 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String:...
  • Page 566: Figure 317 Menu 2.1: Advanced Wan Setup

    To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
  • Page 567: Remote Node Profile (Backup Isp)

    Table 208 Advanced WAN Port Setup: Call Control Parameters. Call Control. Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 568: Figure 318 Menu 11.3: Remote Node Profile (Backup Isp)

    Figure 318 Menu 11.3: Remote Node Profile (Backup ISP). Menu 11.3 - Remote Node Profile (Backup ISP) Rem Node Name= Edit PPP Options= No Active= No Edit IP= No Outgoing: Edit Script Options= No My Login= ChangeMe My Password= ******** Telco Option: Retype to Confirm= ********...
  • Page 569: Editing Ppp Options

    Table 209 Menu 11.3: Remote Node Profile (Backup ISP) (continued). Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 34.8 on page 570 for more information.
  • Page 570: Editing Tcp/Ip Options

    Figure 319 Menu 11.3.1: Remote Node PPP Options. Menu 11.3.1 - Remote Node PPP Options Encapsulation= Standard PPP Compression= No Enter here to CONFIRM or ESC to CANCEL: This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.
  • Page 571: Figure 320 Menu 11.3.2: Remote Node Network Layer Options

    Figure 320 Menu 11.3.2: Remote Node Network Layer Options. Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 Network Address Translation= SUA Only NAT Lookup Set= 255 Metric= 15 Private= No...
  • Page 572: Editing Login Script

    Table 211 Menu 11.3.2: Remote Node Network Layer Options. NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...
  • Page 573: Figure 321 Menu 11.3.3: Remote Node Script

    You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear. They are replaced with the outgoing login name and password in the remote node when the ZyWALL sees them in a ‘Send’...
  • Page 574: Remote Node Filter

    The following table describes the fields in this menu. Table 212 Menu 11.3.3: Remote Node Script. Active: Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
  • Page 575: Chapter 35 Lan Setup

    Chapter 35 LAN Setup. This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 35.1 Introduction to LAN Setup. This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
  • Page 576: Tcp/Ip And Dhcp Ethernet Setup Menu

    Figure 324 Menu 3.1: LAN Port Filter Setup. Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 35.4 TCP/IP and DHCP Ethernet Setup Menu. From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
  • Page 577: Figure 326 Menu 3.2: Tcp/Ip And Dhcp Ethernet Setup

    Figure 326 Menu 3.2: TCP/IP and DHCP Ethernet Setup. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.33 IP Address= 192.168.1.1 Size of Client IP Pool= 128 IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-1...
  • Page 578: Table 214 Menu 3.2: Lan Tcp/Ip Setup Fields

    Table 213 Menu 3.2: DHCP Ethernet Setup Fields. First DNS Server / Second DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
  • Page 579: Ip Alias Setup

    35.4.1 IP Alias Setup. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Use menu 3.2 to configure the first network.
  • Page 580

    Table 215 Menu 3.2.1: IP Alias Setup (continued). Outgoing Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
  • Page 581: Chapter 36 Internet Access

    Chapter 36 Internet Access. This chapter shows you how to configure your ZyWALL for Internet access. 36.1 Introduction to Internet Access Setup. Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 582: Table 216 Menu 4: Internet Access Setup (Ethernet)

    The following table describes the fields in this menu. Table 216 Menu 4: Internet Access Setup (Ethernet). ISP’s Name: This is the descriptive name of your ISP for identification purposes. Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
  • Page 583: Configuring The Pptp Client

    36.3 Configuring the PPTP Client. Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 584: Basic Setup Complete

    Figure 330 Internet Access Setup (PPPoE). Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
  • Page 585: Chapter 37 Dmz Setup

    Chapter 37 DMZ Setup. This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 37.1 Configuring DMZ Setup. From the main menu, enter 5 to open Menu 5 - DMZ Setup. Figure 331 Menu 5: DMZ Setup. Menu 5 - DMZ Setup...
  • Page 586: Ip Address

    37.3.1 IP Address. From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 333 Menu 5: DMZ Setup. Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2.
  • Page 587: Ip Alias Setup

    37.3.2 IP Alias Setup. Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next.
  • Page 588
  • Page 589: Chapter 38 Route Setup

    Chapter 38 Route Setup. This chapter describes how to configure the ZyWALL's traffic redirect. This chapter applies to the ZyWALL 35 and ZyWALL 70. 38.1 Configuring Route Setup. From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 336 Menu 6: Route Setup. Menu 6 - Route Setup 1.
  • Page 590: Traffic Redirect

    The following table describes the fields in this menu. Table 219 Menu 6.1: Route Assessment. Probing WAN 1/2 Check Point: Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility.
  • Page 591: Route Failover

    Table 220 Menu 6.2: Traffic Redirect. Metric: This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.5 on page 151). The smaller the number, the higher...
  • Page 592
  • Page 593: Chapter 39 Wireless Setup

    Chapter 39 Wireless Setup. Use menu 7 to set up your ZyWALL as the wireless access point. 39.1 Wireless LAN Setup. Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
  • Page 594: Table 222 Menu 7.1: Wireless Setup

    Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 222 Menu 7.1: Wireless Setup. Enable Wireless LAN: Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default.
  • Page 595: Mac Address Filter Setup

    39.1.1 MAC Address Filter Setup. Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses, so MAC-based authentication is less secure than EAP authentication. Follow the steps below to create the MAC address table on your ZyWALL.
  • Page 596: Tcp/Ip Setup

    Table 223 Menu 7.1.1: WLAN MAC Address Filter. Address 1..12: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the ZyWALL in these address fields. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
  • Page 597: Ip Alias Setup

    Figure 343 Menu 7.2: TCP/IP and DHCP Ethernet Setup. Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None TCP/IP Setup: Client IP Pool: Starting Address= N/A IP Address= 0.0.0.0 Size of Client IP Pool= N/A IP Subnet Mask= 0.0.0.0 RIP Direction= None Version= N/A...
  • Page 598: Figure 344 Menu 7.2.1: IP Alias Setup

    Figure 344 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A...
  • Page 599: Chapter 40 Remote Node Setup

    Chapter 40 Remote Node Setup This chapter shows you how to configure a remote node. 40.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 600: Remote Node Profile Setup

    Figure 345 Menu 11: Remote Node Setup Menu 11 - Remote Node Setup 1. WAN_1 (ISP, SUA) 2. WAN_2 (ISP, NAT) 3. -Dial (BACKUP_ISP, SUA) Enter Node # to Edit: 40.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu.
  • Page 601: Table 224 Menu 11.1: Remote Node Profile for Ethernet Encapsulation

    The following table describes the fields in this menu. Table 224 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters.
  • Page 602: PPPoE Encapsulation

    40.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Figure 347 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe...
  • Page 603: Metric

    40.3.2.3 Metric See Section 8.5 on page 151 for details on the Metric field. Table 225 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
  • Page 604: Edit IP

    Figure 348 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
  • Page 605: Figure 349 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation

    Figure 349 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= N/A Rem Subnet Mask= N/A My WAN Addr= N/A Network Address Translation= SUA Only NAT Lookup Set= 255 Metric= 1...
  • Page 606: Remote Node Filter

    Table 227 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION NAT Lookup Set If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...
  • Page 607: Traffic Redirect

    Figure 350 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 351 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets:...
  • Page 608: Figure 352 Menu 11.1.5: Traffic Redirect Setup

    Figure 352 Menu 11.1.5: Traffic Redirect Setup Menu 11.1.5 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0 Metric= 14 Check WAN IP Address= 0.0.0.0 Fail Tolerance= 10 Period(sec)= 300 Timeout(sec)= 8 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu.
  • Page 609: Chapter 41 IP Static Route Setup

    Chapter 41 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 41.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
  • Page 610: Figure 354 Menu 12.1: Edit IP Static Route

    Figure 354 Menu 12.1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL:...
  • Page 611: Network Address Translation (NAT)

    Chapter 42 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 42.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
  • Page 612: Figure 355 Menu 4: Applying NAT for Internet Access

    Figure 355 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A...
  • Page 613: NAT Setup

    The following table describes the fields in this menu. Table 230 Applying NAT in Menus 4 & 11.1.2 FIELD OPTIONS DESCRIPTION Network Address Translation Full Feature When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see...
  • Page 614: Address Mapping Sets

    42.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 358 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1. NAT_SET 2. example 255. SUA (read only) Enter Menu Selection Number: 42.2.1.1 SUA Address Mapping Set Enter 255 to display the next screen (see also...
  • Page 615: User-Defined Address Mapping Sets

    Note: Menu 15.1.255 is read-only. Table 231 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
  • Page 616: Ordering Your Rules

    Figure 360 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server Action= None...
  • Page 617: Figure 361 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

    Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set, including deleting a rule. No changes to the set take place until this action is taken. Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule, in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.
  • Page 618: Configuring a Server Behind NAT

    Table 233 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Server Mapping This field is available only when you select Server in the Type field. Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…”...
  • Page 619: Figure 363 Menu 15.2.1: NAT Server Sets

    Figure 363 Menu 15.2.1: NAT Server Sets Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel:...
  • Page 620: Figure 364 15.2.1.2: NAT Server Configuration

    Figure 364 15.2.1.2: NAT Server Configuration 15.2.1.2 - NAT Server Configuration Wan= 1 Index= 2 ------------------------------------------------ Name= 1 Active= Yes Start port= 21 End port= 25 IP Address= 192.168.1.33 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 621: General NAT Examples

    Figure 365 Menu 15.2.1: NAT Server Setup Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel:...
  • Page 622: Figure 367 NAT Example 1

    Figure 367 NAT Example 1 Figure 368 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic...
  • Page 623: Example 2: Internet Access with a Default Server

    42.4.2 Example 2: Internet Access with a Default Server Figure 369 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.
  • Page 624: Figure 371 NAT Example 3

    1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
  • Page 625: Figure 372 Example 3: Menu 11.1.2

    Figure 372 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 2 Private= RIP Direction= None Version= N/A...
  • Page 626: Figure 374 Example 3: Final Menu 15.1.1

    Figure 374 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 1. 192.168.1.10 10.132.50.1 192.168.1.11 10.132.50.2...
  • Page 627: Example 4: NAT Unfriendly Application Programs

    42.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping, as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 628: Trigger Port Forwarding

    Figure 378 Example 4: Menu 15.1.1: Address Mapping Rules Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 192.168.1.10 192.168.1.12 10.132.50.1...
  • Page 629: Figure 379 Menu 15.3.1: Trigger Port Setup

    Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN ports, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and configure trigger port rules for the first or second WAN port.
  • Page 631: Introducing the ZyWALL Firewall

    Chapter 43 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 43.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 632: Figure 381 Menu 21.2: Firewall Setup

    Figure 381 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.
  • Page 633: Chapter 44 Filter Configuration

    Chapter 44 Filter Configuration This chapter shows you how to create and apply filters. 44.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
  • Page 634: The Filter Structure of the ZyWALL

    44.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 635: Figure 383 Filter Rule Process

    Figure 383 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 636: Configuring a Filter Set

    44.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 384 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1.
  • Page 637: Configuring a Filter Rule

    Table 236 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here.
  • Page 638: Configuring a TCP/IP Filter Rule

    To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets.
  • Page 639 Table 238 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Destination IP Addr Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. IP Mask Enter the IP mask to apply to the Destination IP Addr. Port # Enter the destination port of the packets that you wish to filter.
  • Page 640: Configuring a Generic Filter Rule

    Figure 387 Executing an IP Filter 44.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is...
  • Page 641: Figure 388 Menu 21.1.1.1: Generic Filter Rule

    to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 642: Example Filter

    Table 239 Generic Filter Rule Menu Fields FIELD DESCRIPTION More If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.
  • Page 643: Figure 390 Example Filter: Menu 21.1.3.1

    6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Figure 390 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes...
  • Page 644: Filter Types and NAT

    M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched, no matter whether there are more rules to be checked (there aren’t in this example).
  • Page 645: Packet Filtering

    44.5.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed. • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
  • Page 646: Applying a Filter

    6 The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database. 44.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections.
  • Page 647: Applying Remote Node Filters

    Figure 394 Filtering DMZ Traffic Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 44.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below –...
  • Page 649: Chapter 45 SNMP Configuration

    Chapter 45 SNMP Configuration This chapter explains SNMP configuration menu 22. 45.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
  • Page 650: SNMP Traps

    Table 240 SNMP Configuration Menu Fields (continued) FIELD DESCRIPTION Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 651: System Information & Diagnosis

    Chapter 46 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 46.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 652: Figure 398 Menu 24.1: System Maintenance: Status

    3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 398 Menu 24.1: System Maintenance: Status Menu 24.1 - System Maintenance - Status 08:17:55 Wed.
  • Page 653: System Information and Console Port Speed

    Table 242 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION Rx B/s This field shows the reception speed in Bytes per second on this port. Up Time This is the total amount of time the line has been up. Ethernet Address This is the MAC address of the port listed on the left.
  • Page 654: Console Port Speed

    Figure 400 Menu 24.2.1: System Maintenance: Information Menu 24.2.1 - System Maintenance - Information Name: Routing: IP ZyNOS F/W Version: V4.00(WM.0)b2 | 07/25/2005 Country Code: 255 Ethernet Address: 00:A0:C5:01:23:45 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: The following table describes the fields in this screen.
  • Page 655: Log and Trace

    Figure 401 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. 46.4 Log and Trace There are two logging facilities in the ZyWALL.
  • Page 656: Syslog Logging

    Figure 403 Examples of Error and Information Messages 52 Thu Jul 1 05:54:53 2004 PP05 ERROR Wireless LAN init fail, code=15 53 Thu Jul 1 05:54:53 2004 PINI INFO Channel 0 ok 54 Thu Jul 1 05:54:56 2004 PP05 -WARN SNMP TRAP 3: interface 3: link up 55 Thu Jul...
  • Page 657: Packet Triggered

    Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message formats are shown next: 1 CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board...
  • Page 658: PPP Log

    Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol ("TCP","UDP","ICMP")
  • Page 659: Call-Triggering Packet

    46.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Figure 405 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Time: 17:02:44.262...
  • Page 660: WAN DHCP

    1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 406 Menu 24.4: System Maintenance: Diagnostic Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1.
  • Page 661: Table 245 System Maintenance Menu Diagnostic

    Table 245 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings.
  • Page 663: Firmware and Configuration File Maintenance

    Chapter 47 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 47.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware.
  • Page 664: Backup Configuration

    The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
  • Page 665: Using the FTP Command from the Command Line

    Figure 408 Telnet into Menu 24.5 Menu 24.5 - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root"...
  • Page 666: Example of FTP Commands from the Command Line

    47.3.3 Example of FTP Commands from the Command Line Figure 409 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds...
  • Page 667: Backup Configuration Using TFTP

    4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running. 47.3.6 Backup Configuration Using TFTP The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
  • Page 668: GUI-based TFTP Clients

    47.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 248 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped.
  • Page 669: Restore Configuration

    Figure 412 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
  • Page 670: Figure 414 Telnet into Menu 24.6

    Figure 414 Telnet into Menu 24.6 Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 671: Restore Using FTP Session Example

    47.4.2 Restore Using FTP Session Example Figure 415 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 672: Uploading Firmware and Configuration Files

    4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 419 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot. 47.5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
  • Page 673: Configuration File Upload

    Figure 420 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 674: FTP File Upload Command from the DOS Prompt Example

    47.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “1234”).
  • Page 675: TFTP Upload Command Example

    1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address. 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 –...
  • Page 676: Example Xmodem Firmware Upload Using HyperTerminal

    Figure 423 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 677: Example Xmodem Configuration Upload Using HyperTerminal

    Figure 425 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 679: System Maintenance Menus 8 to 10

    Chapter 48 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 48.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 680: Command Usage

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 428 Valid Commands Copyright (c) 1994 - 2005 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 681: Call Control Support

    Table 249 Valid Commands COMMAND DESCRIPTION These commands configure bandwidth management settings and display bandwidth management information. These commands configure intrusion detection and prevention settings. These commands configure anti-virus settings. These commands configure anti-spam settings. certificates These commands display certificate information and configure certificate settings.
  • Page 682: Call History

    Figure 430 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.WAN_1 No Budget No Budget 2.WAN_2 No Budget No Budget 3.Dial No Budget No Budget Reset Node (0 to update screen): The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
  • Page 683: Time and Date Setting

    Figure 431 Call History Menu 24.9.2 - Call History Phone Number Rate #call Total Enter Entry to Delete(0 to exit): The following table describes the fields in this screen. Table 251 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here.
  • Page 684: Figure 432 Menu 24: System Maintenance

    Figure 432 Menu 24: System Maintenance Menu 24 - System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode Call Control 10. Time and Date Setting 11.
  • Page 685: Table 252 Menu 24.10 System Maintenance: Time and Date Setting

    Table 252 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 686 ZyWALL 5/35/70 Series User’s Guide Table 252 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION End Date (mm- Configure the day and time when Daylight Saving Time ends if you selected Yes in nth-week-hr) the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October.
  • Page 687: Chapter 49 Remote Management

    CHAPTER Remote Management This chapter covers remote management found in SMT menu 24.11. 49.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via: •...
  • Page 688: Figure 434 Menu 24.11 - Remote Management Control

    Figure 434 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secure Client IP = 0.0.0.0 SSH Server: Certificate = auto_generated_self_signed_cert...
  • Page 689: Remote Management Limitations

    49.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11.
  • Page 690 Chapter 49 Remote Management...
  • Page 691: Chapter 50 IP Policy Routing

    CHAPTER IP Policy Routing This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70. 50.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 692: IP Routing Policy Setup

    Table 254 Menu 25: Sample IP Routing Policy Summary (continued) FIELD DESCRIPTION Criteria/Action This displays the details about which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to Table 255 on page 692 for detailed information.
  • Page 693: Figure 436 Menu 25.1: IP Routing Policy Setup

    1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).
  • Page 694: Applying Policy to Packets

    Table 256 Menu 25.1: IP Routing Policy Setup FIELD DESCRIPTION port start / end Source port number range from start to end; applicable only for TCP/UDP. Destination addr start / end Destination IP address range from start to end. port start / end Destination port number range from start to end;...
  • Page 695: IP Policy Routing Example

    Figure 437 Menu 25.1.1: IP Routing Policy Setup Menu 25.1.1 - IP Routing Policy Setup Apply policy to packets received from: LAN= No DMZ= No WLAN= No ALL WAN= Yes Selected Remote Node index= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 696: Figure 438 Example of IP Policy Routing

    Figure 438 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
  • Page 697: Figure 439 IP Routing Policy Example 1

    Figure 439 IP Routing Policy Example 1 Menu 25.1 - IP Routing Policy Setup Rule Index= 1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= Equal Source: addr start= 192.168.1.33 end= 192.168.1.64...
  • Page 698: Figure 440 IP Routing Policy Example 2

    Figure 440 IP Routing Policy Example 2 Menu 25.1 - IP Routing Policy Setup Rule Index= 2 Active= No Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= Equal Source: addr start= 0.0.0.0 end= N/A...
  • Page 699: Chapter 51 Call Scheduling

    CHAPTER Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 51.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 700: Figure 442 Schedule Set Setup

    Figure 442 Schedule Set Setup Menu 26.1 - Schedule Set Setup Active= Yes How Often= Once Start Date(yyyy-mm-dd) = N/A Once: Date(yyyy-mm-dd)= 2000 - 01 - 01 Weekdays: Sunday= N/A Monday= N/A Tuesday= N/A Wednesday= N/A Thursday= N/A Friday= N/A Saturday= N/A...
  • Page 701: Figure 443 Applying Schedule Set(s) to a Remote Node (PPPoE)

    Table 258 Schedule Set Setup (continued) FIELD DESCRIPTION Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line.
  • Page 702: Figure 444 Applying Schedule Set(s) to a Remote Node (PPTP)

    Figure 444 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
  • Page 703: Chapter 52 Troubleshooting

    CHAPTER Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
  • Page 704: Problems with the DMZ Interface

    52.3 Problems with the DMZ Interface Table 261 Troubleshooting the DMZ Interface PROBLEM CORRECTIVE ACTION Cannot access servers on the DMZ from the LAN. Check your Ethernet cable type and connections. Refer to the Quick Start Guide for DMZ connection instructions.
  • Page 705: Problems Accessing the ZyWALL

    52.5 Problems Accessing the ZyWALL Table 263 Troubleshooting Accessing the ZyWALL PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL. The default password is “1234”. The password field is case sensitive. Make sure that you enter the correct password using the proper casing. Use the Reset button to restore the factory default configuration file.
  • Page 706: Internet Explorer Pop-up Blockers

    • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary. 52.5.1.1 Internet Explorer Pop-up Blockers You may have to disable pop-up blocking to log into your device.
  • Page 707: Figure 446 Internet Options: Privacy

    Figure 446 Internet Options: Privacy 3 Click Apply to save this setting. 52.5.1.1.2 Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings… to open the Pop-up Blocker Settings screen.
  • Page 708: Figure 447 Internet Options: Privacy

    Figure 447 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites. Chapter 52 Troubleshooting...
  • Page 709: JavaScripts

    Figure 448 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 52.5.1.2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 710: Figure 449 Internet Options: Security

    Figure 449 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window.
  • Page 711: Java Permissions

    Figure 450 Security Settings - Java Scripting 52.5.1.3 Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
  • Page 712: Figure 451 Security Settings - Java

    Figure 451 Security Settings - Java 52.5.1.3.1 JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window.
  • Page 713: Packet Flow

    Figure 452 Java (Sun) 52.6 Packet Flow The following is the packet check flow on the ZyWALL. LAN/DMZ/WLAN to WAN: LAN/DMZ Data and Call Filtering (in SMT menu 21) -> Firewall -> IDP -> Anti-Virus -> Anti-Spam -> Remote Node Data Filtering (in SMT menu 21) ->...
  • Page 714 Chapter 52 Troubleshooting...
  • Page 715: Product Specifications

    APPENDIX Product Specifications See also the Introduction chapter for a general overview of the key features. Specification Tables Table 264 Device Specifications Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234...
  • Page 716: Table 265 Performance

    Table 264 Device Specifications (continued) Operation Humidity 20% ~ 95% RH (non-condensing) Storage Humidity 20% ~ 95% RH (non-condensing) Certifications EMC: FCC Class B, CE-EMC Class B, C-Tick Class B, VCCI Class B Safety: CSA International, CE EN60950-1 MTBF (Mean Time Between Failures) ZyWALL 70: 40.9 years
  • Page 717 Table 266 Firmware Features (continued) Anti-Virus/IDP (Intrusion Detection and Prevention) Accelerated by a ZyWALL Turbo Card Kaspersky anti-virus signatures Virus, worm, trojan, backdoor, buffer overflow and port scan protection P2P, IM, web attack protection Automatic scheduled signature updates Real-time attack alerts and logs Anti-Spam Spam, Phishing detection...
  • Page 718: Table 267 Feature Specifications

    Table 266 Firmware Features (continued) Other Protocol Support PPP (Point-to-Point Protocol) link layer protocol. Transparent bridging for unsupported network layer protocols. DHCP Server/Client/Relay RIP I/RIP II ICMP SNMP v1 and v2c with MIB II support (RFC 1213) IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP...
  • Page 719: Table 268 Compatible ZyXEL WLAN Cards and Security Features

    Table 267 Feature Specifications (continued) MODEL # FEATURE Number of Concurrent E-mail Sessions with Anti-Spam Enabled Number of Anti-Spam Whitelist and Blacklist Entries 12,288 Kb 6,144 Kb 3,072 Kb Individual entries may vary in size. The total number you can configure...
  • Page 720: Figure 453 WLAN Card Installation

    Note: Only certain ZyXEL wireless LAN cards are compatible with the ZyWALL. Do not force, bend or twist the wireless LAN card or ZyWALL Turbo Card. Figure 453 WLAN Card Installation Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment).
  • Page 721: Figure 455 Ethernet Cable Pin Assignments

    Table 269 Console/Dial Backup Port Pin Assignments CONSOLE Port RS – 232 (Female) DB-9F DIAL BACKUP RS – 232 (Male) DB-9M (Not on all models) Pin 1 = NON Pin 1 = NON Pin 2 = DCE-TXD Pin 2 = DTE-RXD Pin 3 = DCE-RXD Pin 3 = DTE-TXD...
  • Page 722 Appendix A Product Specifications...
  • Page 723: Hardware Installation

    APPENDIX Hardware Installation The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation. General Installation Instructions Read all the safety warnings in the beginning of this User's Guide before you begin and make sure you follow them.
  • Page 724: Figure 456 Attaching Rubber Feet

    Figure 456 Attaching Rubber Feet Note: Do not block the ventilation holes. Leave space between ZyWALLs when stacking. Rack-mounted Installation Requirements The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.
  • Page 725: Figure 457 Attaching Mounting Brackets and Screws

    Figure 457 Attaching Mounting Brackets and Screws 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws.
  • Page 726 Appendix B Hardware Installation...
  • Page 727: Removing and Installing a Fuse

    APPENDIX Removing and Installing a Fuse This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below. Note: If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the appendix on product specifications.
  • Page 728 Appendix C Removing and Installing a Fuse...
  • Page 729: Setting up Your Computer's IP Address

    APPENDIX Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 730: Figure 459 Windows 95/98/Me: Network: Configuration

    Figure 459 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 731: Figure 460 Windows 95/98/Me: TCP/IP Properties: IP Address

    4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2 Click the IP Address tab.
  • Page 732: Figure 461 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

    Figure 461 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add.
  • Page 733: Figure 462 Windows XP: Start Menu

    Figure 462 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 463 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. Appendix D Setting up Your Computer’s IP Address...
  • Page 734: Figure 464 Windows XP: Control Panel: Network Connections: Properties

    Figure 464 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 465 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 735: Figure 466 Windows XP: Internet Protocol (TCP/IP) Properties

    • Click Advanced. Figure 466 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 736: Figure 467 Windows XP: Advanced TCP/IP Properties

    Figure 467 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). •...
  • Page 737: Figure 468 Windows XP: Internet Protocol (TCP/IP) Properties

    Figure 468 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 738: Figure 469 Macintosh OS 8/9: Apple Menu

    Figure 469 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 470 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following:
  • Page 739: Figure 471 Macintosh OS X: Apple Menu

    • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Close the TCP/IP Control Panel.
  • Page 740: Figure 472 Macintosh OS X: Network

    Figure 472 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 741: Figure 473 Red Hat 9.0: KDE: Network Configuration: Devices

    Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 742: Figure 475 Red Hat 9.0: KDE: Network Configuration: DNS

    • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields. 3 Click OK to save the changes and close the Ethernet Device General screen. 4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen.
  • Page 743: Figure 477 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

    • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example. Figure 477 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp USERCTL=no PEERDNS=yes TYPE=Ethernet •...
  • Page 744: Figure 480 Red Hat 9.0: Restart Ethernet Card

    Figure 480 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: [OK] Shutting down loopback interface: [OK] Setting network parameters: [OK] Bringing up loopback interface: [OK] Bringing up interface eth0: [OK] Verifying Settings Enter...
  • Page 745: IP Addresses and Subnetting

    APPENDIX IP Addresses and Subnetting This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks. Introduction to IP Addresses An IP address has two parts: the network number and the host ID.
  • Page 746: Table 270 Classes of IP Addresses

    The following table shows the network number and host ID arrangement for classes A, B and C. Table 270 Classes of IP Addresses IP ADDRESS OCTET 1 OCTET 2 OCTET 3 OCTET 4 Class A Network number Host ID Host ID Host ID...
  • Page 747: Table 272 "Natural" Masks

    Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask has 32 bits. If a bit in the subnet mask is a “1” then the corresponding bit in the IP address is part of the network number.
  • Page 748: Table 274 Two Subnets Example

    Table 273 Alternative Subnet Mask Notation (continued) SUBNET MASK SUBNET MASK “1” BITS LAST OCTET BIT VALUE DECIMAL 255.255.255.240 1111 0000 255.255.255.248 1111 1000 255.255.255.252 1111 1100 The first mask shown is the class “C” natural mask. Normally if no mask is specified it is understood that the natural mask is being used.
  • Page 749: Table 275 Subnet 1

    Table 275 Subnet 1 (continued) IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE Subnet Address: 192.168.1.0 Lowest Host ID: 192.168.1.1 Highest Host ID: 192.168.1.126 Broadcast Address: 192.168.1.127 Table 276 Subnet 2 IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192.168.1.
  • Page 750: Table 278 Subnet 2

    Table 277 Subnet 1 (continued) IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE Subnet Address: 192.168.1.0 Lowest Host ID: 192.168.1.1 Highest Host ID: 192.168.1.62 Broadcast Address: 192.168.1.63 Table 278 Subnet 2 IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address...
  • Page 751: Table 281 Eight Subnets

    The following table shows class C IP address last octet values for each subnet. Table 281 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS The following table is a summary for class “C” subnet planning. Table 282 Class C Subnet Planning NO.
  • Page 752: Table 283 Class B Subnet Planning

    The following table is a summary for class “B” subnet planning. Table 283 Class B Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 255.255.128.0 (/17) 32766 255.255.192.0 (/18) 16382 255.255.224.0 (/19) 8190 255.255.240.0 (/20)
  • Page 753: Appendix F Common Services

    Appendix F Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. •...
  • Page 754 Table 284 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION HTTP Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS HTTPS is a secured http session often used in e-commerce. ICMP User-Defined Internet Control Message Protocol is often...
  • Page 755 Table 284 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION SFTP Simple File Transfer Protocol. SMTP Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
  • Page 756 Appendix F Common Services...
  • Page 757: Appendix G Wireless LANs

    APPENDIX Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C).
  • Page 758: Figure 483 Basic Service Set

    Figure 483 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 759: Figure 484 Infrastructure WLAN

    Figure 484 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference.
  • Page 760: Figure 485 RTS/CTS

    Figure 485 RTS/CTS When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 761: Table 285 IEEE802.11g

    A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
  • Page 762 IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: •...
  • Page 763: Figure 486 EAP Authentication

    • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: •...
  • Page 764: Types of Authentication

    3 The wireless station replies with identity information, including username and password. 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station. Types of Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.
  • Page 765 PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
  • Page 766: Figure 487 WEP Authentication Steps

    Figure 487 WEP Authentication Steps Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all as any station can gain access to the network.
  • Page 767: Table 286 Comparison of EAP Authentication Types

    If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled. Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption.
  • Page 768: Table 287 Wireless Security Relational Matrix

    The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations.
  • Page 769: Figure 488 Roaming Example

    Roaming A wireless station is a device with an IEEE 802.11 mode compliant wireless adapter. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point’s coverage area.
  • Page 770 3 Access point P2 acknowledges the presence of wireless station Y and relays this information to access point P1 through the wired LAN. 4 Access point P1 updates the new position of wireless station. 5 Wireless station Y sends a request to access point P2 for re-authentication. Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas.
  • Page 771: Windows 98 Se/Me Requirements For Anti-Virus Message Display

    ZyWALL 5/35/70 Series User’s Guide P P E N D I X Windows 98 SE/Me Requirements for Anti-Virus Message Display With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Miscrosoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.
  • Page 772: Figure 491 Windows 98 Se: Task Bar Properties

    ZyWALL 5/35/70 Series User’s Guide Figure 491 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. Figure 492 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
  • Page 773: Figure 493 Windows 98 SE: Startup: Create Shortcut

    Figure 493 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept the default and click Finish. Figure 494 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
  • Page 774: Figure 495 Windows 98 SE: Startup: Shortcut

    Figure 495 Windows 98 SE: Startup: Shortcut Note: The WinPopup window displays after the computer finishes the startup process (see Figure 489 on page 771).
  • Page 775: Appendix I VPN Setup

    Appendix I VPN Setup This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users. General Notes •...
  • Page 776: Figure 496 VPN Rules

    The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/Remote Starting IP Address settings with your own values.
  • Page 777: Figure 497 Headquarters Gateway Policy Edit

    Figure 497 Headquarters Gateway Policy Edit The IP address of the branch office IPSec router.
  • Page 778: Figure 498 Branch Office Gateway Policy Edit

    Figure 498 Branch Office Gateway Policy Edit The IP address of the headquarters IPSec router. 3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy.
  • Page 779: Figure 499 Headquarters VPN Rule

    Figure 499 Headquarters VPN Rule Figure 500 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply.
  • Page 780: Figure 501 Headquarters Network Policy Edit

    Figure 501 Headquarters Network Policy Edit Activate the network policy. IP addresses on different subnets.
  • Page 781: Figure 502 Branch Office Network Policy Edit

    Figure 502 Branch Office Network Policy Edit Activate the network policy. IP addresses on different subnets. Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
  • Page 782: Figure 503 VPN Rule Configured

    Figure 503 VPN Rule Configured The following screen displays. Figure 504 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel. Figure 505 VPN Tunnel Established
  • Page 783: VPN Troubleshooting

    VPN Troubleshooting If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly. VPN Log The system log can often help to identify a configuration problem.
  • Page 784: Figure 506 VPN Log Example

    Figure 506 VPN Log Example
    ras> sys log disp ike ipsec
    .time source destination notes message
    0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
    1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
    2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE...
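    The log lines above are pipe-delimited, which makes them easy to parse when you need to correlate both peers' logs during troubleshooting. The following Python is an added example, not code from the ZyXEL guide: it parses the Figure 506 layout, groups messages by VPN rule name and extracts the IKE cookie pair; the third sample line is constructed to stand in for the entry the page truncates.

```python
"""Parser for the ZyWALL 'sys log disp ike ipsec' output shown in Figure 506.
Added example, not code from the ZyXEL guide. The first two SAMPLE_LOG lines are
copied from the figure; the third is a constructed stand-in for the truncated entry."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Layout seen in Figure 506: index|MM/DD/YYYY HH:MM:SS |source |destination |CATEGORY message
_LINE_RE = re.compile(
    r"^(?P<idx>\d+)\|(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>[^|\s]+) \|(?P<dst>[^|\s]+) \|(?P<cat>\S+)(?: (?P<msg>.*))?$"
)
_RULE_RE = re.compile(r"^Rule \[(?P<rule>[^\]]+)\] (?P<text>.+)$")
_COOKIE_RE = re.compile(r"cookie pair is : (0x[0-9A-Fa-f]+) / (0x[0-9A-Fa-f]+)")

SAMPLE_LOG = """\
ras> sys log disp ike ipsec
.time source destination notes message
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:31 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-2] constructed sample line, not from the guide
"""


@dataclass(frozen=True)
class LogEntry:
    index: int
    time: datetime
    source: str
    destination: str
    category: str  # "IKE" or "IPSec" for this log filter
    message: str


def parse_line(line: str) -> LogEntry | None:
    """Parse one data line; the prompt, the column header and blank lines yield None."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(
        index=int(m["idx"]),
        time=datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
        source=m["src"],
        destination=m["dst"],
        category=m["cat"],
        message=m["msg"] or "",
    )


def parse_log(text: str) -> list[LogEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def rule_events(entries: list[LogEntry]) -> dict[str, list[str]]:
    """Group 'Rule [name] ...' messages by VPN rule name, preserving log order."""
    events: dict[str, list[str]] = {}
    for e in entries:
        m = _RULE_RE.match(e.message)
        if m is not None:
            events.setdefault(m["rule"], []).append(m["text"])
    return events


def cookie_pairs(entries: list[LogEntry]) -> list[tuple[str, str]]:
    """IKE cookie pairs identify an exchange; use them to match this log against the peer's."""
    found = (_COOKIE_RE.search(e.message) for e in entries)
    return [(m.group(1), m.group(2)) for m in found if m is not None]
```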
  • Page 785: Figure 507 IKE/IPSec Debug Example

    IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, you may wish to examine the IPSec debug feature (Menu 24.8), which is intended for advanced users. Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
  • Page 786: Use A Vpn Tunnel

    Use a VPN Tunnel A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email.
  • Page 787: Importing Certificates

    Appendix J Importing Certificates This appendix shows certificate import examples using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
  • Page 788: Figure 509 Login Screen

    Figure 509 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 510 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
  • Page 789: Figure 511 Certificate Import Wizard 1

    Figure 511 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 512 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
  • Page 790: Figure 513 Certificate Import Wizard 3

    Figure 513 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 514 Root Certificate Store
  • Page 791: Figure 515 Certificate General Information After Import

    Figure 515 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 792: Figure 516 ZyWALL Trusted CA Screen

    Figure 516 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 793: Figure 517 CA Certificate Example

    Figure 517 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 794: Figure 518 Personal Certificate Import Wizard 1

    Figure 518 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 519 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
  • Page 795: Figure 520 Personal Certificate Import Wizard 3

    Figure 520 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 521 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process.
  • Page 796: Figure 522 Personal Certificate Import Wizard 5

    Figure 522 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 523 Personal Certificate Import Wizard 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS.
  • Page 797: Figure 525 SSL Client Authentication

    Figure 525 SSL Client Authentication 3 You next see the ZyWALL login screen. Figure 526 ZyWALL Secure Login Screen
  • Page 799: Appendix K Command Interpreter

    Appendix K Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode.
  • Page 800: Figure 527 Displaying Log Categories Example

    Figure 527 Displaying Log Categories Example
    ras> sys logs category
    8021x access attack display error icmp ipsec javablocked mten packetfilter remote tcpreset traffic upnp urlblocked urlforward wireless
    3 Use sys logs category followed by a log category to display the parameters that are available for the category.
  • Page 801: Log Command Example

    Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
    ras> sys logs load
    ras> sys logs category access 3
    ras> sys logs save
    ras>...
  • Page 802: Figure 529 Routing Command Example

    Figure 529 Routing Command Example
    ras> ip nat routing 2 1
    Routing can work in NAT when no NAT rule match.
    -----------------------------------------------
    LAN: no
    DMZ: yes
    WLAN: yes
    ARP Behavior and the ARP ackGratuitous Commands The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request.
  • Page 803: Figure 530 Backup Gateway

    A backup gateway (as in the following graphic) is an example of when you might want to turn on the forced update for gratuitous ARP requests. One day gateway A shuts down and the backup gateway (B) comes online using the same static IP address as gateway A. Gateway B broadcasts a gratuitous ARP request to ask which host is using its IP address.
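    The two ARP behaviours described above (unsolicited ARP replies are ignored; a gratuitous ARP request overwrites an existing entry only when forced update is on) are modelled in the following Python, which then walks through the backup gateway scenario of Figure 530. This is an added example, not ZyXEL code; the packet fields, the forced-update flag name and the addresses are assumptions made for illustration.

```python
"""Model of the ZyWALL ARP rules described above: unsolicited ARP replies are
ignored, and a gratuitous ARP request overwrites an existing entry only when
forced update is on. Added example, not ZyXEL code; packet fields, the flag
name and the addresses are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous ARP request announces the sender's own IP address.
        return self.op == "request" and self.sender_ip == self.target_ip


@dataclass
class ArpCache:
    forced_gratuitous_update: bool = False  # models the ackGratuitous forced-update setting
    table: dict[str, str] = field(default_factory=dict)  # ip -> mac
    pending: set[str] = field(default_factory=set)       # IPs we have sent requests for
    dropped: list[str] = field(default_factory=list)     # audit trail of ignored packets

    def request(self, ip: str) -> None:
        """Record an outgoing ARP request so that the matching reply is accepted."""
        self.pending.add(ip)

    def receive(self, pkt: ArpPacket) -> bool:
        """Apply one inbound ARP packet to the cache; True if an entry was written."""
        if pkt.op == "reply":
            if pkt.sender_ip not in self.pending:
                # No corresponding request was sent: ignore it, as the guide describes.
                self.dropped.append(f"unsolicited reply {pkt.sender_ip} is-at {pkt.sender_mac}")
                return False
            self.pending.discard(pkt.sender_ip)
            self.table[pkt.sender_ip] = pkt.sender_mac
            return True
        if pkt.is_gratuitous and pkt.sender_ip in self.table:
            if self.forced_gratuitous_update:
                self.table[pkt.sender_ip] = pkt.sender_mac
                return True
            self.dropped.append(f"gratuitous ARP {pkt.sender_ip} is-at {pkt.sender_mac} (forced update off)")
            return False
        # Ordinary requests, and gratuitous ARP for IPs not in the table, learn nothing in this model.
        return False


def backup_gateway_scenario(forced_update: bool) -> str:
    """Figure 530 walk-through; returns the MAC the cache holds for the gateway IP at the end."""
    gw_ip = "192.0.2.1"  # constructed addresses from the RFC 5737 documentation range
    cache = ArpCache(forced_gratuitous_update=forced_update)
    cache.request(gw_ip)
    cache.receive(ArpPacket("reply", gw_ip, "02:00:00:00:00:0a", "192.0.2.100"))  # gateway A answers
    # Gateway A goes down; backup gateway B takes the same IP and announces itself.
    cache.receive(ArpPacket("request", gw_ip, "02:00:00:00:00:0b", gw_ip))
    return cache.table[gw_ip]
```

    With forced update off the cache keeps pointing at the dead gateway A; with it on, the entry follows gateway B.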
  • Page 804: Figure 531 Managing the Bandwidth of an IPSec SA

    Figure 531 Managing the Bandwidth of an IPSec SA Use this command to set the ZyWALL to use the outer source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. These are the IP addresses of the ZyWALL and the remote IPSec router.
  • Page 805: Figure 533 Routing Command Example

    Setting the Key Length for Phase 2 IPSec AES Encryption
    Syntax: ipsec ipsecConfig encryKeyLen <0:128 | 1:192 | 2:256>
    By default the ZyWALL uses a 128 bit AES encryption key for phase 2 IPSec tunnels. Use this command to edit an existing VPN rule to use a longer AES encryption key.
  • Page 807: Appendix L Firewall Commands

    Appendix L Firewall Commands The following describes the firewall commands. See Appendix K on page 799 for information on the command structure.
    Table 288 Firewall Commands
    FUNCTION | COMMAND | DESCRIPTION
    Firewall Set-Up | | This command turns the firewall on or off.
  • Page 808

    Table 288 Firewall Commands (continued)
    FUNCTION | COMMAND | DESCRIPTION
    E-mail | config edit firewall e-mail mail-server <ip address of mail server> | This command sets the IP address to which the e-mail messages are sent.
    E-mail | config edit firewall e-mail ... | This command sets the source e-mail address of the firewall e-mails.
  • Page 809

    Table 288 Firewall Commands (continued)
    FUNCTION | COMMAND | DESCRIPTION
     | config edit firewall attack minute-high <0-255> | This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
  • Page 810

    Table 288 Firewall Commands (continued)
    FUNCTION | COMMAND | DESCRIPTION
     | config edit firewall set <set #> tcp-idle-timeout <seconds> | This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed.
     | config edit firewall set <set #> ... | This command sets whether or not the ZyWALL creates logs for packets that match...
  • Page 811

    Table 288 Firewall Commands (continued)
    FUNCTION | COMMAND | DESCRIPTION
     | config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> ... | This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet...
  • Page 813: NetBIOS Filter Commands

    Appendix M NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See Appendix K on page 799 for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 814: Table 289 NetBIOS Filter Default Settings

    The filter types and their default settings are as follows.
    Table 289 NetBIOS Filter Default Settings
    NAME | DESCRIPTION | EXAMPLE
    Between LAN and WAN | This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. | Block
    Between LAN and ... | This field displays whether NetBIOS packets are blocked or forwarded ... | Block...
  • Page 815

    sys filter netbios config 3 on | This command blocks IPSec NetBIOS packets.
    sys filter netbios config 4 off | This command stops NetBIOS commands from initiating calls.
  • Page 817: Certificates Commands

    Appendix N Certificates Commands The following describes the certificate commands. See Appendix K on page 799 for information on the command structure. All of these commands start with “certificates”.
    Table 290 Certificates Commands
    COMMAND | DESCRIPTION
    my_cert...
  • Page 818

    Table 290 Certificates Commands (continued)
    COMMAND | DESCRIPTION
    create cmp_enroll <name> <CA addr> <CA cert>... | Create a certificate request and enroll for a certificate immediately online using CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies...
  • Page 819

    Table 290 Certificates Commands (continued)
    COMMAND | DESCRIPTION
    replace_fact | Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
    ca_trusted | Import the PEM-encoded certificate from stdin.
  • Page 820

    Table 290 Certificates Commands (continued)
    COMMAND | DESCRIPTION
    delete <name> | Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted.
    list | List all trusted remote host certificate names and basic information.
  • Page 821: Brute-Force Password Guessing Protection

    Appendix O Brute-Force Password Guessing Protection Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
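    The rule above (three incorrect passwords, then a wait-time that must expire before a fourth attempt is accepted) is modelled in the following Python, including the case where the protection is disabled. It is an added example, not ZyXEL code; the wait-time value, the return codes and the event log are choices of this example.

```python
"""Model of the brute-force password guessing protection described above: after
three incorrect passwords, a wait-time must expire before a fourth attempt is
even checked. Added example, not ZyXEL code; the wait-time value, the return
codes and the event log are choices of this example."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3  # the guide's "three incorrect passwords"


@dataclass
class BruteForceGuard:
    expected_password: str      # a production system would compare against a password hash instead
    wait_time: float = 60.0     # seconds; configurable on the device, the value here is an assumption
    enabled: bool = True        # the protection can be enabled or disabled per the guide's commands
    failures: int = 0
    locked_until: float | None = None
    events: list[str] = field(default_factory=list)

    def attempt(self, password: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds); returns 'ok', 'bad' or 'wait'."""
        if self.enabled and self.locked_until is not None:
            if now < self.locked_until:
                # A fourth (or later) attempt inside the wait-time is refused without being checked.
                self.events.append(f"t={now:g}: refused, {self.locked_until - now:g}s of wait-time left")
                return "wait"
            self.locked_until = None
            self.failures = 0
        # compare_digest keeps the comparison time independent of where the strings differ.
        if hmac.compare_digest(password.encode(), self.expected_password.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.events.append(f"t={now:g}: incorrect password ({self.failures}/{MAX_FAILURES})")
        if self.enabled and self.failures >= MAX_FAILURES:
            self.locked_until = now + self.wait_time
            self.events.append(f"t={now:g}: wait-time of {self.wait_time:g}s started")
        return "bad"
```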
  • Page 823: Appendix P Boot Commands

    Appendix P Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 824: Figure 535 Boot Module Commands

    Figure 535 Boot Module Commands
    AT           just answer OK
    ATHE         print help
    ATBAx        change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y)    set BootExtension Debug Flag (y=password)
    ATSE         show the seed of password generator
    ATTI(h,m,s)  change system time to hour:min:sec or show current time
    ATDA(y,m,d)  change system date to year/month/day or show...
  • Page 825: Index

This manual is also suitable for: ZyWALL 70 series, ZyWALL 35 series.