ZyWALL 5/35/70 Series User’s Guide

Certifications
Federal Communications Commission (FCC) Interference Statement
The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.

Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• ...
This product is recyclable. Dispose of it properly.

ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever...

Customer Support
• Brief description of the problem and the steps you took to solve it.

CORPORATE HEADQUARTERS (WORLDWIDE)
Support e-mail: support@zyxel.com.tw
Sales e-mail: sales@zyxel.com.tw
Telephone: +886-3-578-3942, +886-3-578-2439
Web site: www.zyxel.com, www.europe.zyxel.com
FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
Regular mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

NORWAY
Support e-mail: support@zyxel.no
Sales e-mail: sales@zyxel.no
Telephone: +47-22-80-61-80, +47-22-80-61-81
Web site: www.zyxel.no
Regular mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

Support e-mail: info@pl.zyxel.com
Telephone: +48 (22) 333 8250
Web site: www.pl.zyxel.com
Regular mail: ZyXEL Communications, ul. Okrzei 1A...
Table of Contents
Copyright ... 3
Certifications ... 4
Safety Warnings ... 5
ZyXEL Limited Warranty ... 7
Customer Support ... 8
Table of Contents ... 11
List of Figures ... 31
List of Tables ... 45
Preface ...
...
2.4.5 Navigation Panel ... 78
2.4.6 Port Statistics ... 83
2.4.7 Show Statistics: Line Chart ... 84
2.4.8 DHCP Table Screen ... 85
2.4.9 VPN Status ... 86
2.4.10 Bandwidth Monitor ... 87
Chapter 3 Wizard Setup ... 89
3.1 Wizard Setup Overview ... 89
3.2 Internet Access ... 90
3.2.1 ISP Parameters ... 90
3.2.1.1 Ethernet ... 90
...
Chapter 6 LAN Screens ... 129
6.1 LAN, WAN and the ZyWALL ... 129
6.2 IP Address and Subnet Mask ... 129
6.2.1 Private IP Addresses ... 130
6.3 DHCP ... 131
6.3.1 IP Pool Setup ... 131
6.4 RIP Setup ... 131
6.5 Multicast ... 131
6.6 WINS ... 132
6.7 LAN ... 132
...
8.8 WAN Route ... 157
8.9 WAN IP Address Assignment ... 159
8.10 DNS Server Address Assignment ... 159
8.11 WAN MAC Address ... 160
8.12 WAN ... 160
8.12.1 WAN Ethernet Encapsulation ... 160
8.12.2 PPPoE Encapsulation ... 163
8.12.3 PPTP Encapsulation ... 166
8.13 Traffic Redirect ... 170
8.14 Configuring Traffic Redirect ... 170
...
10.9.1 Introduction to RADIUS ... 200
10.9.1.1 Types of RADIUS Messages ... 200
10.9.2 EAP Authentication Overview ... 201
10.10 Dynamic WEP Key Exchange ... 202
10.11 Introduction to WPA ... 202
10.11.1 User Authentication ... 202
10.11.2 Encryption ... 202
10.12 WPA-PSK Application Example ... 203
10.13 Introduction to RADIUS ... 204
10.14 WPA with RADIUS Application Example ... 204
10.15 Wireless Client WPA Supplicants ... 205
...
11.13.1 Firewall Edit Custom Service ... 245
11.14 My Service Firewall Rule Example ... 246
Chapter 12 Intrusion Detection and Prevention (IDP) ... 251
12.1 Introduction to IDP ... 251
12.1.1 Firewalls and Intrusions ... 251
12.1.2 IDS and IDP ... 252
12.1.3 Host IDP ... 252
12.1.4 Network IDP ... 252
12.1.5 Example Intrusions ... 253
...
14.2.2 Notes About the ZyWALL Anti-Virus ... 273
14.3 General Anti-Virus Setup ... 274
14.4 Signature Searching ... 276
14.4.1 Signature Search Example ... 278
14.5 Signature Update ... 281
14.5.1 mySecurityZone ... 281
14.5.2 Configuring Anti-virus Update ... 281
14.6 Backup and Restore ... 283
Chapter 15 Anti-Spam ...
Chapter 17 Content Filtering Reports ... 315
17.1 Checking Content Filtering Activation ... 315
17.2 Viewing Content Filtering Reports ... 315
17.3 Web Site Submission ... 320
Chapter 18 IPSec VPN ... 323
18.1 IPSec VPN Overview ... 323
18.1.1 IKE SA Overview ... 324
18.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router ... 324
18.2 VPN Rules (IKE) ... 325
...
18.16.1 Hub-and-spoke VPN Example ... 360
18.16.2 Hub-and-spoke Example VPN Rule Addresses ... 360
18.16.3 Hub-and-spoke VPN Requirements and Suggestions ... 361
Chapter 19 Certificates ... 363
19.1 Certificates Overview ... 363
19.1.1 Advantages of Certificates ... 364
19.2 Self-signed Certificates ... 364
19.3 Verifying a Certificate ... 364
19.3.1 Checking the Fingerprint of a Certificate on Your Computer ... 364
19.4 Configuration Summary ... 365
...
21.1.5 Port Restricted Cone NAT ... 398
21.1.6 NAT Mapping Types ... 398
21.2 Using NAT ... 399
21.2.1 SUA (Single User Account) Versus NAT ... 399
21.3 NAT Overview Screen ... 400
21.4 NAT Address Mapping ... 401
21.4.1 NAT Address Mapping Edit ... 403
21.5 Port Forwarding ... 404
21.5.1 Default Server IP Address ... 405
21.5.2 Port Forwarding: Services and Port Numbers ... 405
...
24.7.5 Maximize Bandwidth Usage Example ... 426
24.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth ... 427
24.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth ...
24.8 Bandwidth Borrowing ... 428
24.8.1 Bandwidth Borrowing Example ... 428
24.9 Maximize Bandwidth Usage With Bandwidth Borrowing ... 429
24.10 Over Allotment of Bandwidth ... 429
24.11 Configuring Summary ... 430
24.12 Configuring Class Setup ...
26.4.2 Netscape Navigator Warning Messages ... 456
26.4.3 Avoiding the Browser Warning Messages ... 457
26.4.4 Login Screen ... 457
26.5 SSH ... 460
26.6 How SSH Works ... 460
26.7 SSH Implementation on the ZyWALL ... 461
26.7.1 Requirements for Using SSH ... 462
26.8 Configuring SSH ... 462
26.9 Secure Telnet Using SSH Examples ... 463
26.9.1 Example 1: Microsoft Windows ... 463
...
31.5.2 Time Server Synchronization ... 536
31.6 Introduction To Transparent Bridging ... 537
31.7 Transparent Firewalls ... 538
31.8 Configuring Device Mode (Router) ... 539
31.9 Configuring Device Mode (Bridge) ... 540
31.10 F/W Upload Screen ... 542
31.11 Backup and Restore ... 544
31.11.1 Backup Configuration ... 544
31.11.2 Restore Configuration ... 545
31.11.3 Back to Factory Defaults ... 546
...
Chapter 35 LAN Setup ... 575
35.1 Introduction to LAN Setup ... 575
35.2 Accessing the LAN Menus ... 575
35.3 LAN Port Filter Setup ... 575
35.4 TCP/IP and DHCP Ethernet Setup Menu ... 576
35.4.1 IP Alias Setup ... 579
Chapter 36 Internet Access ...
...
44.2 Configuring a Filter Set ... 636
44.2.1 Configuring a Filter Rule ... 637
44.2.2 Configuring a TCP/IP Filter Rule ... 638
44.2.3 Configuring a Generic Filter Rule ... 640
44.3 Example Filter ... 642
44.4 Filter Types and NAT ... 644
44.5 Firewall Versus Filters ... 644
44.5.1 Packet Filtering ... 645
44.5.1.1 When To Use Filtering ... 645
...
47.3.4 GUI-based FTP Clients ... 666
47.3.5 File Maintenance Over WAN ... 666
47.3.6 Backup Configuration Using TFTP ... 667
47.3.7 TFTP Command Example ... 667
47.3.8 GUI-based TFTP Clients ... 668
47.3.9 Backup Via Console Port ... 668
47.4 Restore Configuration ... 669
47.4.1 Restore Using FTP ... 669
47.4.2 Restore Using FTP Session Example ... 671
47.4.3 Restore Via Console Port ... 671
...
50.3 IP Policy Routing Example ... 695
Chapter 51 Call Scheduling ... 699
51.1 Introduction to Call Scheduling ... 699
Chapter 52 Troubleshooting ... 703
52.1 Problems Starting Up the ZyWALL ... 703
52.2 Problems with the LAN Interface ... 703
52.3 Problems with the DMZ Interface ... 704
52.4 Problems with the WAN Interface ... 704
52.5 Problems Accessing the ZyWALL ... 705
...
Importing Certificates ... 787
Appendix K Command Interpreter ... 799
Appendix L Firewall Commands ... 807
Appendix M NetBIOS Filter Commands ... 813
Appendix N Certificates Commands ... 817
Appendix O Brute-Force Password Guessing Protection ... 821
Appendix P Boot Commands ...
Figure 81 DMZ Public Address Example ... 186
Figure 82 DMZ Private and Public Address Example ... 187
Figure 83 NETWORK > DMZ > Port Roles ... 188
Figure 84 NETWORK > WLAN ... 190
Figure 85 NETWORK > ...
...
Figure 123 Firewall Edit Custom Service ... 245
Figure 124 My Service Firewall Rule Example: Service ... 246
Figure 125 My Service Firewall Rule Example: Edit Custom Service ... 247
Figure 126 My Service Firewall Rule Example: Rule Summary ... 247
Figure 127 My Service Firewall Rule Example: Rule Edit ...
...
Figure 166 Requested URLs Example ... 320
Figure 167 Web Page Review Process Screen ... 321
Figure 168 VPN: Example ... 323
Figure 169 VPN: IKE SA and IPSec SA ... 324
Figure 170 Gateway and Network Policies ... 325
Figure 171 IPSec Fields Summary ...
...
Figure 209 SECURITY > AUTH SERVER > RADIUS ... 393
Figure 210 How NAT Works ... 396
Figure 211 NAT Application With IP Alias ... 397
Figure 212 Port Restricted Cone NAT Example ... 398
Figure 213 ADVANCED > ...
...
Figure 252 SSH Example 1: Store Host Key ... 463
Figure 253 SSH Example 2: Test ... 464
Figure 254 SSH Example 2: Log in ... 464
Figure 255 Secure FTP: Firmware Upload Example ... 465
Figure 256 Telnet Configuration on a TCP/IP Network ...
Figure 294 MAINTENANCE > Device Mode (Bridge Mode) ... 541
Figure 295 MAINTENANCE > Firmware Upload ... 542
Figure 296 Firmware Upload In Process ... 543
Figure 297 Network Temporarily Disconnected ...
...
Figure 336 Menu 6: Route Setup ... 589
Figure 337 Menu 6.1: Route Assessment ... 589
Figure 338 Menu 6.2: Traffic Redirect ... 590
Figure 339 Menu 6.3: Route Failover ... 591
Figure 340 Menu 7.1: Wireless Setup ... 593
Figure 341 Menu 7.1.1: WLAN MAC Address Filter ...
...
Figure 378 Example 4: Menu 15.1.1: Address Mapping Rules ... 628
Figure 379 Menu 15.3.1: Trigger Port Setup ... 629
Figure 380 Menu 21: Filter and Firewall Setup ... 631
Figure 381 Menu 21.2: Firewall Setup ... 632
Figure 382 Outgoing Packet Filtering Process ...
...
Figure 421 Telnet Into Menu 24.7.2: System Maintenance ... 673
Figure 422 FTP Session Example of Firmware File Upload ... 674
Figure 423 Menu 24.7.1 As Seen Using the Console Port ... 676
Figure 424 Example Xmodem Upload ... 676
Figure 425 Menu 24.7.2 As Seen Using the Console Port ...
...
Figure 464 Windows XP: Control Panel: Network Connections: Properties ... 734
Figure 465 Windows XP: Local Area Connection Properties ... 734
Figure 466 Windows XP: Internet Protocol (TCP/IP) Properties ... 735
Figure 467 Windows XP: Advanced TCP/IP Properties ... 736
Figure 468 Windows XP: Internet Protocol (TCP/IP) Properties ...
Figure 507 IKE/IPSec Debug Example ... 785
Figure 508 Security Certificate ... 787
Figure 509 Login Screen ... 788
Figure 510 Certificate General Information before Import ... 788
Figure 511 Certificate Import Wizard 1 ... 789
Figure 512 Certificate Import Wizard 2 ...

List of Tables
Table 1 ZyWALL Model Specific Features ... 55
Table 2 Front Panel Lights ... 64
Table 3 Title Bar: Web Configurator Icons ... 70
Table 4 Web Configurator HOME Screen in Router Mode ... 71
Table 5 Web Configurator HOME Screen in Bridge Mode ...
...
Table 39 Example of Network Properties for LAN Servers with Fixed IP Addresses ... 160
Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) ... 161
Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) ... 165
Table 42 NETWORK > ...
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font.
Chapter 1 Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL.
ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), anti-virus and certificates.
Table 1 ZyWALL Model Specific Features
MODEL # / FEATURE
Changing Port Roles between the LAN and DMZ
Policy Route
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. They allow data transfers of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
SIP Passthrough
The ZyWALL includes a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream.
STP (Spanning Tree Protocol) / RSTP (Rapid STP)
When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers.
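The following is an added illustration of what "examining and translating IP addresses embedded in the data stream" means for SIP; it is example code written for this page, not the ZyWALL's ALG, and the addresses, the INVITE text and the port-allocation scheme are constructed assumptions. A plain NAT rewrites only the IP header, so the SDP body would still advertise the phone's private address and the far end would send RTP to an unreachable destination. The model below rewrites the Via/Contact headers and the SDP o=/c=/m= lines, and records the pinholes the firewall must open for the returning media.

```python
import re
from typing import Dict, Tuple

# Constructed sample (hypothetical addresses, not from the original guide):
# a SIP INVITE from a LAN phone at 192.168.1.20 behind a NAT whose WAN
# address is 203.0.113.5. The SDP body advertises the phone's private
# address and RTP port, which is exactly what an ALG has to rewrite.
PRIVATE_IP = "192.168.1.20"
PUBLIC_IP = "203.0.113.5"

SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


class SipAlg:
    """Minimal model of a SIP ALG: rewrite the private address embedded in
    SIP headers and SDP, allocate a public RTP port for each m= line, and
    record the pinholes the firewall must open so the media can come back."""

    def __init__(self, private_ip: str, public_ip: str, first_public_port: int = 30000) -> None:
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.next_port = first_public_port
        # (public ip, public port) -> (private ip, private port)
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate_media_port(self, private_port: int) -> int:
        """Map an RTP port and its RTCP companion (port + 1) to public ports."""
        public_port = self.next_port
        self.next_port += 2
        self.pinholes[(self.public_ip, public_port)] = (self.private_ip, private_port)
        self.pinholes[(self.public_ip, public_port + 1)] = (self.private_ip, private_port + 1)
        return public_port

    def translate_outbound(self, message: str) -> str:
        head, sep, body = message.partition("\r\n\r\n")
        # Via and Contact carry the signalling address the peer will reply to.
        head = head.replace(self.private_ip, self.public_ip)
        rewritten = []
        for line in body.split("\r\n"):
            if line.startswith(("o=", "c=")):
                # Origin and connection lines carry the media address.
                line = line.replace(self.private_ip, self.public_ip)
            match = re.match(r"m=(\w+) (\d+) (.*)$", line)
            if match:
                public_port = self._allocate_media_port(int(match.group(2)))
                line = f"m={match.group(1)} {public_port} {match.group(3)}"
            rewritten.append(line)
        return head + sep + "\r\n".join(rewritten)


def translate_sample() -> Tuple[str, Dict[Tuple[str, int], Tuple[str, int]]]:
    """Run the ALG over the constructed INVITE; returns (rewritten message, pinholes)."""
    alg = SipAlg(PRIVATE_IP, PUBLIC_IP)
    return alg.translate_outbound(SAMPLE_INVITE), alg.pinholes


if __name__ == "__main__":
    out, holes = translate_sample()
    print(out)
    for pub, priv in sorted(holes.items()):
        print(f"pinhole {pub[0]}:{pub[1]} -> {priv[0]}:{priv[1]}")
```

The pinhole table is the security-relevant part: an ALG opens inbound UDP ports on demand, so each pinhole should be tied to the call that created it and closed when the dialog ends; a real implementation also has to handle the reverse direction (rewriting the public address back to the private one in replies).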
Firewall
The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
RADIUS (RFC2138, 2139)
The ZyWALL can work with a RADIUS (Remote Authentication Dial In User Service) server for user authentication, authorization and accounting.
IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.11 to enhance user authentication.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet.
Network Address Translation (NAT)
Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
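The Firewall and NAT paragraphs above describe two behaviours that in practice share one table: the translation of a private source address to the public one, and the stateful default deny that lets a WAN packet in only when a LAN host initiated the flow. The model below is an added example written for this page, not ZyWALL code; the addresses, the port range and the `lan_prefix` check are constructed assumptions. It is written so that the dropped cases (an unsolicited inbound connection, and a reply-shaped packet from a peer the LAN host never contacted) are visible in the returned results.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNat:
    """Single-public-address NAT (SUA style) with stateful default deny:
    LAN-initiated flows get a public source port; a WAN packet is accepted
    only if it is the reply to a flow a LAN host opened, from that same peer."""

    def __init__(self, public_ip: str, lan_prefix: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix      # assumption: LAN is identified by address prefix
        self.next_port = first_port
        # outbound 5-tuple -> public source port
        self.outbound: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, proto) -> (private ip, private port, peer ip, peer port)
        self.inbound: Dict[Tuple[int, str], Tuple[str, int, str, int]] = {}

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the other interface, or None if dropped."""
        if self._is_lan(pkt.src_ip) and not self._is_lan(pkt.dst_ip):
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if key not in self.outbound:
                # New LAN-initiated flow: allocate a public port and remember the peer.
                self.outbound[key] = self.next_port
                self.inbound[(self.next_port, pkt.proto)] = (
                    pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
                self.next_port += 1
            return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

        if not self._is_lan(pkt.src_ip) and pkt.dst_ip == self.public_ip:
            state = self.inbound.get((pkt.dst_port, pkt.proto))
            if state is None:
                return None  # default deny: no LAN host initiated this
            priv_ip, priv_port, peer_ip, peer_port = state
            if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
                return None  # stateful check: reply must come from the contacted peer
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)

        return None  # anything else (e.g. WAN traffic to a private address) is dropped


def run_sample() -> List[Optional[Packet]]:
    """Constructed traffic (documentation-range addresses, not from the guide)."""
    nat = StatefulNat(public_ip="203.0.113.5", lan_prefix="192.168.1.")
    traffic = [
        Packet("192.168.1.10", 51000, "198.51.100.7", 80),   # LAN host opens HTTP
        Packet("198.51.100.7", 80, "203.0.113.5", 40000),    # server reply
        Packet("198.51.100.99", 4444, "203.0.113.5", 22),    # unsolicited inbound SSH
        Packet("198.51.100.99", 80, "203.0.113.5", 40000),   # reply-shaped, wrong peer
    ]
    return [nat.forward(p) for p in traffic]


if __name__ == "__main__":
    for result in run_sample():
        print(result if result is not None else "dropped")
```

Two simplifications worth knowing about: the model has no timeouts, so entries never age out (a real device expires idle state so the public port range is not exhausted), and it does not model port forwarding, which is the one deliberate exception to the default deny and therefore the part of the configuration to review most carefully.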
Upgrade ZyWALL Firmware via LAN
The firmware of the ZyWALL can be upgraded via the LAN.
Embedded FTP and TFTP Servers
The ZyWALL’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.
Figure 2 VPN Application
1.3.3 Front Panel Lights
Figure 3 ZyWALL 70 Front Panel
Figure 4 ZyWALL 35 Front Panel
Figure 5 ZyWALL 5 Front Panel
The following table describes the lights.
Table 2 Front Panel Lights
COLOR / STATUS / DESCRIPTION ...
Table 2 Front Panel Lights (continued)
CARD (Green)
The wireless LAN is not ready, or has failed.
The wireless LAN is ready.
Flashing: The wireless LAN is sending or receiving packets.
LAN 10/100
The LAN/DMZ is not connected.
Chapter 2 Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.
2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser.
Figure 6 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
Figure 9 HOME Screen
As illustrated above, the main screen is divided into these parts:
• A - title bar
• B - navigation panel
• C - main window
• D - status bar
2.4.1 Title Bar
The title bar provides some icons in the upper right corner.
2.4.2 Main Window
The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > ...
Table 4 Web Configurator HOME Screen in Router Mode (continued)
System Name: This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Status: For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time.
Web Site Blocked: This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
Top 5 Intrusion & ...
You can use the firewall and VPN in bridge mode.
Figure 11 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.
Table 5 Web Configurator HOME Screen in Bridge Mode
Automatic ...
Table 5 Web Configurator HOME Screen in Bridge Mode (continued)
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
RSTP Active: This shows whether or not RSTP is active on the corresponding port.
RSTP Priority: This is the RSTP priority of the corresponding port.
RSTP Path Cost: This is the cost of transmitting a frame from the root bridge to the corresponding port.
System Status
Port Statistics: Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
VPN: Click VPN to display the active VPN connections.
Table 6 Bridge and Router Mode Features Comparison
FEATURE / BRIDGE MODE / ROUTER MODE
Remote Management
UPnP
Logs
Maintenance
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
Table 7 Screens Summary (continued)
General: This screen allows you to configure load balancing, route priority and traffic redirect properties.
Route: This screen allows you to configure route priority. (ZyWALL 5 only)
WAN (ZyWALL ...): Use this screen to configure the WAN port for internet access.
General: Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions.
Signature: Use these screens to view signatures by attack type or search for signatures by signature name, ID, severity, target operating system, action etc.
AUTH SERVER
Local User Database: Use this screen to configure the local user account(s) on the ZyWALL.
RADIUS: Configure this screen to use an external server to authenticate wireless and/or VPN users.
SYSTEM REPORTS
Reports: Use this screen to have the ZyWALL record and display network usage reports.
THREAT REPORTS: Use this screen to collect and display statistics on the intrusions that the ZyWALL has detected.
The following table describes the labels in this screen.
Table 8 HOME > Show Statistics
(icon): Click the icon to display the chart of throughput statistics.
Port: These are the ZyWALL’s interfaces.
Status: For the WAN and dial backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
Figure 13 HOME > Show Statistics > Line Chart
The following table describes the labels in this screen.
Table 9 HOME > Show Statistics > Line Chart
(icon): Click the icon to go back to the Show Statistics screen.
Port: Select the check box(es) to display the throughput statistics of the corresponding port(s).
Figure 14 HOME > DHCP Table
The following table describes the labels in this screen.
Table 10 HOME > DHCP Table
Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
Figure 15 HOME > VPN Status
The following table describes the labels in this screen.
Table 11 HOME > VPN Status
This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Figure 16 Home > Bandwidth Monitor
The following table describes the labels in this screen.
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the bandwidth class.
Chapter 3 Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.
3.1 Wizard Setup Overview
The web configurator's setup wizards help you configure Internet and VPN connection settings.
Figure 17 Wizard Setup Welcome
3.2 Internet Access
The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Figure 18 ISP Parameters: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters: Ethernet Encapsulation
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Table 12 ISP Parameters: Ethernet Encapsulation (continued)
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
Table 13 ISP Parameters: PPPoE Encapsulation (continued)
Service Name: Type the name of your service provider.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again for confirmation.
Note: The ZyWALL supports one PPTP server connection at any given time.
Figure 20 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 14 ISP Parameters: PPTP Encapsulation
ISP Parameters for Internet Access
Encapsulation ...
Table 14 ISP Parameters: PPTP Encapsulation (continued)
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Figure 21 Internet Access Wizard: Second Screen
Figure 22 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 21 on page 96), the following screen displays.
Figure 23 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 15 Internet Access Wizard: Registration
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
Figure 24 Internet Access Wizard: Registration in Progress
Click Close to leave the wizard screen when the registration and activation are done.
Figure 25 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 26 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Figure 27 Internet Access Wizard: Registered Device
Figure 28 Internet Access Wizard: Activated Services
3.3 VPN Wizard Gateway Setting
Click VPN SETUP in the Wizard Setup Welcome screen (Figure 17 on page 90) to open the VPN configuration wizard. The first screen displays as shown next.
Figure 29 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard: Gateway Setting
Table 16 VPN Wizard: Gateway Setting (continued)
• Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below, to identify the remote IPSec router by its IP address or a domain name.
Figure 30 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 17 VPN Wizard: Network Setting
• Network Policy Property
• Active: If the Active check box is selected, packets that match this policy trigger the ZyWALL to build the tunnel.
Table 17 VPN Wizard: Network Setting (continued)
• Remote Network IP: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses.
The following table describes the labels in this screen.
Table 18 VPN Wizard: IKE Tunnel Setting
• Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords (pre-shared keys). Aggressive Mode does not protect the identities exchanged in phase 1 and, with pre-shared keys, exposes a keyed hash of the pre-shared key to offline guessing; use it only where dynamic peer addresses leave no alternative, and then with a long random pre-shared key.
Figure 32 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 19 VPN Wizard: IPSec Setting
• Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet (including its original header) to transmit it securely. Tunnel mode is required for gateway services that provide access to internal systems.
Table 19 VPN Wizard: IPSec Setting (continued)
• Perfect Forward Secret (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in the phase 2 IPSec SA setup. This makes IPSec setup faster but less secure: without PFS the phase 2 keys are derived from the phase 1 keying material alone, so a compromise of that material exposes the data keys. Select DH1 or DH2 to enable PFS; DH2 is the stronger of the two groups.
Figure 33 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 20 VPN Wizard: VPN Status
• Gateway Policy Property
• Name: This is the name of this VPN gateway policy.
• Gateway Policy Setting
• My ZyWALL...
Table 20 VPN Wizard: VPN Status (continued)
• Name: This is the name of this VPN network policy.
• Network Policy Setting
• Local Network
• Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
• Ending IP Address/…: When the local network is configured for a single IP address, this field is N/A.
3.8 VPN Wizard Setup Complete
Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.
Figure 34 VPN Wizard Setup Complete
Chapter 4 Tutorial
This chapter describes how to apply security settings to VPN traffic.

4.1 Security Settings for VPN Traffic
The ZyWALL can apply the firewall, IDP, anti-virus, anti-spam and content filtering to the traffic going to or from the ZyWALL's VPN tunnels.
Figure 35 IDP for From VPN Traffic
Here is how you would configure this example.
1 Click SECURITY > IDP > General.
2 Select the To LAN column's first check box (the one with the interface label) to select all of the To LAN packet directions.
4.1.2 IDP for To VPN Traffic Example
You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can use IDP to protect the remote networks from intrusions that might otherwise reach them through your ZyWALL's VPN tunnels.
Figure 38 IDP Configuration for To VPN Traffic

4.2 Firewall Rule for VPN Example
The firewall provides even finer-grained control over VPN tunnels. You can configure default and custom firewall rules for VPN packets. Take the following example.
Figure 39 Firewall Rule for VPN

4.2.1 Configuring the VPN Rule
This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B.
1 Click Security >...
Figure 42 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example
4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers.
Figure 43 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy

4.2.2 Configuring the Firewall Rules
Suppose you have several VPN tunnels but you only want to allow device B's network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (such as chat, e-mail, web and so on).
4.2.2.1 Firewall Rule to Allow Access Example
Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Insert.
Figure 44 SECURITY >...
Figure 45 SECURITY > FIREWALL > Rule Summary > Edit: Allow
4 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 46 SECURITY > FIREWALL > Rule Summary: Allow

4.2.2.2 Default Firewall Rule to Block Other Access Example
Now configure the default firewall rule to block all VPN to LAN traffic. The custom rule above is matched first, so the FTP traffic from device B's network still gets through, while every other type of access from the VPN tunnels to the LAN FTP server is blocked.
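The following is an added example, not part of the ZyWALL guide: a small model of the VPN to LAN firewall logic that Sections 4.2.2.1 and 4.2.2.2 build in the web configurator. One custom rule permits FTP (TCP port 21) from device B's network to the FTP server, and the direction's default rule blocks everything else. The addresses, the "first matching rule wins, default rule applies last" semantics and the rule fields are assumptions made for illustration; the ZyWALL's own rule matching is not described in this detail on the page.

```python
"""Added example (not from the ZyWALL guide): VPN-to-LAN firewall rules
as in Section 4.2.2 -- one custom permit rule for FTP from device B's
network to the FTP server, then the default rule that blocks the rest.
Addresses and matching semantics are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # packet direction as the ZyWALL names it, e.g. "VPN to LAN"
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: Optional[str]    # None matches any protocol
    dport: Optional[int]    # None matches any destination port
    action: str             # "permit" or "block"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ipaddress.ip_address(p.src) in self.src_net
                and ipaddress.ip_address(p.dst) in self.dst_net
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


def evaluate(rules: List[Rule], default_action: Dict[str, str], p: Packet) -> str:
    """First matching custom rule wins; otherwise the direction's default
    rule (Section 4.2.2.2) decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default_action[p.direction]


# Constructed addressing: device B's LAN and the FTP server behind device A.
NET_B = ipaddress.ip_network("192.168.2.0/24")
FTP_SERVER = ipaddress.ip_network("192.168.1.33/32")

RULES = [
    # 4.2.2.1: allow the FTP control channel from B's network to the FTP server
    Rule("VPN to LAN", NET_B, FTP_SERVER, "tcp", 21, "permit"),
]
# 4.2.2.2: the default rule for the direction blocks everything else
DEFAULT = {"VPN to LAN": "block"}


def decide(p: Packet) -> str:
    return evaluate(RULES, DEFAULT, p)


if __name__ == "__main__":
    for pkt in (Packet("VPN to LAN", "192.168.2.10", "192.168.1.33", "tcp", 21),
                Packet("VPN to LAN", "192.168.2.10", "192.168.1.33", "tcp", 80),
                Packet("VPN to LAN", "10.9.9.5", "192.168.1.33", "tcp", 21)):
        print(pkt, "->", decide(pkt))
```

The model checks only the FTP control channel on TCP 21; a real FTP session also opens a separate data connection, which a stateful firewall admits through FTP inspection rather than through an extra static rule. The order matters: the default block rule is consulted last, which is why the tutorial inserts the permit rule first and then tightens the default.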
Chapter 5 Registration

5.1 myZyXEL.com Overview
myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage the subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.
You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service. You can also check for new signature or virus updates at http://mysecurity.zyxel.com. See the chapters about content filtering, anti-virus, anti-spam and IDP for more information.
Note: To update the signature file or use a subscription service, you have to register and activate the corresponding service at myZyXEL.com (through the ZyWALL).
The following table describes the labels in this screen.
Table 21 REGISTRATION
• Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
• New myZyXEL.com account: If you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Figure 49 REGISTRATION: Registered Device

5.3 Service
After you activate a trial, you can also use the Service screen to register and enter your iCard's PIN number (license key). Click REGISTRATION > Service to open the screen shown next.
The following table describes the labels in this screen.
Table 22 REGISTRATION > Service
• Service Management
• Service: This field displays the service name available on the ZyWALL.
• Status: This field displays whether a service is activated (Active) or not (Inactive).
• Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard's PIN number (Standard).
Chapter 6 LAN Screens
This chapter describes how to configure LAN settings. It applies only when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single-user account and the ISP will assign you a dynamic IP address when the connection is established.
6.3 DHCP
The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways and other network information, such as the IP addresses of DNS servers, to the computers on your LAN. Alternatively, you can have the ZyWALL relay DHCP requests to another DHCP server.
IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Figure 52 NETWORK > LAN
The following table describes the labels in this screen.
Table 23 NETWORK > LAN
• LAN TCP/IP
• IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
Table 23 NETWORK > LAN (continued)
• RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
Table 23 NETWORK > LAN (continued)
• Allow between LAN and WAN2: Select this check box to forward NetBIOS packets from the LAN to WAN port 2 and from WAN port 2 to the LAN. If your firewall is enabled with the default policy set to block WAN port 2 to LAN traffic, you also need to enable the default WAN port 2 to LAN firewall rule that forwards NetBIOS traffic.
Figure 53 NETWORK > LAN > Static DHCP
The following table describes the labels in this screen.
Table 24 NETWORK > LAN > Static DHCP
• This is the index number of the Static IP table entry (row).
• MAC Address: Type the MAC address of a computer on your LAN.
The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
Figure 55 NETWORK > LAN > IP Alias
The following table describes the labels in this screen.
Table 25 NETWORK > LAN > IP Alias
• Enable IP Alias 1, …: Select the check box to configure another LAN network for the ZyWALL.
• IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
Table 25 NETWORK > LAN > IP Alias (continued)
• Apply: Click Apply to save your changes back to the ZyWALL.
• Reset: Click Reset to begin configuring this screen afresh.

6.10 LAN Port Roles
Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 can be part of the LAN, DMZ or WLAN interface.
Figure 56 NETWORK > LAN > Port Roles
The following table describes the labels in this screen.
Table 26 NETWORK > LAN > Port Roles
• LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the ZyWALL's LAN IP address and MAC address.
Chapter 7 Bridge Screens
This chapter describes how to configure bridge settings. It applies only when the ZyWALL is in bridge mode.

7.1 Bridge Loop
The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL.
7.2 Spanning Tree Protocol (STP)
STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one active path exists between any two stations on the network.

7.2.1 Rapid STP
The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...
STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed. Once a stable network topology has been established, all bridges listen for Hello BPDUs transmitted from the root bridge.
Figure 59 NETWORK > Bridge
The following table describes the labels in this screen.
Table 29 NETWORK > Bridge
• Bridge IP Address Setup
• IP Address: Type the IP address of your ZyWALL in dotted decimal notation.
• IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Table 29 NETWORK > Bridge (continued)
• Rapid Spanning Tree Protocol Setup
• Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL.
• Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. Bridge priority is used in determining the root bridge, root port and designated port; the bridge with the numerically lowest priority (and, on a tie, the lowest MAC address) becomes the root.
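As an added example that is not part of the ZyWALL guide, the following shows how the Bridge Priority value in Table 29 takes part in the spanning tree of Section 7.2: the root bridge is the one with the lowest (priority, MAC) identifier, and each other bridge then picks the port with the lowest path cost to that root, so a redundant link is left blocked rather than forming the loop described in Section 7.1. The bridges, MAC addresses and link speeds are constructed; the path costs are the IEEE 802.1D-2004 recommended values, and the multiple-of-4096 check is the 802.1t rule, not something the page says the ZyWALL enforces.

```python
"""Added example (not from the ZyWALL guide): root bridge election and
root-port selection as in IEEE 802.1D/802.1w, driven by the Bridge
Priority field of the NETWORK > Bridge screen.  Bridge records, MAC
addresses and link speeds below are constructed for illustration."""
import heapq
from typing import Dict, List, Optional, Tuple

STEP = 4096            # 802.1t: priority is a multiple of 4096 (assumed, not stated on the page)
MAX_PRIORITY = 61440   # upper bound shown in the NETWORK > Bridge screen
PATH_COST = {100: 200_000, 1000: 20_000}   # 802.1D-2004 recommended port path cost per Mbit/s


def validate_priority(priority: int) -> int:
    if not 0 <= priority <= MAX_PRIORITY or priority % STEP:
        raise ValueError(f"bridge priority must be a multiple of {STEP} in 0..{MAX_PRIORITY}")
    return priority


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """Comparable bridge identifier: priority first, then the MAC address
    as an integer.  Numerically lowest wins the election."""
    return (validate_priority(priority), int(mac.replace(":", ""), 16))


def elect_root(bridges: List[Tuple[str, int, str]]) -> str:
    """bridges: (name, priority, mac).  Returns the name of the root bridge."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


def root_path_costs(root: str, links: List[Tuple[str, str, int]]
                    ) -> Dict[str, Tuple[int, Optional[str]]]:
    """Shortest path cost from every bridge to the root over links
    (bridge_a, bridge_b, speed_mbps).  Returns {bridge: (cost, next_hop)};
    next_hop is the neighbour reached through that bridge's root port.
    Links not on any shortest path end up blocked by the protocol."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, speed in links:
        cost = PATH_COST[speed]
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best: Dict[str, Tuple[int, Optional[str]]] = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, c in adj.get(node, []):
            new_cost = cost + c
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, node)
                heapq.heappush(heap, (new_cost, nbr))
    return best


# Constructed topology: the ZyWALL in bridge mode plus two switches in a triangle.
BRIDGES = [("ZyWALL", 32768, "00:a0:c5:01:02:03"),
           ("SW1", 32768, "00:1b:21:aa:bb:cc"),
           ("SW2", 4096, "00:1b:21:dd:ee:ff")]
LINKS = [("SW2", "SW1", 1000), ("SW2", "ZyWALL", 100), ("SW1", "ZyWALL", 1000)]

if __name__ == "__main__":
    root = elect_root(BRIDGES)
    print("root bridge:", root)
    for name, (cost, via) in root_path_costs(root, LINKS).items():
        print(f"{name}: cost {cost}, root port towards {via}")
```

With these values SW2 wins because its priority is lowest, and the ZyWALL reaches it more cheaply over two gigabit hops through SW1 (cost 40000) than over its direct 100 Mbit/s link (cost 200000), so that direct link is the one RSTP blocks. Lowering the ZyWALL's own Bridge Priority below 4096 would make it the root instead.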
Figure 60 NETWORK > Bridge > Port Roles
The following table describes the labels in this screen.
Table 30 NETWORK > Bridge > Port Roles
• LAN: Select a port's LAN radio button to use the port as part of the LAN.
• DMZ: Select a port's DMZ radio button to use the port as part of the DMZ.
Chapter 8 WAN Screens
This chapter describes how to configure WAN settings. Multiple WAN and load balancing are not available on the ZyWALL 5.

8.1 WAN Overview
• Use the WAN General screen to configure load balancing, route priority and traffic redirect properties for the ZyWALL 70 and ZyWALL 35.
You can select through which WAN port you want to send out traffic from UPnP-enabled applications (see Chapter 27 on page 475). The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name.
8.4.1.1 Example 1
The following figure depicts an example where both WAN ports on the ZyWALL are connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.
Figure 62 Least Load First Example
If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load...
8.4.2 Weighted Round Robin
Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight.
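The following is an added example, not code from the ZyWALL guide or from ZyXEL, that works through the two load-balancing indices of Sections 8.4.1 and 8.4.2 with the figures given in Example 1. Least Load First rates each WAN by measured throughput divided by its configured available bandwidth and sends the next session to the least loaded WAN (412K/512K is about 80% for WAN 1, 198K/256K about 77% for WAN 2, so WAN 2 is chosen). Weighted Round Robin hands out sessions in proportion to the weights. The tie-breaking rule, the smooth WRR schedule and the per-session granularity are assumptions; the page does not specify them.

```python
"""Added example (not from the ZyWALL guide): the Least Load First and
Weighted Round Robin indices of Sections 8.4.1 and 8.4.2.  Tie-breaking
(lowest WAN name wins) and the smooth WRR schedule are assumptions."""
from typing import Dict, List


def load_ratios(available_kbps: Dict[str, int], measured_kbps: Dict[str, int]) -> Dict[str, float]:
    """Outbound load index per WAN: measured throughput as a fraction of
    the configured Available Outbound Bandwidth."""
    return {wan: measured_kbps[wan] / available_kbps[wan] for wan in available_kbps}


def least_load_first(available_kbps: Dict[str, int], measured_kbps: Dict[str, int]) -> str:
    """WAN that receives the next new session: the lowest utilisation.
    On an exact tie the lowest-named WAN (WAN1) is used (assumption)."""
    ratios = load_ratios(available_kbps, measured_kbps)
    return min(sorted(ratios), key=ratios.__getitem__)


def weighted_round_robin(weights: Dict[str, int], n_sessions: int) -> List[str]:
    """Assign n_sessions to WANs in proportion to their weights using the
    'smooth' WRR schedule (each WAN accumulates its weight, the highest
    accumulator is picked and reduced by the total), which interleaves the
    picks instead of sending w sessions in a row to the same WAN."""
    if n_sessions < 0 or any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive and n_sessions non-negative")
    current = {wan: 0 for wan in weights}
    total = sum(weights.values())
    picks: List[str] = []
    for _ in range(n_sessions):
        for wan, w in weights.items():
            current[wan] += w
        pick = max(current, key=current.__getitem__)   # tie: first WAN in dict order
        current[pick] -= total
        picks.append(pick)
    return picks


def wrr_share(weights: Dict[str, int], n_sessions: int) -> Dict[str, int]:
    """How many of n_sessions each WAN received under WRR."""
    picks = weighted_round_robin(weights, n_sessions)
    return {wan: picks.count(wan) for wan in weights}


# Figures from Example 1 (Section 8.4.1.1), in kbit/s.
AVAILABLE = {"WAN1": 512, "WAN2": 256}
MEASURED = {"WAN1": 412, "WAN2": 198}

if __name__ == "__main__":
    print("load ratios:", load_ratios(AVAILABLE, MEASURED))
    print("least load first sends the next session to", least_load_first(AVAILABLE, MEASURED))
    print("WRR 3:1 over 8 sessions:", weighted_round_robin({"WAN1": 3, "WAN2": 1}, 8))
```

Least Load First reacts to what the links are actually carrying, so a WAN whose measured throughput climbs towards its configured bandwidth stops receiving new sessions even if it is the faster link; Weighted Round Robin follows the configured weights regardless of current load, which is simpler but cannot notice a saturated link.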
Figure 64 Spillover Algorithm Example

8.5 TCP/IP Priority (Metric)
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing the path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1"...
The following table describes the labels in this screen.
Table 33 NETWORK > WAN (General)
• Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN port (depending on the priorities you configure in the Route Priority fields).
Table 33 NETWORK > WAN (General) (continued)
• Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN port's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN port's default gateway IP address.
8.7 Configuring Load Balancing
To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL. The WAN General screen varies depending on what you select in the Load Balancing Algorithm field.
Table 34 Load Balancing: Least Load First (continued)
• Available Inbound Bandwidth: This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es) field. Specify the inbound (or downstream) bandwidth (in kilobits per second) for the interface.
8.7.3 Spillover
To load balance using the spillover method, select Spillover in the Load Balancing Algorithm field. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN1 is the primary WAN and WAN2 is the secondary WAN.
Figure 69 NETWORK > WAN (Route)
The following table describes the labels in this screen.
Table 37 NETWORK > WAN (Route)
• Route Priority: The default WAN connection is "1", as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
Table 37 NETWORK > WAN (Route) (continued)
• Allow between WAN and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
Figure 70 NETWORK > WAN > WAN (Ethernet Encapsulation)
The following table describes the labels in this screen.
Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation)
• ISP Parameters for Internet Access
• Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
• Retype to Confirm: Type your password again to make sure that you have entered it correctly.
• Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
• RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the ZyWALL (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task.
The following table describes the labels in this screen.
Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation)
• ISP Parameters for Internet Access
• Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).
Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued)
• RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.
Figure 72 NETWORK > WAN > WAN (PPTP Encapsulation)
The following table describes the labels in this screen.
Table 42 NETWORK > WAN > WAN (PPTP Encapsulation)
• ISP Parameters for Internet Access
• Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) over TCP/IP-based networks. PPTP's own authentication and link encryption (MS-CHAP with MPPE) are known to be weak, so use this encapsulation only where the ISP requires it and treat the link as untrusted transport rather than as a confidential channel.
Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) (continued)
• Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
8.13 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN.
Figure 73 Traffic Redirect WAN Setup
IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ.
Figure 75 NETWORK > WAN > Traffic Redirect
The following table describes the labels in this screen.
Table 43 NETWORK > WAN > Traffic Redirect
• Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
The following table describes the labels in this screen.
Table 44 NETWORK > WAN > Dial Backup
• Dial Backup Setup
• Enable Dial Backup: Select this check box to turn on dial backup.
• Basic Settings
• Login Name: Type the login name assigned by your ISP.
Table 44 NETWORK > WAN > Dial Backup (continued)
• Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
• RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving).
Table 44 NETWORK > WAN > Dial Backup (continued)
• Apply: Click Apply to save your changes back to the ZyWALL.
• Reset: Click Reset to begin configuring this screen afresh.

8.16 Advanced Modem Setup

8.16.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing.
Figure 77 NETWORK > WAN > Dial Backup > Edit
The following table describes the labels in this screen.
Table 45 NETWORK > WAN > Dial Backup > Edit
• AT Command Strings
• Dial: Type the AT command string to make a call.
Table 45 NETWORK > WAN > Dial Backup > Edit (continued)
• Dial Timeout (sec): Type the number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
• Retry Count: Type the number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Chapter 9 DMZ Screens
This chapter describes how to configure the ZyWALL's DMZ.

9.1 DMZ
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
Figure 78 NETWORK > DMZ
The following table describes the labels in this screen.
Table 46 NETWORK > DMZ
• DMZ TCP/IP
• IP Address: Type the IP address of your ZyWALL's DMZ port in dotted decimal notation.
Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
Table 46 NETWORK > DMZ (continued)
• RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
Table 46 NETWORK > DMZ (continued)
• Allow between DMZ and WAN 2: Select this check box to forward NetBIOS packets from the DMZ to WAN port 2 and from WAN port 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN port 2 and from WAN port 2 to the DMZ.
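The note in Table 46 that the LAN, WAN, WLAN and DMZ addresses must be on separate subnets is easy to violate when a DMZ or IP alias is carved out of an existing range. The following is an added example, not part of the ZyWALL guide, that takes each interface's IP address and mask as they would be typed into the NETWORK screens and reports every pair of interfaces whose subnets overlap. The interface addresses are constructed, and the classful default-mask helper is an assumption about how the "automatically calculated" mask mentioned for IP alias in this chapter is derived; the page does not spell out that rule.

```python
"""Added example (not from the ZyWALL guide): check that the interface
subnets required by Table 46 to be separate really are, from the
IP address / subnet mask pairs entered in the NETWORK screens.
Sample addresses are constructed; classful_mask() is an assumption."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple


def interface_networks(ifaces: Dict[str, Tuple[str, str]]) -> Dict[str, ipaddress.IPv4Network]:
    """ifaces: interface name -> (ip, dotted mask) as typed in the screens.
    Returns interface name -> the network that address/mask belongs to."""
    return {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, (ip, mask) in ifaces.items()}


def overlapping_interfaces(ifaces: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap (so the note is violated);
    an empty list means every interface is on its own subnet."""
    nets = interface_networks(ifaces)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def classful_mask(ip: str) -> str:
    """Default mask derived from the address class (the classical A/B/C
    rule).  Assumed to be what the screens compute when a mask is not
    entered; the guide only says the mask is calculated from the address."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


# Constructed configuration: the DMZ was given the upper half of the LAN's /24.
BAD_CONFIG = {
    "LAN":  ("192.168.1.1", "255.255.255.0"),
    "DMZ":  ("192.168.1.129", "255.255.255.128"),
    "WLAN": ("192.168.3.1", "255.255.255.0"),
    "WAN":  ("203.0.113.10", "255.255.255.248"),
}
# The same configuration with the DMZ moved to its own subnet.
GOOD_CONFIG = dict(BAD_CONFIG, DMZ=("192.168.2.1", "255.255.255.0"))

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, "overlaps:", overlapping_interfaces(cfg) or "none")
```

Overlapping interface subnets do more than break routing: a host in the shared range can reach the other interface's hosts without its traffic ever crossing the firewall rules for that direction, which is exactly the separation the DMZ is meant to provide.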
Figure 79 NETWORK > DMZ > Static DHCP
The following table describes the labels in this screen.
Table 47 NETWORK > DMZ > Static DHCP
• This is the index number of the Static IP table entry (row).
• MAC Address: Type the MAC address of a computer on your DMZ.
The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
Table 48 NETWORK > DMZ > IP Alias (continued)
• IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
Figure 81 DMZ Public Address Example

9.6 DMZ Private and Public IP Address Example
The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d, for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet.
Figure 82 DMZ Private and Public Address Example

9.7 DMZ Port Roles
Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 can be part of the LAN, DMZ or WLAN interface.
Figure 83 NETWORK > DMZ > Port Roles
The following table describes the labels in this screen.
Table 49 NETWORK > DMZ > Port Roles
• LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the ZyWALL's LAN IP address and MAC address.
Chapter 10 Wireless LAN
This chapter discusses how to configure the wireless LAN on the ZyWALL.

10.1 Wireless LAN Introduction
A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
Click NETWORK > WLAN to open the WLAN screen, where you configure the IP address of the ZyWALL's WLAN interface and its other TCP/IP and DHCP settings.
Figure 84 NETWORK > WLAN
The following table describes the labels in this screen.
Table 50 NETWORK >...
Table 50 NETWORK > WLAN (continued)
• RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
Table 50 NETWORK > WLAN (continued)
• Allow between WLAN and WAN 2: Select this check box to forward NetBIOS packets from the WLAN to WAN port 2 and from WAN port 2 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN port 2 and from WAN port 2 to the WLAN.
Figure 85 NETWORK > WLAN > Static DHCP
The following table describes the labels in this screen.
Table 51 NETWORK > WLAN > Static DHCP
• This is the index number of the Static IP table entry (row).
• MAC Address: Type the MAC address of a computer on your WLAN.
The ZyWALL has a single WLAN interface. Even though more than one of ports 1~4 may be in the WLAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
Table 52 NETWORK > WLAN > IP Alias (continued)
• RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
Figure 87 WLAN Port Role Example
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1 A port's IP address changes as its role changes; make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
The following table describes the labels in this screen.
Table 53 NETWORK > WLAN > Port Roles
• LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the LAN IP address.
Figure 90 ZyWALL Wireless Security Levels
If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator.
10.6.3 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to the listed devices (Allow Association) or to exclude them from accessing the AP (Deny Association). MAC addresses are transmitted unencrypted and are easily changed on a client, so MAC filtering raises the bar only slightly and is no substitute for encryption and authentication.

10.6.4 Hide ZyWALL Identity
If you hide the ESSID, the ZyWALL is not listed when a wireless client scans for local APs. The name is still carried in the frames of clients that associate, so hiding it deters casual discovery but does not protect the network on its own.
10.9 802.1x Overview
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyWALL (up to 32 users) or an external RADIUS server for an unlimited number of users.
ZyWALL 5/35/70 Series User’s Guide Sent by the access point requesting accounting. • Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know.
ZyWALL 5/35/70 Series User’s Guide 10.10 Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.
ZyWALL 5/35/70 Series User’s Guide Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
ZyWALL 5/35/70 Series User’s Guide Figure 92 WPA-PSK Authentication 10.13 Introduction to RADIUS The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users. RADIUS is based on a client-sever model that supports authentication and accounting, where access point is the client and the server is the RADIUS server.
ZyWALL 5/35/70 Series User’s Guide Figure 93 WPA with RADIUS Application Example 10.15 Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
Figure 94 NETWORK > WIRELESS CARD: No Security The following table describes the labels in this screen. Table 55 NETWORK > WIRELESS CARD: No Security LABEL DESCRIPTION Enable Wireless Card The wireless LAN through a wireless LAN card is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security;...
Table 55 NETWORK > WIRELESS CARD: No Security (continued) LABEL DESCRIPTION Fragmentation Threshold This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Select the check box to change the default value and enter a value between 256 and 2432.
Figure 95 NETWORK > WIRELESS CARD: Static WEP The following table describes the wireless LAN security labels in this screen. Table 56 NETWORK > WIRELESS CARD: Static WEP LABEL DESCRIPTION Security Select Static WEP from the drop-down list. WEP Encryption WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
Figure 96 NETWORK > WIRELESS CARD: WPA-PSK The following wireless LAN security fields become available when you select WPA-PSK in the Security drop-down list box. Table 57 NETWORK > WIRELESS CARD: WPA-PSK LABEL DESCRIPTION Security Select WPA-PSK from the drop-down list.
Table 57 NETWORK > WIRELESS CARD: WPA-PSK (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 10.16.3 WPA Click NETWORK > WIRELESS CARD to display the Wireless Card screen. Select WPA from the Security list.
Table 58 NETWORK > WIRELESS CARD: WPA (continued) LABEL DESCRIPTION Idle Timeout (Seconds) The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
The following wireless LAN security fields become available when you select 802.1x + Dynamic WEP in the Security drop-down list box. Table 59 NETWORK > WIRELESS CARD: 802.1x + Dynamic WEP LABEL DESCRIPTION Security Select 802.1x + Dynamic WEP from the drop-down list. ReAuthentication Timer (Seconds) Specify how often wireless stations have to resend user names and passwords in
Figure 99 NETWORK > WIRELESS CARD: 802.1x + Static WEP The following wireless LAN security fields become available when you select 802.1x + Static WEP in the Security drop-down list box. Table 60 NETWORK > WIRELESS CARD: 802.1x + Static WEP LABEL DESCRIPTION Security...
Table 60 NETWORK > WIRELESS CARD: 802.1x + Static WEP (continued) LABEL DESCRIPTION Idle Timeout (Seconds) The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop-down list box. Table 61 NETWORK > WIRELESS CARD: 802.1x + No WEP LABEL DESCRIPTION Security Select 802.1x + No WEP from the drop-down list. ReAuthentication Timer (Seconds) Specify how often wireless stations have to resend user names and passwords in
Figure 101 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop-down list box. Table 62 NETWORK >...
10.17 MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address.
Table 63 NETWORK > WIRELESS CARD: MAC Address Filter LABEL DESCRIPTION User Name Enter a descriptive name for the MAC address. MAC Address Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyWALL in these address fields. Apply Click Apply to save your changes back to the ZyWALL.
Chapter 11 Firewall This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview The networking term firewall refers to a system or group of systems that enforces an access-control policy between two networks.
Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
To set the ZyWALL to silently block traffic from WAN 1 to the DMZ interface by default, you would find where the From WAN1 row and the To DMZ column intersect and set the field to Drop as shown. Figure 105 Default Block Traffic From WAN1 to DMZ Example 11.3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of the packets to which they apply.
By default, the ZyWALL drops packets traveling in the following directions. • WAN 1 to LAN These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to: •...
Figure 106 From LAN to VPN Example In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 107 Block LAN to VPN Traffic by Default Example Chapter 11 Firewall...
11.3.2 From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to”...
Figure 109 Block VPN to LAN Traffic by Default Example 11.3.3 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN; see Section 18.16 on page 359 for details).
Figure 110 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 111 Block VPN to VPN Traffic by Default Example 11.4 Security Considerations Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network.
Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3 Does a rule that allows Internet users access to resources on the LAN create a security...
• The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN. The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from the LAN, it checks that traffic against the first rule.
• The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN. The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic. If the rule that blocks all LAN to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules.
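The first-match ordering described above, as an added example in Python that is not part of this guide or of ZyXEL's firmware: it evaluates a packet against an ordered rule list the way the text describes, falls back to the default policy, and flags rules that never decide anything because an earlier rule shadows them. All addresses, the CEO's host and the IRC port range are constructed sample values.

```python
"""First-match firewall rule evaluation, showing why rule order matters.

Added example, not ZyWALL firmware or ZyXEL code. It models the behaviour the
guide describes: a packet is checked against the rules in listed order, the
first matching rule decides, and the default policy applies when nothing
matches. All addresses, the CEO's host and the IRC port range are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrRange:
    """Inclusive IPv4 address range, like the ZyWALL's 'from ... through ...' fields."""
    lo: str
    hi: str

    def contains(self, addr: str) -> bool:
        return IPv4Address(self.lo) <= IPv4Address(addr) <= IPv4Address(self.hi)


ANY_ADDR = AddrRange("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: AddrRange
    dst: AddrRange
    proto: Optional[str]              # None matches any IP protocol
    ports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any
    action: str                       # "permit" or "drop"

    def matches(self, p: Packet) -> bool:
        if not (self.src.contains(p.src) and self.dst.contains(p.dst)):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.ports is not None and not (self.ports[0] <= p.dport <= self.ports[1]):
            return False
        return True


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """Walk the rules in order; the first match wins and later rules are never consulted."""
    for rule in rules:
        if rule.matches(p):
            return rule
    return None


def evaluate(rules: List[Rule], p: Packet, default_action: str = "permit") -> str:
    """Action applied to the packet: the first matching rule, else the default policy."""
    rule = first_match(rules, p)
    return rule.action if rule is not None else default_action


# Constructed sample policy for the LAN-to-WAN direction.
LAN = AddrRange("192.168.1.1", "192.168.1.254")
CEO_PC = AddrRange("192.168.1.100", "192.168.1.100")
IRC_PORTS = (6667, 6669)

allow_ceo_irc = Rule("CEO may use IRC", CEO_PC, ANY_ADDR, "tcp", IRC_PORTS, "permit")
block_lan_irc = Rule("Block LAN IRC", LAN, ANY_ADDR, "tcp", IRC_PORTS, "drop")

CORRECT_ORDER = [allow_ceo_irc, block_lan_irc]   # specific rule first
WRONG_ORDER = [block_lan_irc, allow_ceo_irc]     # blanket block shadows the CEO rule

# The guide's example keeps the default LAN-to-WAN policy as permit.
LAN_TO_WAN_DEFAULT = "permit"

CEO_IRC = Packet("192.168.1.100", "203.0.113.5", "tcp", 6667)
STAFF_IRC = Packet("192.168.1.20", "203.0.113.5", "tcp", 6667)
STAFF_WEB = Packet("192.168.1.20", "203.0.113.5", "tcp", 80)


def decide(rules: List[Rule], p: Packet) -> str:
    return evaluate(rules, p, LAN_TO_WAN_DEFAULT)


def shadowed_rules(rules: List[Rule], samples: List[Packet]) -> List[str]:
    """Names of rules that decide none of the sample packets because an earlier rule
    matched first: a cheap audit for the ordering mistake the guide warns about."""
    deciding = {r.name for r in (first_match(rules, p) for p in samples) if r is not None}
    return [r.name for r in rules if r.name not in deciding]


if __name__ == "__main__":
    samples = [CEO_IRC, STAFF_IRC, STAFF_WEB]
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "CEO IRC ->", decide(rules, CEO_IRC),
              "staff IRC ->", decide(rules, STAFF_IRC))
        print("  shadowed rules:", shadowed_rules(rules, samples))
```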
Figure 114 Using IP Alias to Solve the Triangle Route Problem 11.7 Firewall Default Rule (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 115 SECURITY >...
The following table describes the labels in this screen. Table 66 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Table 66 SECURITY > FIREWALL > Default Rule (Router Mode) (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 11.8 Firewall Default Rule (Bridge Mode) Click SECURITY >...
The following table describes the labels in this screen. Table 67 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Table 67 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION Log Broadcast Frame Select this to create a log for any broadcast frames traveling in the selected direction. Many of these logs in a short time period could indicate a broadcast storm. A broadcast storm occurs when a packet triggers multiple responses from all hosts on a network or when computers attempt to respond to a host that never replies.
The following table describes the labels in this screen. Table 68 SECURITY > FIREWALL > Rule Summary LABEL DESCRIPTION Firewall Rules Storage Space This bar displays the percentage of the ZyWALL’s firewall rules storage space that is currently in use.
11.9.1 Firewall Edit Rule Follow these directions to create a new rule. 1 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule.
Table 69 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Action for Matched Packets Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
The following table describes the labels in this screen. Table 70 SECURITY > FIREWALL > Anti-Probing LABEL DESCRIPTION Respond to PING Select the check boxes of the interfaces that you want to reply to incoming Ping requests.
11.11.1 Threshold Values If everything is working properly, you probably do not need to change the threshold settings, as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs, or the logs show that the ZyWALL is classifying normal traffic as DoS attacks.
The following table describes the labels in this screen. Table 71 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds.
Table 71 SECURITY > FIREWALL > Threshold (continued) LABEL DESCRIPTION Action taken when TCP Maximum Incomplete threshold reached Select the action that the ZyWALL should take when the TCP maximum incomplete threshold is reached. You can have the ZyWALL either: Delete the oldest half open session when a new connection request comes.
Figure 122 SECURITY > FIREWALL > Service The following table describes the labels in this screen. Table 72 SECURITY > FIREWALL > Service LABEL DESCRIPTION Custom Service This table shows all configured custom services. This is the index number of the custom service. Service Name This is the name of the service.
Table 72 SECURITY > FIREWALL > Service (continued) LABEL DESCRIPTION Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services. Predefined Service This table shows all the services that are already configured for use in firewall...
Table 73 SECURITY > FIREWALL > Service > Add (continued) LABEL DESCRIPTION Port Range Enter the port number (from 1 to 255) that defines the customized service. To specify one port only, enter the port number in the From field and enter it again in the To field.
Figure 125 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box. 4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
Figure 127 My Service Firewall Rule Example: Rule Edit 9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Figure 128 My Service Firewall Rule Example: Rule Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Chapter 11 Firewall...
Chapter 12 Intrusion Detection and Prevention (IDP) This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL. 12.1 Introduction to IDP An IDP system can detect malicious or suspicious packets and respond instantaneously.
Firewalls are usually deployed at the network edge. However, many attacks are launched (sometimes inadvertently) from within an organization. Virtual private networks (VPN), removable storage devices and wireless networks may all provide access to the internal network without going through the firewall.
12.1.5 Example Intrusions The following are some examples of intrusions. 12.1.5.1 SQL Slammer Worm W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port.
12.1.5.4 MyDoom MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with a bat, cmd, exe, pif, scr, or zip file extension. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
Chapter 13 Configuring IDP This chapter shows you how to configure IDP on the ZyWALL. 13.1 Overview To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL.
13.2 General Setup Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Click SECURITY > IDP from the navigation panel. General is the first screen, as shown in the following figure.
Table 74 SECURITY > IDP > General Setup LABEL DESCRIPTION From, To Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column.
Figure 133 SECURITY > IDP > Signatures: Attack Types The following table describes each attack type. Table 75 SECURITY > IDP > Signature: Attack Types TYPE DESCRIPTION DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet.
Table 75 SECURITY > IDP > Signature: Attack Types (continued) TYPE DESCRIPTION Virus/Worm A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network.
Figure 134 SECURITY > IDP > Signature: Actions The following table describes signature actions. Table 77 SECURITY > IDP > Signature: Actions ACTION DESCRIPTION No Action The intrusion is detected but no action is taken. Drop Packet The packet is silently discarded.
Figure 135 SECURITY > IDP > Signature: Group View The following table describes the labels in this screen. Table 78 SECURITY > IDP > Signature: Group View LABEL DESCRIPTION Signature Groups Switch to query view Click this hyperlink to go to a screen where you can search for signatures based on criteria other than attack type.
Table 78 SECURITY > IDP > Signature: Group View (continued) LABEL DESCRIPTION Select this check box to have a log generated when a match is found for a signature. Select the check box in the heading row to automatically select all check boxes, or clear it to clear all entries on the current page.
Figure 136 SECURITY > IDP > Signature: Query View The following table describes the fields in this screen. Table 79 SECURITY > IDP > Signature: Query View LABEL DESCRIPTION Back to group view Click this button to go to the IDP group view screen, where IDP signatures are grouped by attack type.
Table 79 SECURITY > IDP > Signature: Query View (continued) LABEL DESCRIPTION Search Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the selected search criteria were.
Table 79 SECURITY > IDP > Signature: Query View (continued) LABEL DESCRIPTION Apply Click this button to save your changes back to the ZyWALL. Reset Click this button to begin configuring this screen afresh. 13.3.5.1 Query Example 1 1 From the “group view”...
Figure 139 Signature Query by Attribute 13.4 Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.
13.4.2 Configuring IDP Update When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not overwritten when you download new signatures. File-based anti-virus signatures (see the anti-virus chapter) are included with IDP signatures.
Table 80 SECURITY > IDP > Update (continued) LABEL DESCRIPTION Release Date This field displays the time (hour, minute, second) and date (month, date, year) that the above signature set was created. Last Update This field displays the last date and time you downloaded new signatures to the ZyWALL.
Figure 141 SECURITY > IDP > Backup & Restore Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings. Click Backup and then choose a location and filename for the IDP configuration set. •...
Chapter 14 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 14.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs.
2 The virus spreads to other files and programs on the computer. 3 The infected files are unintentionally sent to another computer, thus starting the spread of the virus. 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially.
14.2.1 How the ZyWALL Anti-Virus Scanner Works The ZyWALL checks traffic going to the interface(s) you specify for signature matches. Figure 142 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, HTTP and FTP packets through standard ports.
Note: The ZyWALL Turbo Card does not have a MAC address. The following lists important notes about the anti-virus scanner: 1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses. 2 When a virus is detected, an alert message is displayed on Microsoft Windows computers.
Figure 143 SECURITY > ANTI-VIRUS > General The following table describes the labels in this screen. Table 82 SECURITY > ANTI-VIRUS > General LABEL DESCRIPTION General Setup Enable Anti-Virus Select this check box to check traffic for viruses. The anti-virus scanner works on the following.
Table 82 SECURITY > ANTI-VIRUS > General (continued) LABEL DESCRIPTION Available Service Service This field displays the service names and standard port numbers that identify them. Select a service to display and configure anti-virus settings for it. Active Select Active to enable the anti-virus scanner for the selected service.
Figure 144 SECURITY > ANTI-VIRUS > Signature: Query View The following table describes the labels in this screen. Table 83 SECURITY > ANTI-VIRUS > Signature: Query View LABEL DESCRIPTION Query Signatures Select the criteria on which to perform the search. Signature Search Select this radio button if you would like to search the signatures by name or ID.
Table 83 SECURITY > ANTI-VIRUS > Signature: Query View (continued) LABEL DESCRIPTION Search Click this button to begin the search. The results display in the table at the bottom of the screen. Results may be spread over several pages depending on how broad the selected search criteria were.
14.5 Signature Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads. Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have activated either the trial license or the standard license (iCard).
Figure 147 SECURITY > ANTI-VIRUS > Update The following table describes the labels in this screen. LABEL DESCRIPTION Signature Information Current Pattern Version This field displays the signature version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures.
LABEL DESCRIPTION Update Now Click this button to begin downloading signatures from the Update Server immediately. Auto Update Select the check box to configure a schedule for automatic signature updates. The Hourly, Daily and Weekly fields display when the check box is selected. The ZyWALL then automatically downloads signatures from the Update Server regularly at the time and/or day you specify.
Use the Backup & Restore screen to: • Back up anti-virus signatures with your custom configured settings to a computer. Click Backup and then choose a location and filename for the anti-virus configuration set. • Restore previously saved anti-virus signatures (with your custom configured settings). Click Restore and choose the path and location where the previously saved file resides on your computer.
Chapter 15 Anti-Spam This chapter covers how to use the ZyWALL’s anti-spam feature to deal with junk e-mail (spam). 15.1 Anti-Spam Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam.
15.1.1.1 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a database of e-mail fingerprint IDs.
15.1.1.4 SpamTricks Engine The SpamTricks engine checks for the tactics that spammers use to minimize the expense of sending lots of e-mail and tactics that they use to bypass spam filters. Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are common tricks for which the SpamTricks engine checks.
The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing. 15.1.4 Whitelist Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the ZyWALL classify any e-mail that is from a specified sender or uses a specified MIME (Multipurpose Internet Mail Extensions) header or MIME header value as legitimate (see...
15.1.7 MIME Headers MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail. MIME headers describe an e-mail’s content encoding and type. For example, they may show which program generated the e-mail and what type of text is used in the e-mail body. Here are some examples of MIME headers: •...
Figure 150 SECURITY > ANTI-SPAM > General The following table describes the labels in this screen. Table 84 SECURITY > ANTI-SPAM > General LABEL DESCRIPTION General Setup Enable Anti-Spam Select this check box to check SMTP (TCP port 25) and POP3 (TCP port 110) e-mail traffic for spam.
Table 84 SECURITY > ANTI-SPAM > General LABEL DESCRIPTION From, To Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column.
Table 84 SECURITY > ANTI-SPAM > General LABEL DESCRIPTION Action taken when mail sessions threshold is reached The anti-spam feature limits the number of concurrent e-mail sessions. An e-mail session is when an e-mail client and e-mail server (or two e-mail servers) connect through the ZyWALL.
The following table describes the labels in this screen. Table 85 SECURITY > ANTI-SPAM > External DB LABEL DESCRIPTION External Database Enable External Database Enable the anti-spam external database feature to have the ZyWALL calculate a digest of an e-mail and send it to an anti-spam external database.
Table 85 SECURITY > ANTI-SPAM > External DB (continued) LABEL DESCRIPTION External Database Service Status This read-only field displays the status of your anti-spam external database service registration and activation. License Inactive displays if you have not successfully registered and activated the anti-spam external database service.
Figure 152 SECURITY > ANTI-SPAM > Lists The following table describes the labels in this screen. Table 86 SECURITY > ANTI-SPAM > Lists LABEL DESCRIPTION Resource Usage Whitelist & Blacklist Storage Space This bar displays the percentage of the ZyWALL’s anti-spam whitelist and blacklist storage space that is currently in use.
Table 86 SECURITY > ANTI-SPAM > Lists (continued) LABEL DESCRIPTION Insert Type the index number where you want to put an entry. For example, if you type 6, your new entry becomes number 6 and the previous entry 6 (if there is one) becomes entry 7.
Figure 153 SECURITY > ANTI-SPAM > Lists > Edit The following table describes the labels in this screen. Table 87 SECURITY > ANTI-SPAM > Lists > Edit LABEL DESCRIPTION Rule Edit Active Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corresponding list (in the Anti-Spam Customization screen) and the anti-spam feature (in the Anti-Spam General screen).
ZyWALL 5/35/70 Series User’s Guide Table 87 SECURITY > ANTI-SPAM > Lists > Edit LABEL DESCRIPTION E-Mail Address This field displays when you select the E-Mail type. Enter an e-mail address or domain name (up to 63 ASCII characters). You can enter an individual e-mail address like abc@def.com. If you enter a domain name, the ZyWALL searches the source e-mail address string after the “@”...
CHAPTER 16 Content Filtering Screens
This chapter provides an overview of content filtering.
16.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites.
Figure 154 SECURITY > CONTENT FILTER > General
The following table describes the labels in this screen.
Table 88 SECURITY > CONTENT FILTER > General
General Setup
Enable Content Filter: Select this check box to enable the content filter. Content filtering works on HTTP traffic that is using TCP ports 80, 119, 3128 or 8080. Traffic on other ports, including HTTPS on TCP port 443, is not inspected.
Table 88 SECURITY > CONTENT FILTER > General (continued)
Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Table 88 SECURITY > CONTENT FILTER > General (continued)
Delete Range: Click Delete Range after you select the range of addresses you wish to delete.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
16.4 Content Filter Categories
Click SECURITY > CONTENT FILTER > Categories to display the CONTENT FILTER Categories screen. Use this screen to configure category-based content filtering. You can set the ZyWALL to use external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it.
Figure 156 SECURITY > CONTENT FILTER > Categories
The following table describes the labels in this screen.
Table 89 SECURITY > CONTENT FILTER > Categories
Auto Category Setup
Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find which category a requested web page belongs to.
Table 89 SECURITY > CONTENT FILTER > Categories (continued)
Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
Table 89 SECURITY > CONTENT FILTER > Categories (continued)
Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
Table 89 SECURITY > CONTENT FILTER > Categories (continued)
Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
Table 89 SECURITY > CONTENT FILTER > Categories (continued)
News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
Table 89 SECURITY > CONTENT FILTER > Categories (continued)
Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of an adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
16.5 Content Filter Customization
Click SECURITY > CONTENT FILTER > Customization to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses.
The following table describes the labels in this screen.
Table 90 SECURITY > CONTENT FILTER > Customization
Web Site List Customization
Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.
Table 90 SECURITY > CONTENT FILTER > Customization (continued)
Click this button when you have finished adding the keyword in the field above.
Delete: Select a keyword from the Keyword List, and then click this button to delete it from that list.
Use the command ip urlfilter customize actionFlags 8 [disable | enable] to extend (or not extend) the keyword blocking search to include the URL's complete filename. With it disabled, only the host part of the URL is searched for keywords; with it enabled, the path and filename are searched as well.
16.7 Content Filtering Cache
Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen.
The following table describes the labels in this screen.
Table 91 SECURITY > CONTENT FILTER > Cache
URL Cache Setup
Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
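The following Python script is added here as an illustration; it is not part of the ZyWALL firmware or of this guide. It shows the order of decisions described in the Customization, Categories and Cache screens above: trusted list first, then forbidden list, then keyword blocking (with and without the complete filename, i.e. actionFlags 8 off or on), then the external category database with the Unrated option, and a URL cache whose entries expire after a maximum TTL. The host lists, keywords, category names and the lookup function are constructed for the example.

```python
"""Content filter decision logic with a TTL-bounded URL category cache.
Added example, not ZyWALL code. TRUSTED, FORBIDDEN, KEYWORDS,
BLOCKED_CATEGORIES and the lookup callback are constructed for illustration."""
import time
from urllib.parse import urlsplit

# Constructed sample lists (not taken from any real configuration).
TRUSTED = {"intranet.example.com", "www.example.com"}
FORBIDDEN = {"bad.example.net"}
KEYWORDS = ["casino", "warez"]
BLOCKED_CATEGORIES = {"Gambling"}


class CategoryCache:
    """host -> category cache whose entries expire after max_ttl seconds.
    The manual's Maximum TTL is 1 to 720 hours; seconds keep the example testable."""

    def __init__(self, max_ttl, clock=time.monotonic):
        self.max_ttl = max_ttl
        self._clock = clock
        self._entries = {}

    def get(self, host):
        hit = self._entries.get(host)
        if hit is None:
            return None
        category, expires = hit
        if self._clock() >= expires:
            del self._entries[host]      # stale: force a fresh database lookup
            return None
        return category

    def put(self, host, category):
        self._entries[host] = (category, self._clock() + self.max_ttl)


def host_matches(host, entries):
    """Exact match or subdomain match against a set of domain names."""
    return any(host == e or host.endswith("." + e) for e in entries)


def filter_url(url, lookup, cache, full_filename=False, block_unrated=False):
    """Return (action, reason) for one HTTP request.
    full_filename=True corresponds to 'ip urlfilter customize actionFlags 8 enable':
    keywords are searched in the path as well as in the host name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host_matches(host, TRUSTED):
        return ("allow", "trusted web site")
    if host_matches(host, FORBIDDEN):
        return ("block", "forbidden web site")
    haystack = host + parts.path.lower() if full_filename else host
    for keyword in KEYWORDS:
        if keyword in haystack:
            return ("block", "keyword: " + keyword)
    category = cache.get(host)
    if category is None:
        category = lookup(host)          # simulated external database query
        cache.put(host, category)
    if category == "Unrated":
        return ("block", "unrated") if block_unrated else ("allow", "unrated")
    if category in BLOCKED_CATEGORIES:
        return ("block", "category: " + category)
    return ("allow", "category: " + category)
```

The cache is keyed by host, as the category database rates sites rather than individual URLs; a short Maximum TTL makes re-categorized sites take effect sooner at the cost of more database queries.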
CHAPTER 17 Content Filtering Reports
This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 123 for how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
Figure 159 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 161 on page 317).
Figure 161 myZyXEL.com: Service Management
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 161 on page 317). Type your myZyXEL.com account password in the Password field.
Figure 163 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Figure 164 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
Figure 165 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Figure 166 Requested URLs Example
17.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
Figure 167 Web Page Review Process Screen
3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
CHAPTER 18 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL.
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well.
Figure 172 SECURITY > VPN > VPN Rules (IKE)
The following table describes the labels in this screen.
Table 92 SECURITY > VPN > VPN Rules (IKE)
VPN Rules: These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks.
Table 92 SECURITY > VPN > VPN Rules (IKE) (continued)
Remote Network: This is the remote network behind the remote IPSec router.
Click the associate icon to display a screen in which you can associate a network policy to a gateway policy.
See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 18.3.1.1 on page 328 for more information about DH key groups.
18.3.1.1 Diffie-Hellman (DH) Key Exchange
The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for the IKE SA and the IPSec SA.
Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.
• The local ID type and ID content come from the certificate. On the ZyWALL, you simply select which certificate to use.
• If you set the peer ID type to Any, the ZyWALL authenticates the remote IPSec router using the trusted certificates and trusted CAs you have set up. Any peer presenting a certificate that chains to one of those trusted CAs is then accepted, so configure a specific peer ID if only one remote identity should be allowed.
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its (unencrypted) identity to the ZyWALL for authentication.
Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is established.
18.4 Additional IPSec VPN Topics
This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted.
18.4.1 SA Life Time
SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations: •...
Figure 177 IPSec High Availability
When setting up an IPSec high availability VPN tunnel, the remote IPSec router:
• Must have multiple WAN connections
• Only needs to configure one corresponding IPSec rule
• Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections
•...
18.5 VPN Rules (IKE) Gateway Policy Edit
In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN-Gateway Policy -Edit screen. Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
The following table describes the labels in this screen.
Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Fall back to Primary Remote: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again.
Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 20 on page...
Table 95 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Enable Multiple Proposals: Select this to allow the ZyWALL to use any of its phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
18.6.0.3 Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure.
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
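The following Python script is an added example, not ZyWALL code. It follows the IPSec SA key derivation of RFC 2409 section 5.5 (KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)) to show what PFS changes: with PFS a fresh DH shared value is mixed into KEYMAT, so knowing the phase 1 secret SKEYID_d is no longer enough to recompute the IPSec keys. The DH group is a toy 61-bit prime chosen so the script runs instantly; it is not one of the IKE key groups and must not be used for anything real.

```python
"""IPSec SA key material with and without PFS (RFC 2409 section 5.5).
Added example, not ZyWALL code. P and G form a TOY DH group: far too small
to be secure and not an IKE DH group."""
import hashlib
import hmac
import secrets

P = 2**61 - 1   # toy modulus (a Mersenne prime); real IKE groups are 768 to 8192 bits
G = 3
PROTO_ESP = 3   # protocol identifier for ESP in the IPSec DOI (RFC 2407)


def prf(key, data):
    """IKE PRF: HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(private, peer_public):
    return pow(peer_public, private, P).to_bytes(8, "big")


def keymat(skeyid_d, spi, ni, nr, qm_shared=b"", nbytes=36):
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b),
    expanded as K2 = prf(SKEYID_d, K1 | seed), ... until nbytes are available.
    qm_shared is empty without PFS and the Quick Mode DH value with PFS."""
    seed = qm_shared + bytes([PROTO_ESP]) + spi + ni + nr
    block = prf(skeyid_d, seed)
    out = block
    while len(out) < nbytes:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:nbytes]


def quick_mode(skeyid_d, pfs):
    """Simulate one Quick Mode exchange between the ZyWALL and the remote router.
    Returns (zywall_key, remote_key, recomputed) where recomputed is what someone
    who later obtains SKEYID_d plus the recorded SPI and nonces can derive."""
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        x, gx = dh_keypair()          # ZyWALL's ephemeral pair
        y, gy = dh_keypair()          # remote router's ephemeral pair
        zywall_key = keymat(skeyid_d, spi, ni, nr, dh_shared(x, gy))
        remote_key = keymat(skeyid_d, spi, ni, nr, dh_shared(y, gx))
    else:
        zywall_key = keymat(skeyid_d, spi, ni, nr)
        remote_key = keymat(skeyid_d, spi, ni, nr)
    # Without the fresh DH term, SKEYID_d and the public Quick Mode values are
    # enough to reconstruct KEYMAT; with PFS the private exponents x and y are
    # discarded after the exchange and the attempt yields unrelated bytes.
    recomputed = keymat(skeyid_d, spi, ni, nr)
    return zywall_key, remote_key, recomputed
```

Both peers always derive the same KEYMAT; the third value shows why the manual recommends PFS: once SKEYID_d leaks, every non-PFS IPSec SA keyed from it can be reconstructed, while each PFS SA would also require breaking its own DH exchange.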
The following table describes the labels in this screen.
Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Starting IP Address: When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL.
Table 96 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Encryption Algorithm: Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
NULL - no encryption key or algorithm
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the Triple DES encryption algorithm
AES - a 128-bit key with the AES encryption algorithm...
NULL provides no confidentiality and single DES can be brute-forced; prefer AES whenever the remote IPSec router supports it.
• The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel.
• The network policy contains the IPSec SA settings. It specifies which devices (behind the IPSec routers) can use the VPN tunnel.
18.9 IPSec SA Using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA: the keys are fixed in the configuration and are never renegotiated, so there is no rekeying and no perfect forward secrecy.
Figure 182 SECURITY > VPN > VPN Rules (Manual)
The following table describes the labels in this screen.
Table 98 SECURITY > VPN > VPN Rules (Manual)
This is the VPN policy index number.
Name: This field displays the identification name for this VPN policy.
Table 98 SECURITY > VPN > VPN Rules (Manual) (continued)
Modify: Click the edit icon to edit the VPN policy. Click the delete icon to remove the VPN policy. A window displays asking you to confirm that you want to delete the VPN rule.
Figure 183 SECURITY > VPN > VPN Rules (Manual) > Edit
The following table describes the labels in this screen.
Table 99 SECURITY > VPN > VPN Rules (Manual) > Edit
Property
Active: Select this check box to activate this VPN policy.
Table 99 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
Table 99 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Remote Gateway Addr: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection.
Manual Proposal
Type a unique SPI (Security Parameter Index) from one to four characters long.
Figure 184 SECURITY > VPN > SA Monitor
The following table describes the labels in this screen.
Table 100 SECURITY > VPN > SA Monitor
This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Figure 185 SECURITY > VPN > Global Setting
The following table describes the labels in this screen.
Table 101 SECURITY > VPN > Global Setting
Output Idle Timer: When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity.
Table 101 SECURITY > VPN > Global Setting (continued)
VPN rules skip applying to the overlap range of: When you configure a VPN rule, the ZyWALL checks to make sure that the IP addresses in the local and remote networks do not overlap.
Table 102 Telecommuters Sharing One VPN Rule Example
FIELDS | TELECOMMUTERS | HEADQUARTERS
My ZyWALL | 0.0.0.0 (dynamic IP address assigned by the ISP) | Public static IP address
Remote Gateway Address | Public static IP address | 0.0.0.0 (with this IP address only the telecommuter can initiate the IPSec tunnel)
Table 103 Telecommuters Using Unique VPN Rules Example
TELECOMMUTERS (All Telecommuter Rules) | HEADQUARTERS (All Headquarters Rules)
My ZyWALL: 0.0.0.0 | My ZyWALL: bigcompanyhq.com
Remote Gateway Address: bigcompanyhq.com | Remote Network - Single IP Address: 192.168.1.10
Local Network - Single IP Address: 192.168.1.10 | Peer ID Type: E-mail
Local ID Type: E-mail | Peer ID Content: bob@bigcompanyhq.com
Local ID Content: bob@bigcompanyhq.com | ...
In the following example, the VPN rule’s local network (A) includes the ZyWALL’s LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface.
You should not use a hub-and-spoke VPN in every situation, however. The hub router is a single point of failure, so a hub-and-spoke VPN may not be appropriate if the connection between the spoke routers cannot be down occasionally (for maintenance, for example). In addition, there is a significant burden on the hub router.
• Remote IP address: 192.168.167.0/255.255.255.0
Rule 2:
• Remote Gateway: 10.0.0.3
• Local IP address: 192.168.167.0~192.168.168.255
• Remote IP address: 192.168.169.0/255.255.255.0
Branch Office B:
• Remote Gateway: 10.0.0.1
• Local IP address: 192.168.169.0/255.255.255.0
• Remote IP address: 192.168.167.0~192.168.168.255
18.16.3 Hub-and-spoke VPN Requirements and Suggestions
Consider the following when implementing a hub-and-spoke VPN.
CHAPTER 19 Certificates
This chapter gives background information about public-key certificates and explains how to use them.
19.1 Certificates Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
Figure 192 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary depending on your situation. Possible examples would be over the telephone or through an HTTPS connection.
Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
19.5 My Certificates
Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen.
Table 104 SECURITY > CERTIFICATES > My Certificates (continued)
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate.
19.6 My Certificate Details
Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 194 on page 366). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
The following table describes the labels in this screen.
Table 105 SECURITY > CERTIFICATES > My Certificates > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate.
Table 105 SECURITY > CERTIFICATES > My Certificates > Details (continued)
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
Figure 196 SECURITY > CERTIFICATES > My Certificates > Export
The following table describes the labels in this screen.
Table 106 SECURITY > CERTIFICATES > My Certificates > Export
Export the certificate in binary X.509 format: Binary X.509 is an ITU-T recommendation that defines the formats for...
Note: You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL (the certification request contains the private key). The certificate you import replaces the corresponding request in the My Certificates screen. One exception is that you can import a PKCS#12 format certificate without a corresponding certification request since the certificate includes the private key.
Figure 197 SECURITY > CERTIFICATES > My Certificates > Import
The following table describes the labels in this screen.
Table 107 SECURITY > CERTIFICATES > My Certificates > Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
The following table describes the labels in this screen.
Table 108 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12
Password: Type the file’s password that was created when the PKCS #12 file was exported.
Apply: Click Apply to save the certificate on the ZyWALL.
The following table describes the labels in this screen.
Table 109 SECURITY > CERTIFICATES > My Certificates > Create
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Table 109 SECURITY > CERTIFICATES > My Certificates > Create (continued)
Enrollment Protocol: Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco.
Figure 200 SECURITY > CERTIFICATES > Trusted CAs
The following table describes the labels in this screen.
Table 110 SECURITY > CERTIFICATES > Trusted CAs
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
Table 110 SECURITY > CERTIFICATES > Trusted CAs (continued)
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen.
Figure 201 SECURITY > CERTIFICATES > Trusted CAs > Details
The following table describes the labels in this screen.
Table 111 SECURITY > CERTIFICATES > Trusted CAs > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
Table 111 SECURITY > CERTIFICATES > Trusted CAs > Details (continued)
Certification Path: Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
Table 111 SECURITY > CERTIFICATES > Trusted CAs > Details (continued)
CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
Figure 202 SECURITY > CERTIFICATES > Trusted CAs > Import
The following table describes the labels in this screen.
Table 112 SECURITY > CERTIFICATES > Trusted CAs > Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Figure 203 SECURITY > CERTIFICATES > Trusted Remote Hosts
The following table describes the labels in this screen.
Table 113 SECURITY > CERTIFICATES > Trusted Remote Hosts
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
Table 113 SECURITY > CERTIFICATES > Trusted Remote Hosts (continued)
Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL.
Refresh: Click this button to display the current validity status of the certificates.
The following table describes the labels in this screen.
Table 114 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Figure 205 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
The following table describes the labels in this screen.
Table 115 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
Table 115 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued)
Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate.
Table 115 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued)
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
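The following Python functions are an added example, not ZyWALL code. They serve two passages above: the thumbprint check in step 4 of the certificate import procedure, and the PEM (Base-64) encoding just described. The functions strip the PEM armour to recover the DER bytes, compute the thumbprint as a hash over those DER bytes (SHA-1 or SHA-256, formatted as colon-separated hex the way the details screen shows it), and compare a thumbprint received out of band in constant time. The PEM block is constructed from arbitrary bytes rather than a real certificate so that the script runs offline; the logic is the same for a real certificate.

```python
"""PEM decoding and certificate thumbprint verification.
Added example, not ZyWALL code. SAMPLE_DER is constructed filler, not an
X.509 certificate; thumbprint() works the same on real DER."""
import base64
import hashlib
import hmac
import re

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(text):
    """Strip the PEM armour and Base64-decode the body. Returns (label, der)."""
    m = _PEM.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())            # drop line breaks
    return m.group(1), base64.b64decode(body, validate=True)


def der_to_pem(der, label="CERTIFICATE"):
    """Encode binary DER as PEM: Base64 text wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def thumbprint(der, algorithm="sha1"):
    """Thumbprint = hash of the DER encoding, shown as AB:CD:... hex pairs."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(s):
    return "".join(ch for ch in s.lower() if ch in "0123456789abcdef")


def thumbprint_matches(der, expected, algorithm="sha1"):
    """Compare against a thumbprint obtained out of band (read over the phone,
    fetched over HTTPS). Ignores colons, spaces and case; constant-time compare."""
    return hmac.compare_digest(_hex_only(thumbprint(der, algorithm)), _hex_only(expected))


# Constructed sample: arbitrary bytes standing in for DER, not a certificate.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate " * 2
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
```

Verify the thumbprint before clicking Apply on the import screen: a certificate whose thumbprint the owner cannot confirm through an independent channel should not be added to Trusted CAs or Trusted Remote Hosts.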
The following table describes the labels in this screen.
Table 116 SECURITY > CERTIFICATES > Directory Servers
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
The following table describes the labels in this screen.
Table 117 SECURITY > CERTIFICATES > Directory Server > Add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
CHAPTER 20 Authentication Server
This chapter discusses how to configure the ZyWALL’s authentication server feature.
20.1 Authentication Server Overview
A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
The following table describes the labels in this screen.
Table 118 SECURITY > AUTH SERVER > Local User Database
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile.
The following table describes the labels in this screen.
Table 119 SECURITY > AUTH SERVER > RADIUS
Authentication Server
Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
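The following Python script is an added example, not ZyWALL code. It builds and parses a RADIUS Access-Request (RFC 2865) to show the role of the shared secret that the ZyWALL and the RADIUS server must both be configured with: the User-Password attribute is hidden with MD5 of the secret and the Request Authenticator, so a server with a different secret recovers garbage. The user names, passwords and secret are constructed sample values.

```python
"""RADIUS Access-Request construction and parsing (RFC 2865).
Added example, not ZyWALL code; all credentials below are constructed samples."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-octet multiple (at least 16), then
    c_i = p_i XOR MD5(secret + c_(i-1)) with c_0 = Request Authenticator."""
    padded = password + b"\x00" * max(16 - len(password), -len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def _reveal_password(hidden, secret, authenticator):
    """Inverse of _hide_password, as done by the RADIUS server. Trailing NUL
    padding is stripped, so passwords ending in NUL bytes cannot be represented."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind, value):
    """Type-Length-Value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Wire format: code, identifier, length, 16-byte authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, _hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Rejects packets whose length field or attribute lengths are inconsistent."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        kind, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((kind, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, authenticator, attrs


def server_side_password(packet, secret):
    """What a server holding `secret` recovers from the User-Password attribute."""
    _, _, authenticator, attrs = parse_packet(packet)
    return _reveal_password(dict(attrs)[ATTR_USER_PASSWORD], secret, authenticator)
```

The hiding scheme is only as strong as the shared secret and the MD5 chain, and the rest of the packet is unauthenticated; keep the path between the ZyWALL and the RADIUS server on a trusted network and use a long, random shared secret.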
ZyWALL 5/35/70 Series User’s Guide H A P T E R Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 21.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
ZyWALL 5/35/70 Series User’s Guide 21.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
ZyWALL 5/35/70 Series User’s Guide 21.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 211 NAT Application With IP Alias Chapter 21 Network Address Translation (NAT)
ZyWALL 5/35/70 Series User’s Guide 21.1.5 Port Restricted Cone NAT ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network.
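As an added illustration (not code from the ZyWALL or this guide), the following Python model of a port restricted cone NAT shows the two properties the section describes: one internal (IP, port) pair always gets the same external port whatever the destination, and an inbound packet to that port is accepted only from a remote (IP, port) pair the inside host has already sent to. The public address and port numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class PortRestrictedConeNAT:
    """Minimal model of a port restricted cone NAT (not the ZyWALL's own implementation).

    mappings:  internal (ip, port) -> external port on public_ip.  The "cone"
               property: the same internal pair reuses the same external port
               for every destination it talks to.
    permitted: external port -> set of remote (ip, port) pairs that the inside
               host has sent to; only those pairs may send traffic back in.
    """
    public_ip: str
    next_port: int = 40000  # constructed: first external port handed out
    mappings: Dict[Endpoint, int] = field(default_factory=dict)
    reverse: Dict[int, Endpoint] = field(default_factory=dict)
    permitted: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the external (ip, port) it leaves with."""
        if src not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[src] = port
            self.reverse[port] = src
            self.permitted[port] = set()
        port = self.mappings[src]
        # Remember exactly which remote IP *and* port was contacted.
        self.permitted[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Return the internal (ip, port) to forward to, or None if the packet is dropped.

        Dropped when the external port has no mapping (unsolicited traffic) or
        when the remote IP/port pair never received a packet through this
        mapping.  A plain restricted cone NAT would check only the remote IP;
        checking the remote port too is what makes this "port restricted".
        """
        if ext_port not in self.reverse:
            return None
        if src not in self.permitted[ext_port]:
            return None
        return self.reverse[ext_port]


if __name__ == "__main__":
    nat = PortRestrictedConeNAT("203.0.113.5")          # constructed public address
    print(nat.outbound(("192.168.1.10", 5060), ("198.51.100.1", 80)))
    print(nat.inbound(("198.51.100.1", 80), 40000))      # forwarded to 192.168.1.10:5060
    print(nat.inbound(("198.51.100.1", 8080), 40000))    # None: same host, different port
```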
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.
Note: Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.

21.3 NAT Overview Screen
Click ADVANCED > NAT to open the NAT Overview screen. Not all fields are available on all models.
Figure 213 ADVANCED > NAT > NAT Overview
The following table describes the labels in this screen.
Table 122 ADVANCED >...

Table 122 ADVANCED > NAT > NAT Overview (continued)
WAN 1, 2
Enable NAT: Select this check box to turn on the NAT feature for the WAN port. Clear this check box to turn off the NAT feature for the WAN port.
Address Mapping Rules: Select SUA to have the ZyWALL use its permanent, pre-defined NAT address...

Figure 214 ADVANCED > NAT > Address Mapping
The following table describes the labels in this screen.
Table 123 ADVANCED > NAT > Address Mapping
SUA Address Mapping Rules: This read-only table displays the default address mapping rules.
Full Feature Address...

Table 123 ADVANCED > NAT > Address Mapping (continued)
Global Start IP: This refers to the Inside Global IP Address (IGA), that is, the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.

The following table describes the labels in this screen.
Table 124 ADVANCED > NAT > Address Mapping > Edit
Type: Choose the port mapping type from one of the following.
1. One-to-One: One-to-One mode maps one local IP address to one global IP address.

21.5.1 Default Server IP Address
In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

Figure 216 Multiple Servers Behind NAT Example
21.5.4 NAT and Multiple WAN
The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port.
21.5.5 Port Translation
The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the...

Figure 217 Port Translation Example
21.6 Port Forwarding Screen
Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. Not all fields are available on all models.
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

Figure 218 ADVANCED > NAT > Port Forwarding
The following table describes the labels in this screen.
Table 126 ADVANCED > NAT > Port Forwarding
WAN Interface: Select the WAN port for which you want to view or configure address mapping rules.
Default Server: In addition to the servers for specified services, NAT supports a default server.

Table 126 ADVANCED > NAT > Port Forwarding (continued)
Server IP Address: Enter the inside IP address of the server here.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

21.7 Port Triggering
Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.

4 The ZyWALL forwards the traffic to Jane’s computer IP address.
5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).

Table 127 ADVANCED > NAT > Port Triggering
End Port: Type a port number or the ending port number in a range of port numbers.
Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
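The port triggering sequence above (trigger port arms the rule, the ZyWALL records one LAN IP, replies on the incoming range go only to that host until the entry times out) as an added Python model; this is illustration code, not the ZyWALL's implementation. The Real Audio rule's port numbers, the LAN addresses and the choice to time out on inactivity using the trigger packet's protocol are constructed assumptions; the three-minute UDP and two-hour TCP values are the ones the section quotes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Idle timeouts quoted in the section: three minutes for UDP, two hours for TCP.
TIMEOUT_SECONDS = {"udp": 3 * 60, "tcp": 2 * 60 * 60}


@dataclass
class TriggerRule:
    name: str
    trigger_start: int   # outgoing traffic to this range "arms" the rule
    trigger_end: int
    incoming_start: int  # server traffic arriving on this range is forwarded
    incoming_end: int


@dataclass
class ArmedRule:
    rule: TriggerRule
    lan_ip: str      # the single LAN computer recorded for this rule
    protocol: str    # protocol of the trigger packet (selects the timeout)
    last_seen: float


class PortTriggerTable:
    """Model of the port triggering behaviour described in Section 21.7."""

    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = rules
        self.armed: List[ArmedRule] = []

    def _expire(self, now: float) -> None:
        # Drop entries idle for longer than the protocol's timeout.
        self.armed = [a for a in self.armed
                      if now - a.last_seen <= TIMEOUT_SECONDS[a.protocol]]

    def outbound(self, lan_ip: str, dst_port: int, protocol: str, now: float) -> Optional[str]:
        """Steps 1-2: a LAN host sends to a trigger port.  Returns the LAN IP that
        now holds the rule.  An already-armed rule keeps its original host until
        the entry closes or times out (the section's "only Jane" statement), so
        a second host's trigger packet does not take the rule over."""
        self._expire(now)
        for rule in self.rules:
            if rule.trigger_start <= dst_port <= rule.trigger_end:
                for armed in self.armed:
                    if armed.rule is rule:
                        if armed.lan_ip == lan_ip:
                            armed.last_seen = now
                        return armed.lan_ip
                self.armed.append(ArmedRule(rule, lan_ip, protocol, now))
                return lan_ip
        return None  # not a trigger port: ordinary NAT handles it

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Steps 3-5: traffic from the server on an incoming port is forwarded to
        the recorded LAN IP, or dropped when no rule is armed for that port."""
        self._expire(now)
        for armed in self.armed:
            r = armed.rule
            if r.incoming_start <= dst_port <= r.incoming_end:
                armed.last_seen = now
                return armed.lan_ip
        return None


if __name__ == "__main__":
    # Constructed rule: trigger on 7070, forward replies on 6970-7170.
    table = PortTriggerTable([TriggerRule("Real Audio", 7070, 7070, 6970, 7170)])
    print(table.inbound(7000, 0.0))                              # None: nothing armed yet
    print(table.outbound("192.168.1.33", 7070, "tcp", 0.0))      # Jane arms the rule
    print(table.inbound(7000, 10.0))                             # forwarded to Jane
    print(table.inbound(7000, 10.0 + 2 * 3600 + 1))              # None: timed out
```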
CHAPTER 22 Static Route
This chapter shows you how to configure static routes for your ZyWALL.
22.1 IP Static Route
Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.

Figure 222 ADVANCED > STATIC ROUTE > IP Static Route
The following table describes the labels in this screen.
Table 128 ADVANCED > STATIC ROUTE > IP Static Route
#: This is the number of an individual static route.
Name: This is the name that describes or identifies this route.

Table 128 ADVANCED > STATIC ROUTE > IP Static Route (continued)
Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.

Table 129 ADVANCED > STATIC ROUTE > IP Static Route > Edit
Metric: Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.

CHAPTER 23 Policy Route
This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70.
23.1 Policy Route
Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.

IPPR follows the existing packet filtering facility of RAS in style and in implementation.
23.4 IP Routing Policy Setup
Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown).
Figure 224 ADVANCED >...

The following table describes the labels in this screen.
Table 130 ADVANCED > POLICY ROUTE > Policy Route Summary
#: This is the number of an individual policy route.
Active: This field shows whether the policy is active or inactive.
Source Address/...: This is the source IP address range and/or port number range.

Figure 225 Edit IP Policy Route
The following table describes the labels in this screen.
Table 131 ADVANCED > POLICY ROUTE > Edit
Criteria
Active: Select the check box to activate the policy.
Rule Index: This is the index number of the policy route.

Table 131 ADVANCED > POLICY ROUTE > Edit (continued)
Packet Length: Type a length of packet (in bytes). The operators in the Len Compare field apply to incoming packets of this length.
Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.

CHAPTER 24 Bandwidth Management
This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes.
24.1 Bandwidth Management Overview
Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic.

24.3 Proportional Bandwidth Allocation
Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.
24.4 Application-based Bandwidth Management
You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).

24.6 Application and Subnet-based Bandwidth Management
You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
Table 132 Application and Subnet-based Bandwidth Management Example
TRAFFIC TYPE FROM SUBNET A...

When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels.

24.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.
Table 134 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES, PRIORITIES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: Priority 4, 1024 kbps...

24.8 Bandwidth Borrowing
Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class’s unused bandwidth.

• The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
• The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
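The two borrowing rules just stated (a class borrows only if borrowing is enabled on itself, and a class with borrowing disabled blocks its children from reaching anything above it) as an added Python model; this is illustration code, not the ZyWALL's scheduler. The class tree, budgets and demands are constructed to match the Bill and Amy statements (the 10240 kbps root budget is the figure from Table 134), and the allocation pass deliberately ignores priorities and maximize bandwidth usage.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BwClass:
    """A bandwidth class (root, class or sub-class) with its budget and borrowing setting."""
    name: str
    budget_kbps: int
    borrow: bool                       # this class's own "bandwidth borrowing" setting
    parent: Optional["BwClass"] = None
    children: List["BwClass"] = field(default_factory=list)

    def add(self, child: "BwClass") -> "BwClass":
        child.parent = self
        self.children.append(child)
        return child


def leaves(node: BwClass) -> List[BwClass]:
    """Classes that actually carry traffic (assumption: only leaf classes do)."""
    if not node.children:
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def find(node: BwClass, name: str) -> BwClass:
    if node.name == name:
        return node
    for child in node.children:
        try:
            return find(child, name)
        except KeyError:
            pass
    raise KeyError(name)


def borrowable_ancestors(cls: BwClass) -> List[str]:
    """Ancestors whose unused bandwidth cls may borrow, nearest first.

    Walk upward while borrowing is enabled on the current class: with it
    disabled, a class takes nothing from its parent and also stops its own
    descendants from borrowing anything above it.
    """
    names = []
    node = cls
    while node.borrow and node.parent is not None:
        names.append(node.parent.name)
        node = node.parent
    return names


def allocate(root: BwClass, demand_kbps: Dict[str, int]) -> Dict[str, int]:
    """Give each leaf min(demand, budget), then let leaves with unmet demand
    borrow from eligible ancestors' unused bandwidth (budget not consumed by
    anything beneath them).  Leaves are served in tree order; priorities and
    'maximize bandwidth usage' are not modelled."""
    alloc = {leaf.name: min(demand_kbps.get(leaf.name, 0), leaf.budget_kbps)
             for leaf in leaves(root)}

    def unused(node: BwClass) -> int:
        return node.budget_kbps - sum(alloc[leaf.name] for leaf in leaves(node))

    for leaf in leaves(root):
        shortfall = demand_kbps.get(leaf.name, 0) - alloc[leaf.name]
        node = leaf
        # Same walk as borrowable_ancestors(): stop at the first class with
        # borrowing disabled.
        while shortfall > 0 and node.borrow and node.parent is not None:
            node = node.parent
            take = min(shortfall, unused(node))
            if take > 0:
                alloc[leaf.name] += take
                shortfall -= take
    return alloc


def example_tree() -> BwClass:
    """Constructed tree mirroring the section: Bill cannot reach Root because
    Sales has borrowing disabled; Amy has borrowing disabled and borrows nothing."""
    root = BwClass("Root", 10240, borrow=False)
    sales = root.add(BwClass("Sales", 4096, borrow=False))
    sales.add(BwClass("Bill", 1024, borrow=True))
    sales_usa = sales.add(BwClass("Sales USA", 2048, borrow=True))
    sales_usa.add(BwClass("Amy", 1024, borrow=False))
    return root


if __name__ == "__main__":
    tree = example_tree()
    print(borrowable_ancestors(find(tree, "Bill")))   # ['Sales']: Root is out of reach
    print(borrowable_ancestors(find(tree, "Amy")))    # []: borrowing disabled on Amy
    print(allocate(tree, {"Bill": 3000, "Amy": 3000}))
```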
If you use VoIP and NetMeeting at the same time, the device allocates up to 500 Kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth.

Table 138 ADVANCED > BW MGMT > Summary (continued)
Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface’s root class (see Section 24.12 on page 431).

Figure 228 ADVANCED > BW MGMT > Class Setup
The following table describes the labels in this screen.
Table 139 ADVANCED > BW MGMT > Class Setup
Interface: Select an interface for which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming.

Table 139 ADVANCED > BW MGMT > Class Setup (continued)
Service: This is the service that this bandwidth management class is configured to manage.
Destination IP Address: This is the destination IP address for connections to which this bandwidth management class applies.

Figure 229 ADVANCED > BW MGMT > Class Setup > Add Sub-Class
The following table describes the labels in this screen.
Table 140 ADVANCED > BW MGMT > Class Setup > Add Sub-Class
Class Configuration
Class Name: Use the auto-generated name or enter a descriptive name of up to 20...

Table 140 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued)
Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).

Table 140 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued)
Source End Address / Subnet Mask: If you are configuring a range of IP addresses, enter the ending IP address here.

Figure 230 ADVANCED > BW MGMT > Class Setup > Statistics
The following table describes the labels in this screen.
Class Name: This field displays the name of the class the statistics page is showing.
Budget (kbps): This field displays the amount of bandwidth allocated to the class.

Figure 231 ADVANCED > BW MGMT > Monitor
The following table describes the labels in this screen.

CHAPTER 25 DNS
This chapter shows you how to configure the DNS screens.
25.1 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.

25.4 Address Record
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www”...

Figure 232 Private DNS Server Example
Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.

The following table describes the labels in this screen.
Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.

An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or another device to keep a record of DNS names and addresses that people on your network may use frequently. If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server.

Figure 235 ADVANCED > DNS > Insert (Name Server Record)
The following table describes the labels in this screen.
Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

25.7 DNS Cache
DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period.

The following table describes the labels in this screen.
DNS Cache Setup
Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.

Figure 237 ADVANCED > DNS > DHCP
The following table describes the labels in this screen.
DNS Servers Assigned by DHCP: The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.

25.10 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.

Figure 238 ADVANCED > DNS > DDNS
The following table describes the labels in this screen.
Account Setup
Active: Select this check box to use dynamic DNS.
Service Provider: This is the name of your Dynamic DNS service provider.
Username: Enter your user name.

IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address.
CHAPTER 26 Remote Management
This chapter provides information on the Remote Management screens.
26.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.

1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secure Client IP Address field does not match the client IP address.

Figure 239 HTTPS Implementation
Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts.
26.3 WWW
Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to configure the ZyWALL’s HTTP and HTTPS management settings.

Figure 240 ADVANCED > REMOTE MGMT > WWW
The following table describes the labels in this screen.
Table 143 ADVANCED > REMOTE MGMT > WWW
HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).

Table 143 ADVANCED > REMOTE MGMT > WWW (continued)
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.

26.4.2 Netscape Navigator Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.

26.4.3 Avoiding the Browser Warning Messages
The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
• The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.

Figure 244 Login Screen (Internet Explorer)
Figure 245 Login Screen (Netscape)
Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.

Figure 246 Replace Certificate
Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.
Figure 247 Device-specific Certificate
Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate.

Figure 248 Common ZyWALL Certificate
26.5 SSH
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
Figure 249 SSH Communication Example
26.6 How SSH Works
The following table summarizes how a secure connection is established between two remote...

Figure 250 How SSH Works
1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.

26.7.1 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
26.8 Configuring SSH
Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings.

26.9 Secure Telnet Using SSH Examples
This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide.
26.9.1 Example 1: Microsoft Windows
This section describes how to access the ZyWALL using the Secure Shell Client program.

Figure 253 SSH Example 2: Test
$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.5-1.0.0
2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.

Figure 255 Secure FTP: Firmware Upload Example
$ sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.

Figure 257 ADVANCED > REMOTE MGMT > Telnet
The following table describes the labels in this screen.
Table 145 ADVANCED > REMOTE MGMT > Telnet
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.

Figure 258 ADVANCED > REMOTE MGMT > FTP
The following table describes the labels in this screen.
Table 146 ADVANCED > REMOTE MGMT > FTP
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.

Figure 259 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.

26.14.1 Supported MIBs
The ZyWALL supports MIB II, which is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
26.14.2 SNMP Traps
The ZyWALL will send traps to the SNMP manager when any one of the following events occurs:
Table 147 SNMP Traps...

Figure 260 ADVANCED > REMOTE MGMT > SNMP
The following table describes the labels in this screen.
Table 148 ADVANCED > REMOTE MGMT > SNMP
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.

26.15 DNS
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 8 on page 147 for more information. Click ADVANCED > REMOTE MGMT > DNS to change your ZyWALL’s DNS settings. Use this screen to set from which IP address the ZyWALL will accept DNS queries and on which interface it can receive them.

If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not make any configuration changes directly on the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
26.17 Configuring CNM
Vantage CNM is disabled on the device by default.

Table 150 ADVANCED > REMOTE MGMT > CNM (continued)
Last Registration Time: This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
ZyWALL 5/35/70 Series User’s Guide H A P T E R UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 27.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
ZyWALL 5/35/70 Series User’s Guide When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration.
ZyWALL 5/35/70 Series User’s Guide Table 151 ADVANCED > UPnP LABEL DESCRIPTION Allow users to make Select this check box to allow UPnP-enabled applications to automatically configuration configure the ZyWALL so that they can communicate through the ZyWALL, changes through for example by using NAT traversal, UPnP applications automatically reserve UPnP a NAT forwarding port in order to communicate with another UPnP enabled...
ZyWALL 5/35/70 Series User’s Guide The following table describes the labels in this screen. Table 152 ADVANCED > UPnP > Ports LABEL DESCRIPTION Reserve UPnP Select this check box to have the ZyWALL retain UPnP created NAT rules even NAT rules in flash after restarting.
ZyWALL 5/35/70 Series User’s Guide 27.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
ZyWALL 5/35/70 Series User’s Guide 27.4.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
ZyWALL 5/35/70 Series User’s Guide 27.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double- click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
ZyWALL 5/35/70 Series User’s Guide Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
Page 483
ZyWALL 5/35/70 Series User’s Guide Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network.
Page 484
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.

CHAPTER 28
ALG Screen
This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.
28.1 ALG Introduction
An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer.

If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN port to have the connection go through the secondary WAN port. When the ZyWALL uses both of the WAN ports at the same time, you can configure routing policies to specify the WAN port that the connection’s traffic is to use.

Figure 265 H.323 ALG Example
• With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ).

Figure 267 H.323 Calls from the WAN with Multiple Outgoing Calls
• The H.323 ALG operates on TCP packets with a port 1720 destination.
• The ZyWALL allows H.323 audio connections.
• The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.

The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server (1).
Figure 268 SIP ALG Example
28.5.3 SIP Signaling Session Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.

Figure 269 ADVANCED > ALG
The following table describes the labels in this screen.
Table 153 ADVANCED > ALG
Enable FTP: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.

CHAPTER 29
Reports
This chapter contains information about the ZyWALL’s system and threat reports.
29.1 Configuring Reports
The System Reports screens display statistics about the network usage of the LAN, DMZ or WLAN computers.

Figure 270 REPORTS > SYSTEM REPORTS
Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps.
The following table describes the labels in this screen.
Table 154 REPORTS > SYSTEM REPORTS
Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.

29.2.1 Viewing Web Site Hits
In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.

29.2.2 Viewing Host IP Address
In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.

29.2.3 Viewing Protocol/Port
In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
Figure 273 REPORTS >...

29.2.4 System Reports Specifications
The following table lists detailed specifications on the reports feature.
Table 158 Report Specifications
Number of web sites/protocols or ports/IP addresses listed:
Hit count limit: Up to 2^32 hits can be counted per web site. The count starts over at 0 if it passes four billion.

The following table describes the labels in this screen.
Table 159 REPORTS > THREAT REPORTS > IDP
Collect Statistics: Select this check box to have the ZyWALL collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.

The following table describes the labels in this screen.
Table 160 REPORTS > THREAT REPORTS > Anti-Virus
Collect Statistics: Select this check box to have the ZyWALL collect anti-virus statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.

Figure 279 REPORTS > THREAT REPORTS > Anti-Virus > Destination
29.5 Anti-Spam Threat Reports Screen
Click REPORTS > THREAT REPORTS > Anti-Spam to display the Threat Reports Anti-Spam screen. This screen displays anti-spam statistics.
Figure 280 REPORTS > THREAT REPORTS > Anti-Spam
The following table describes the labels in this screen.
Table 161 REPORTS > THREAT REPORTS > Anti-Spam (continued)
Spam Mail Detected: This field displays the number of e-mails that the ZyWALL has classified as spam.
Phishing Mail Detected: This field displays the number of e-mails that the ZyWALL has classified as phishing.
No Score Mail: This field displays the number of e-mails for which the ZyWALL did not receive a...

CHAPTER 30
Logs Screens
This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Section 30.3.1 on page 509 for example log message explanations.
30.1 Configuring View Log
The web configurator allows you to look at all of the ZyWALL’s logs in one location.

The following table describes the labels in this screen.
Table 162 LOGS > View Log
Display: The categories that you select in the Log Settings page (see Section 30.3 on page 506) display in the drop-down list box. Select a category of logs to view;...

Table 163 Log Description Example
notes: The ZyWALL blocked the packet.
message: The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet.

Figure 285 myZyXEL.com: Certificate Download
30.3 Configuring Log Settings
To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send.

The following table describes the labels in this screen.
Table 164 LOGS > Log Settings
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below.

Table 164 LOGS > Log Settings (continued)
Select the categories of logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Table 165 System Maintenance Logs (continued)
LOG MESSAGE / DESCRIPTION
Time initialized by Time server
  The router got the time and date from the time server.
Time initialized by NTP server
  The router got the time and date from the NTP server.
  The router was not able to connect to the Daytime server.

Table 166 System Error Logs
LOG MESSAGE / DESCRIPTION
%s exceeds the max. number of session per host
  This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

Table 167 Access Control Logs (continued)
LOG MESSAGE / DESCRIPTION
Exceed maximum sessions per host (%d).
  The device blocked a session because the host's connections exceeded the maximum sessions per host.
Firewall allowed a packet that
  A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.

Table 169 Packet Filter Logs
LOG MESSAGE / DESCRIPTION
[ TCP | UDP | ICMP | IGMP | Generic ] packet filter
  Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.

Table 172 PPP Logs
LOG MESSAGE / DESCRIPTION
ppp:LCP Starting
  The PPP connection’s Link Control Protocol stage has started.
ppp:LCP Opening
  The PPP connection’s Link Control Protocol stage is opening.
ppp:CHAP Opening
  The PPP connection’s Challenge Handshake Authentication Protocol stage is opening.

Table 174 Content Filtering Logs (continued)
LOG MESSAGE / DESCRIPTION
  When the content filter is not on according to the time schedule or you didn't select the “Block Matched Web Site” check box, the system forwards the web content.
Waiting content filter
  The external content filtering server did not respond within the timeout period.

Table 175 Attack Logs (continued)
LOG MESSAGE / DESCRIPTION
ip spoofing - no routing entry ICMP (type:%d, code:%d)
  The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.
vulnerability ICMP (type:%d, code:%d)
  The firewall detected an ICMP vulnerability attack.
  The firewall detected an ICMP traceroute attack.

Table 176 Remote Management Logs
LOG MESSAGE / DESCRIPTION
Remote Management: SNMP denied
  Attempted use of SNMP service was blocked according to remote management settings.
Remote Management: DNS denied
  Attempted use of DNS service was blocked according to remote management settings.

Table 179 IKE Logs
LOG MESSAGE / DESCRIPTION
Active connection allowed exceeded
  The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Start Phase 2: Quick Mode
  Phase 2 Quick Mode has started.
Verifying Remote ID failed:
  The connection failed during IKE phase 2 because the router...
Table 179 IKE Logs (continued)
LOG MESSAGE / DESCRIPTION
Remote IP <Remote IP> / <Remote IP> conflicts
  The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with static rule #d;...
Table 179 IKE Logs (continued)
LOG MESSAGE / DESCRIPTION
Rule [%d] Phase 2 authentication algorithm mismatch
  The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 2
  The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer.

Table 180 PKI Logs
LOG MESSAGE / DESCRIPTION
Enrollment successful
  The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed
  The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.

CODE / DESCRIPTION
  Algorithm mismatch between the certificate and the search constraints.
  Key usage mismatch between the certificate and the search constraints.
  Certificate was not valid in the time interval.
  (Not used)
  Certificate is not valid.
  Certificate signature was not verified correctly.

Table 181 802.1X Logs (continued)
LOG MESSAGE / DESCRIPTION
Local User Database does not find user`s credential.
  A user was not authenticated by the local user database because the user is not listed in the local user database.
  A user was authenticated by the RADIUS Server.

Table 182 ACL Setting Notes (continued)
PACKET DIRECTION / DIRECTION / DESCRIPTION
(L to L/ZW): LAN to LAN/ZyWALL: ACL set for packets traveling from the LAN to the LAN or the ZyWALL.
(W to W/ZW): WAN to WAN/ZyWALL: ACL set for packets traveling from the WAN to the WAN or the ZyWALL.

Table 183 ICMP Notes (continued)
TYPE / CODE / DESCRIPTION
Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded
Parameter Problem: Pointer indicates the error
Timestamp: Timestamp request message
Timestamp Reply: Timestamp reply message
Information Request: Information request message
Information Reply...

Table 184 IDP Logs (continued)
LOG MESSAGE / DESCRIPTION
Signature update OK - New signature version: <Signature version> Release Date: <Release date>!
  The device updated the signature file successfully. The signature file’s version and release date are included.
  The turbo card is not installed.

Table 185 AV Logs (continued)
LOG MESSAGE / DESCRIPTION
The turbo card is not ready , please insert the card and reboot!
  The turbo card is not installed.
The system is doing signature update now , please wait!
  The device is updating the signature file.
Table 186 AS Logs...
Table 186 AS Logs (continued)
LOG MESSAGE / DESCRIPTION
Remove rating server [%Rating Server IP Address%] from server list!
  The listed server IP address has been removed from the list of anti-spam external database servers.
"This is a phishing mail
  The spam score (listed) for the e-mail with the listed source and subject was higher than the spam score threshold.

30.4 Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session"...

Table 187 Syslog Logs (continued)
LOG MESSAGE / DESCRIPTION
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss
  This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
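The syslog header shape above and the fixed-text log messages in the preceding tables can be turned into a small collector-side parser, as an added example (not ZyXEL's code): it decodes the <Facility*8 + Severity> field and classifies each message against patterns taken from the Access Control, Remote Management, Attack, 802.1X and IKE log tables. The guide does not spell out what follows the timestamp, so the "system name, then message" layout is an assumption, and the sample lines are constructed.

```python
"""Decode ZyWALL-style syslog event lines and tally the documented log messages.

Added example, not ZyXEL code. Assumption: after the timestamp the line carries
the system name ("RAS" when none is configured) and then the message text.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Header shape from the guide: <Facility*8 + Severity>Mon dd hr:mm:ss
# The "<host> <message>" part after the timestamp is an assumed layout.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Message patterns copied from the log tables in this chapter; the guide's
# %d placeholders become capture groups.
PATTERNS = {
    "sessions_per_host": re.compile(r"Exceed maximum sessions per host \((\d+)\)"),
    "remote_mgmt_denied": re.compile(r"Remote Management: (SNMP|DNS) denied"),
    "ip_spoofing": re.compile(r"ip spoofing - no routing entry ICMP \(type:(\d+), code:(\d+)\)"),
    "icmp_vulnerability": re.compile(r"vulnerability ICMP \(type:(\d+), code:(\d+)\)"),
    "local_user_not_found": re.compile(r"Local User Database does not find user`s credential\."),
    "ike_p2_auth_mismatch": re.compile(r"Rule \[(\d+)\] Phase 2 authentication algorithm mismatch"),
}


@dataclass
class Event:
    facility: int
    severity: int
    timestamp: str
    host: str
    kind: str       # key in PATTERNS, or "other" for an undocumented message
    fields: tuple   # values captured in place of the guide's %d placeholders
    message: str


def parse_line(line: str):
    """Return an Event, or None if the line is not a ZyWALL-style event log."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:   # 23 * 8 + 7 is the largest PRI syslog allows
        return None
    kind, fields = "other", ()
    for name, pat in PATTERNS.items():
        hit = pat.search(m.group("msg"))
        if hit:
            kind, fields = name, hit.groups()
            break
    return Event(pri // 8, pri % 8, m.group("ts"), m.group("host"),
                 kind, fields, m.group("msg"))


def summarize(lines):
    """Count documented message kinds per system name; also count unparsable lines."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        counts[(ev.host, ev.kind)] += 1
    return counts, unparsed


def repeated(counts, threshold=2):
    """Return (host, kind) pairs seen at least `threshold` times, for follow-up."""
    return sorted(k for k, n in counts.items() if n >= threshold)


# Constructed sample lines (not captured from a device).
# PRI 134 = facility 16 (local0), severity 6; PRI 132 = facility 16, severity 4.
SAMPLE = [
    "<134>Jan 01 00:03:12 RAS Exceed maximum sessions per host (512).",
    "<134>Jan 01 00:03:13 RAS Exceed maximum sessions per host (512).",
    "<132>Jan 01 00:04:01 RAS Remote Management: SNMP denied",
    "<132>Jan 01 00:04:05 RAS ip spoofing - no routing entry ICMP (type:8, code:0)",
    "<134>Jan 01 00:05:40 RAS Rule [3] Phase 2 authentication algorithm mismatch",
    "<134>Jan 01 00:06:00 RAS Local User Database does not find user`s credential.",
    "not a syslog line at all",
]

if __name__ == "__main__":
    counts, bad = summarize(SAMPLE)
    for (host, kind), n in sorted(counts.items()):
        print(f"{host:6} {kind:22} {n}")
    print("repeated:", repeated(counts))
    print("unparsed lines:", bad)
```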
CHAPTER 31
Maintenance
This chapter displays information on the maintenance screens.
31.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
31.2 General Setup and System Name
General Setup contains administrative and system-related information.

Figure 287 MAINTENANCE > General Setup
The following table describes the labels in this screen.
Table 189 MAINTENANCE > General Setup
General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...

Figure 288 MAINTENANCE > Password
The following table describes the labels in this screen.
Table 190 MAINTENANCE > Password
Old Password: Type the default password or the existing password you use to access the system in this field.

Figure 289 MAINTENANCE > Time and Date
The following table describes the labels in this screen.
Table 191 MAINTENANCE > Time and Date
Current Time and Date
Current Time: This field displays the ZyWALL’s present time.
Current Date: This field displays the ZyWALL’s present date.
Table 191 MAINTENANCE > Time and Date (continued)
Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
Time Protocol: Select the time service protocol that your time server uses.

31.5 Pre-defined NTP Time Server Pools
When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools.

Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
Figure 291 Synchronization is Successful
If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.

Table 192 MAC-address-to-port Mapping Table
HOST / MAC ADDRESS / PORT
  00a0c51234bc
  00a0c51234de
For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.

31.8 Configuring Device Mode (Router)
Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall).

Table 193 MAINTENANCE > Device Mode (Router Mode) (continued)
Router: When the ZyWALL is in router mode, there is no need to select or clear this radio button.
IP Address: Click LAN, WAN, DMZ or WLAN to go to the LAN, WAN, DMZ or WLAN screen where you can view and/or change the corresponding settings.

You can use the firewall and VPN in bridge mode.
Figure 294 MAINTENANCE > Device Mode (Bridge Mode)
The following table describes the labels in this screen.
Table 194 MAINTENANCE > Device Mode (Bridge Mode)
Current Device...

Table 194 MAINTENANCE > Device Mode (Bridge Mode) (continued)
Apply: Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the LAN Interface IP Address field to access the ZyWALL again.

After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again.
Figure 296 Firmware Upload In Process
The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

31.11 Backup and Restore
See Section 47.5 on page 672 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Figure 299 MAINTENANCE >...

31.11.2 Restore Configuration
Load a configuration file from your computer to your ZyWALL.
Table 196 Restore Configuration
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...

Figure 302 Configuration Upload Error
31.11.3 Back to Factory Defaults
Click the Reset button to clear all user-entered configuration information and return the ZyWALL to its factory defaults as shown on the screen. The following warning screen appears.

CHAPTER 32
Introducing the SMT
This chapter explains how to access the System Management Terminal and gives an overview of its menus.
32.1 Introduction to the SMT
The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.

Table 197 Main Menu Commands
OPERATION / KEYSTROKES / DESCRIPTION
Move to a “hidden” menu: Press [SPACE BAR] to change No to Yes, then press [ENTER]. Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes, and then press [ENTER] to go to a “hidden”...

Figure 307 Main Menu (Router Mode)
  Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
  ZyWALL 70 Main Menu
  Getting Started
    1. General Setup
    2. WAN Setup
    3. ...
  Advanced Management
    21. Filter and Firewall Setup
    22. SNMP Configuration

Table 198 Main Menu Summary
NO. / MENU TITLE / FUNCTION
LAN Setup: Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings.
Internet Access Setup: Configure your Internet access setup (Internet address, gateway, login, etc.) with this menu.
Table 199 SMT Menus Overview (continued)
MENUS / SUB MENUS
6 Route Setup (for the ZyWALL 35 and the ZyWALL 70)
  6.1 Route Assessment
  6.2 Traffic Redirect
  6.3 Route Failover
7 Wireless Setup
  7.1 Wireless Setup
    7.1.1 WLAN MAC Address Filter
  7.2 TCP/IP and DHCP...

Table 199 SMT Menus Overview (continued)
MENUS / SUB MENUS
24 System Maintenance
  24.1 System Status
  24.2 System Information and Console Port Speed
    24.2.1 System Information
    24.2.2 Console Port Speed
  24.3 Log and Trace
    24.3.1 View Error Log
    24.3.2 Syslog Logging
    24.3.4 Call-Triggering Packet
  24.4 Diagnostic...

Figure 309 Menu 23: System Password
  Menu 23 - System Password
  Old Password= ?
  New Password= ?
  Retype to confirm= ?
  Enter here to CONFIRM or ESC to CANCEL:
2 Type your existing password and press [ENTER].
3 Type your new system password and press [ENTER].

CHAPTER 33
SMT Menu 1 - General Setup
Menu 1 - General Setup contains administrative and system-related information.
33.1 Introduction to General Setup
Menu 1 - General Setup contains administrative and system-related information.
33.2 Configuring General Setup
1 Enter 1 in the main menu to open Menu 1 - General Setup.

Table 200 Menu 1: General Setup (Router Mode) (continued)
Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…”...

33.2.1 Configuring Dynamic DNS
To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).

Figure 313 Menu 1.1.1: DDNS Host Summary
  Menu 1.1.1 DDNS Host Summary
  Summary
  -------------------------------------------------------
  Hostname=ZyWALL, Type=Dynamic,WC=Yes,Offline=No,Policy=DDNS Server Detect, WAN1, HA=Yes
  -------------------------------------------------------
  Select Command= None
  Select Rule= N/A
  Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.

Figure 314 Menu 1.1.1: DDNS Edit Host
  Menu 1.1.1 - DDNS Edit Host
  Hostname= ZyWALL
  DDNS Type= DynamicDNS
  Enable Wildcard Option= Yes
  Enable Off Line Option= N/A
  Bind WAN= 1
  HA= Yes
  IP Address Update Policy:
    Let DDNS Server Auto Detect= Yes
    Use User-Defined= N/A
    Use WAN IP Address= N/A...
Table 204 Menu 1.1.1: DDNS Edit Host (continued)
IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP address.

CHAPTER 34
WAN and Dial Backup Setup
This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.
34.1 Introduction to WAN and Dial Backup Setup
This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.

The following table describes the fields in this screen.
Table 205 MAC Address Cloning in WAN Setup
(WAN 1/2) MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.

Figure 316 Menu 2: Dial Backup Setup
  Menu 2 - WAN Setup
  WAN 1 MAC Address:
    Assigned By= Factory default
    IP Address= N/A
  WAN 2 MAC Address:
    Assigned By= Factory default
    IP Address= N/A
  Dial-Backup:
    Active= No
    Port Speed= 115200
    AT Command String:...

To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].

Table 208 Advanced WAN Port Setup: Call Control Parameters
Call Control
Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.

Figure 318 Menu 11.3: Remote Node Profile (Backup ISP)
  Menu 11.3 - Remote Node Profile (Backup ISP)
  Rem Node Name=
  Active= No
  Outgoing:
    My Login= ChangeMe
    My Password= ********
    Retype to Confirm= ********
  Edit PPP Options= No
  Edit IP= No
  Edit Script Options= No
  Telco Option:...

Table 209 Menu 11.3: Remote Node Profile (Backup ISP) (continued)
Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 34.8 on page 570 for more information.

Figure 319 Menu 11.3.1: Remote Node PPP Options
  Menu 11.3.1 - Remote Node PPP Options
  Encapsulation= Standard PPP
  Compression= No
  Enter here to CONFIRM or ESC to CANCEL:
This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.

Figure 320 Menu 11.3.2: Remote Node Network Layer Options
  Menu 11.3.2 - Remote Node Network Layer Options
  IP Address Assignment= Static
  Rem IP Addr= 0.0.0.0
  Rem Subnet Mask= 0.0.0.0
  My WAN Addr= 0.0.0.0
  Network Address Translation= SUA Only
  NAT Lookup Set= 255
  Metric= 15
  Private= No...

Table 211 Menu 11.3.2: Remote Node Network Layer Options
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...

You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear. They are replaced with the outgoing login name and password in the remote node when the ZyWALL sees them in a ‘Send’...

The following table describes the fields in this menu.
Table 212 Menu 11.3.3: Remote Node Script
Active: Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.

CHAPTER 35
LAN Setup
This chapter describes how to configure the LAN using Menu 3 - LAN Setup.
35.1 Introduction to LAN Setup
This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.

Figure 324 Menu 3.1: LAN Port Filter Setup
  Menu 3.1 - LAN Port Filter Setup
  Input Filter Sets:
    protocol filters=
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=
  Press ENTER to Confirm or ESC to Cancel:
35.4 TCP/IP and DHCP Ethernet Setup Menu
From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

Figure 326 Menu 3.2: TCP/IP and DHCP Ethernet Setup
  Menu 3.2 - TCP/IP and DHCP Ethernet Setup
  DHCP= Server
  Client IP Pool:
    Starting Address= 192.168.1.33
    Size of Client IP Pool= 128
  TCP/IP Setup:
    IP Address= 192.168.1.1
    IP Subnet Mask= 255.255.255.0
    RIP Direction= Both
    Version= RIP-1...

Table 213 Menu 3.2: DHCP Ethernet Setup Fields
First DNS Server / Second DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).

35.4.1 IP Alias Setup
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Use menu 3.2 to configure the first network.
ZyWALL 5/35/70 Series User’s Guide Table 215 Menu 3.2.1: IP Alias Setup (continued) FIELD DESCRIPTION Outgoing Enter the filter set(s) you wish to apply to the outgoing traffic between this node and Protocol Filters the ZyWALL. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
ZyWALL 5/35/70 Series User’s Guide H A P T E R Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 36.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
ZyWALL 5/35/70 Series User’s Guide The following table describes the fields in this menu. Table 216 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes. Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
ZyWALL 5/35/70 Series User’s Guide 36.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
Figure 330 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
Chapter 37: DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 37.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 331 Menu 5: DMZ Setup Menu 5 - DMZ Setup...
37.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 333 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2.
37.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next.
Chapter 38: Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. This chapter applies to the ZyWALL 35 and ZyWALL 70. 38.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 336 Menu 6: Route Setup Menu 6 - Route Setup 1.
The following table describes the fields in this menu. Table 219 Menu 6.1: Route Assessment FIELD DESCRIPTION Probing WAN 1/2 Press [SPACE BAR] and then press [ENTER] to choose Yes to test your Check Point ZyWALL's WAN accessibility.
Table 220 Menu 6.2: Traffic Redirect FIELD DESCRIPTION Metric This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.5 on page 151). The smaller the number, the higher...
Chapter 39: Wireless Setup Use menu 7 to set up your ZyWALL as the wireless access point. 39.1 Wireless LAN Setup Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 222 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default.
39.1.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication. Follow the steps below to create the MAC address table on your ZyWALL.
Table 223 Menu 7.1.1: WLAN MAC Address Filter FIELD DESCRIPTION Address 1..12 Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the ZyWALL in these address fields. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
Figure 343 Menu 7.2: TCP/IP and DHCP Ethernet Setup Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None TCP/IP Setup: Client IP Pool: Starting Address= N/A IP Address= 0.0.0.0 Size of Client IP Pool= N/A IP Subnet Mask= 0.0.0.0 RIP Direction= None Version= N/A...
Figure 344 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A...
Chapter 40: Remote Node Setup This chapter shows you how to configure a remote node. 40.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
The following table describes the fields in this menu. Table 224 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters.
40.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Figure 347 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe...
40.3.2.3 Metric See Section 8.5 on page 151 for details on the Metric field. Table 225 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
Figure 348 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
Figure 349 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= N/A Rem Subnet Mask= N/A My WAN Addr= N/A Network Address Translation= SUA Only NAT Lookup Set= 255 Metric= 1...
Table 227 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...
Figure 352 Menu 11.1.5: Traffic Redirect Setup Menu 11.1.5 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0 Metric= 14 Check WAN IP Address= 0.0.0.0 Fail Tolerance= 10 Period(sec)= 300 Timeout(sec)= 8 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu.
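The Fail Tolerance, Period and Timeout fields in Figure 352 together decide how long a dead primary WAN link stays in use before traffic moves to the backup gateway. The following Python model is an added example, not ZyNOS code or anything from the guide; it uses the default values shown in the figure, constructed gateway and check addresses from the documentation ranges, and assumes (the page does not say) that one successful check clears the failure count and restores the primary route.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class TrafficRedirect:
    """Parameters of Menu 11.1.5 - Traffic Redirect Setup.

    Defaults mirror Figure 352; the gateway and check addresses are
    constructed sample values, not values from the guide.
    """
    backup_gateway: str = "192.0.2.1"       # constructed sample value
    check_wan_ip: str = "198.51.100.1"      # constructed sample value
    fail_tolerance: int = 10                # Fail Tolerance= 10
    period_sec: int = 300                   # Period(sec)= 300 between checks
    timeout_sec: int = 8                    # Timeout(sec)= 8 to wait for a reply
    consecutive_failures: int = 0
    using_backup: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.fail_tolerance < 1:
            raise ValueError("Fail Tolerance must be at least 1")

    def probe(self, reachable: bool) -> bool:
        """Record one periodic check of check_wan_ip.

        Returns True while traffic is redirected to the backup gateway.
        Assumption (not stated on the page): a successful check clears the
        failure count and restores the primary WAN route.
        """
        if reachable:
            self.consecutive_failures = 0
            if self.using_backup:
                self.using_backup = False
                self.events.append("primary WAN restored")
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.fail_tolerance and not self.using_backup:
                self.using_backup = True
                self.events.append(f"redirected to backup gateway {self.backup_gateway}")
        return self.using_backup

    def worst_case_failover_sec(self) -> int:
        """Upper bound on how long a dead link stays in use before failover.

        The link may die just after a successful check, so the ZyWALL needs up
        to fail_tolerance more periods plus the final probe's timeout to notice.
        """
        return self.fail_tolerance * self.period_sec + self.timeout_sec


def run_probes(tr: TrafficRedirect, results: List[bool]) -> List[bool]:
    """Feed a constructed sequence of probe outcomes; return the redirect state after each."""
    return [tr.probe(r) for r in results]


if __name__ == "__main__":
    tr = TrafficRedirect(fail_tolerance=3, period_sec=60)
    print(run_probes(tr, [False, False, True, False, False, False, True]))
    print(tr.events, tr.worst_case_failover_sec())
```

With the defaults from the figure (tolerance 10, period 300 s, timeout 8 s) the bound is 3008 seconds, so an outage can last close to an hour before redirection; tune the period and tolerance against the false-failover rate of the check address before relying on this for availability.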
Chapter 41: IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 41.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
Figure 354 Menu 12.1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL:...
Chapter 42: Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 42.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
Figure 355 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A...
The following table describes the fields in this menu. Table 230 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION OPTIONS Network Address Translation (OPTIONS: Full Feature) When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see...
42.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 358 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1. NAT_SET 2. example 255. SUA (read only) Enter Menu Selection Number: 42.2.1.1 SUA Address Mapping Set Enter 255 to display the next screen (see also...
Note: Menu 15.1.255 is read-only. Table 231 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
Figure 360 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server Action= None...
Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken. Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule, in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.
Table 233 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Server Mapping This field is available only when you select Server in the Type field. Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…”...
Figure 363 Menu 15.2.1: NAT Server Sets Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel:...
Figure 364 15.2.1.2: NAT Server Configuration 15.2.1.2 - NAT Server Configuration Wan= 1 Index= 2 ------------------------------------------------ Name= 1 Active= Yes Start port= 21 End port= 25 IP Address= 192.168.1.33 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
Figure 365 Menu 15.2.1: NAT Server Setup Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel:...
Figure 367 NAT Example 1 Figure 368 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic...
42.4.2 Example 2: Internet Access with a Default Server Figure 369 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.
1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
Figure 372 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 2 Private= RIP Direction= None Version= N/A...
Figure 374 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 1. 192.168.1.10 10.132.50.1 192.168.1.11 10.132.50.2...
42.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many One-to-One mapping, as port numbers do not change for Many One-to-One (and One-to-One) NAT mapping types.
Figure 378 Example 4: Menu 15.1.1: Address Mapping Rules Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 192.168.1.10 192.168.1.12 10.132.50.1...
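To make the difference between the mapping types concrete, the following Python translator is an added example (not ZyNOS code or anything from the guide) that applies address mapping rules of the Menu 15.1.1 form to outbound packets. It shows why Example 4 chooses Many One-to-One: One-to-One and Many One-to-One keep the source port, while Many-to-One (the SUA case) has to rewrite it so that several inside hosts can share one global address. The Example 4 global range end (10.132.50.3), the SUA global address 203.0.113.5 and the port pool starting at 61000 are constructed values, not from the guide.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class MappingRule:
    """One row of Menu 15.1.1 - Address Mapping Rules."""
    type: str            # "One-to-One", "Many-to-One" or "Many One-to-One"
    local_start: str
    local_end: str
    global_start: str
    global_end: str

    def local_range(self) -> Tuple[IPv4, IPv4]:
        return IPv4(self.local_start), IPv4(self.local_end)

    def global_range(self) -> Tuple[IPv4, IPv4]:
        return IPv4(self.global_start), IPv4(self.global_end)

    def validate(self) -> None:
        lo, hi = self.local_range()
        g0, g1 = self.global_range()
        if hi < lo or g1 < g0:
            raise ValueError(f"inverted range in rule {self}")
        if self.type == "Many One-to-One" and int(hi) - int(lo) != int(g1) - int(g0):
            raise ValueError("Many One-to-One needs equal-sized local and global ranges")
        if self.type == "One-to-One" and (lo != hi or g0 != g1):
            raise ValueError("One-to-One maps exactly one local IP to one global IP")


class OutboundNat:
    """Translate the source of outbound packets according to an address mapping set."""

    def __init__(self, rules: List[MappingRule], first_pat_port: int = 61000):
        for r in rules:
            r.validate()
        self.rules = rules
        # Constructed port pool for Many-to-One; the real pool is not described on the page.
        self._pat_ports = count(first_pat_port)
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        key = (src_ip, src_port)
        if key in self.sessions:
            return self.sessions[key]          # an existing session keeps its mapping
        ip = IPv4(src_ip)
        for r in self.rules:                   # first matching rule wins
            lo, hi = r.local_range()
            if not lo <= ip <= hi:
                continue
            g0, _ = r.global_range()
            if r.type == "One-to-One":
                mapped = (str(g0), src_port)                          # port unchanged
            elif r.type == "Many One-to-One":
                mapped = (str(g0 + (int(ip) - int(lo))), src_port)    # same offset, port unchanged
            elif r.type == "Many-to-One":
                mapped = (str(g0), next(self._pat_ports))             # port rewritten (PAT)
            else:
                raise ValueError(f"unknown mapping type {r.type}")
            self.sessions[key] = mapped
            return mapped
        return (src_ip, src_port)              # no rule matched: packet leaves untranslated


def port_preserved(nat: OutboundNat, src_ip: str, src_port: int) -> bool:
    """True when the application's source port survives translation."""
    return nat.translate(src_ip, src_port)[1] == src_port


# Example 4 as a rule (global end constructed) beside a plain SUA-style rule.
EXAMPLE4 = MappingRule("Many One-to-One", "192.168.1.10", "192.168.1.12", "10.132.50.1", "10.132.50.3")
SUA_LIKE = MappingRule("Many-to-One", "0.0.0.0", "255.255.255.255", "203.0.113.5", "203.0.113.5")
```

Run `OutboundNat([EXAMPLE4]).translate("192.168.1.11", 5000)` and the result is `("10.132.50.2", 5000)`; the same call against `OutboundNat([SUA_LIKE])` returns a rewritten port, which is exactly what breaks the applications Example 4 describes. Note that the firewall rule required by the note in 42.1 is separate from this mapping: translation alone does not admit inbound traffic.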
Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN ports, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and configure trigger port rules for the first or second WAN port.
Chapter 43: Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 43.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
Figure 381 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.
Chapter 44: Filter Configuration This chapter shows you how to create and apply filters. 44.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
44.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
Figure 383 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
44.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 384 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1.
Table 236 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here.
To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets.
Table 238 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Destination IP Addr Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. IP Mask Enter the IP mask to apply to the Destination: IP Addr. Port # Enter the destination port of the packets that you wish to filter.
Figure 387 Executing an IP Filter 44.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
Table 239 Generic Filter Rule Menu Fields FIELD DESCRIPTION More If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.
6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Figure 390 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes...
M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched, no matter whether there are more rules to be checked (there aren’t in this example).
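The More / Action Matched / Action Not Matched semantics described in Table 239 and in the M, m, n notation above are easy to misread, so the following Python model is an added example (not ZyNOS code or anything from the guide) that walks a packet through a filter set the way Figure 383 describes: inactive rules are skipped, a match with More=Yes is handed to the next rule, otherwise the matched or not-matched action decides, and N means check the next rule. The example rule that drops TCP packets to port 23 is constructed in the spirit of Figure 390 (whose port and protocol values are not on this page); treating protocol 0 as "any" and forwarding a packet that reaches the end of the set without a decision are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

TCP, UDP = 6, 17


@dataclass
class Packet:
    protocol: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class TcpIpRule:
    """A Menu 21.1.1.1 TCP/IP filter rule; 0.0.0.0 addresses mean 'ignore this field'."""
    active: bool = True
    protocol: int = 0                # 0 = any protocol (assumption for this example)
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_port_comp: str = "None"      # None, Equal, Not Equal, Less, Greater
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_port_comp: str = "None"
    more: bool = False               # M: pass a matching packet on to the next rule
    action_matched: str = "N"        # m: D (drop), F (forward) or N (check next rule)
    action_not_matched: str = "N"    # n: same choices

    @staticmethod
    def _addr_match(pkt_ip: str, rule_ip: str, mask: str) -> bool:
        if rule_ip == "0.0.0.0":
            return True
        net = ipaddress.ip_network(f"{rule_ip}/{mask}", strict=False)
        return ipaddress.ip_address(pkt_ip) in net

    @staticmethod
    def _port_match(pkt_port: int, rule_port: int, comp: str) -> bool:
        return {"None": True,
                "Equal": pkt_port == rule_port,
                "Not Equal": pkt_port != rule_port,
                "Less": pkt_port < rule_port,
                "Greater": pkt_port > rule_port}[comp]

    def matches(self, p: Packet) -> bool:
        return (self.protocol in (0, p.protocol)
                and self._addr_match(p.dst_ip, self.dst_ip, self.dst_mask)
                and self._port_match(p.dst_port, self.dst_port, self.dst_port_comp)
                and self._addr_match(p.src_ip, self.src_ip, self.src_mask)
                and self._port_match(p.src_port, self.src_port, self.src_port_comp))

    def summary(self) -> str:
        """The 'M m n' letters shown in the filter rules summary menu."""
        return f"{'Y' if self.more else 'N'} {self.action_matched} {self.action_not_matched}"


def apply_filter_set(rules: List[TcpIpRule], p: Packet) -> str:
    """Run one filter set over a packet and return 'forward' or 'drop'."""
    final = {"D": "drop", "F": "forward"}
    for rule in rules:
        if not rule.active:
            continue
        if rule.matches(p):
            if rule.more:
                continue                 # matched, but More=Yes: the next rule decides
            verdict = rule.action_matched
        else:
            verdict = rule.action_not_matched
        if verdict in final:
            return final[verdict]
        # verdict "N": check the next rule
    return "forward"                     # assumption: end of set without a decision


# Constructed rule in the spirit of Figure 390: M=N, m=D, n=F; drop TCP to port 23.
TELNET_DROP = TcpIpRule(protocol=TCP, dst_port=23, dst_port_comp="Equal",
                        more=False, action_matched="D", action_not_matched="F")
# Two-rule chain: only LAN sources are handed on (More=Yes) to a rule that drops FTP.
LAN_ONLY = TcpIpRule(src_ip="192.168.1.0", src_mask="255.255.255.0", more=True)
FTP_DROP = TcpIpRule(protocol=TCP, dst_port=21, dst_port_comp="Equal",
                     action_matched="D", action_not_matched="F")
```

Because n = F forwards immediately, a single rule like TELNET_DROP forwards everything that is not Telnet even when later rules in the set would have dropped it; use N for the not-matched action when the rest of the set is meant to be consulted.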
44.5.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed. • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
6 The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database. 44.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
Chapter 45: SNMP Configuration This chapter explains SNMP configuration menu 22. 45.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
Table 240 SNMP Configuration Menu Fields (continued) FIELD DESCRIPTION Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
Chapter 46: System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 46.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 398 Menu 24.1: System Maintenance: Status Menu 24.1 - System Maintenance - Status 08:17:55 Wed.
Table 242 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION Rx B/s This field shows the reception speed in Bytes per second on this port. Up Time This is the total amount of time the line has been up. Ethernet Address This is the MAC address of the port listed on the left.
Figure 400 Menu 24.2.1: System Maintenance: Information Menu 24.2.1 - System Maintenance - Information Name: Routing: IP ZyNOS F/W Version: V4.00(WM.0)b2 | 07/25/2005 Country Code: 255 Ethernet Address: 00:A0:C5:01:23:45 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: The following table describes the fields in this screen.
Figure 401 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. 46.4 Log and Trace There are two logging facilities in the ZyWALL.
Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message formats are shown next: 1 CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board...
Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol ("TCP","UDP","ICMP")
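Filter log messages are the record of what the filter sets actually did, so they are worth parsing on the syslog server rather than only reading by eye. The following Python parser is an added example, not ZyNOS code or anything from the guide: it matches the filter log String format above, and the two summaries show the two questions an operator usually asks of it (which sources are being dropped, and which set/rule fired). The syslog lines are constructed samples using documentation address ranges; accepting an 'n' (not matched) letter beside 'm' is an assumption modelled on the filter rules summary notation, since the page only shows the matched case.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Shape of the filter log String:
#   IP[Src=a.b.c.d Dst=a.b.c.d prot spo=NNNN dpo=NNNN] S04>R01mD
# S = filter set, R = rule, m = matched, D = drop / F = forward / N = check next.
# 'n' (not matched) is an assumption; the page only shows 'm'.
FILTER_LOG_RE = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<prot>TCP|UDP|ICMP) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<fset>\d+)>R(?P<rule>\d+)(?P<matched>[mn])(?P<action>[DFN])"
)
ACTIONS = {"D": "drop", "F": "forward", "N": "check next"}


def parse_filter_log(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one filter log line, or None if the line is not one."""
    m = FILTER_LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": m["src"], "dst": m["dst"], "prot": m["prot"],
        "spo": int(m["spo"]), "dpo": int(m["dpo"]),
        "filter_set": int(m["fset"]), "rule": int(m["rule"]),
        "matched": m["matched"] == "m",
        "action": ACTIONS[m["action"]],
    }


# Constructed sample syslog lines (documentation address ranges, not real traffic).
# The last one is CDR-style and must be ignored by the filter log parser.
SAMPLE_LOG: List[str] = [
    "Jul 25 08:17:55 192.168.1.1 ZyWALL: IP[Src=203.0.113.77 Dst=192.168.1.1 TCP spo=51234 dpo=23] S04>R01mD",
    "Jul 25 08:17:56 192.168.1.1 ZyWALL: IP[Src=203.0.113.77 Dst=192.168.1.1 TCP spo=51235 dpo=21] S04>R02mD",
    "Jul 25 08:18:02 192.168.1.1 ZyWALL: IP[Src=198.51.100.9 Dst=192.168.1.33 TCP spo=40001 dpo=80] S04>R03mF",
    "Jul 25 08:18:09 192.168.1.1 ZyWALL: IP[Src=203.0.113.80 Dst=192.168.1.1 UDP spo=5353 dpo=137] S01>R01mD",
    "Jul 25 08:18:10 192.168.1.1 ZyWALL: board 0 line 1 channel 0, call 7, C01 Outgoing Call dev=2 ch=0",
]


def dropped_by_source(lines: Iterable[str]) -> Counter:
    """Count dropped packets per source address: a quick view of who is being blocked."""
    c: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop":
            c[rec["src"]] += 1
    return c


def rule_hits(lines: Iterable[str]) -> Counter:
    """Count how often each (filter set, rule) fired; rules that never fire can be reviewed."""
    c: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec:
            c[(rec["filter_set"], rec["rule"])] += 1
    return c
```

The parser uses `search` rather than `match` so the syslog timestamp and host prefix added by the receiving server do not matter; anything that does not carry the `IP[...]` header, such as a CDR message, is simply skipped.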
46.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Figure 405 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Time: 17:02:44.262...
1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 406 Menu 24.4: System Maintenance: Diagnostic Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1.
Table 245 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings.
Chapter 47: Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 47.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware.
The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
Figure 408 Telnet into Menu 24.5 Menu 24.5 - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root"...
47.3.3 Example of FTP Commands from the Command Line Figure 409 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds...
4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running. 47.3.6 Backup Configuration Using TFTP The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
47.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 248 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped.
Figure 412 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
Figure 414 Telnet into Menu 24.6 Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
47.4.2 Restore Using FTP Session Example Figure 415 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 419 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot. 47.5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
Figure 420 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
47.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “1234”).
1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address. 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 –...
Figure 423 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2.
Figure 425 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2.
Chapter 48: System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 48.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 428 Valid Commands Copyright (c) 1994 - 2005 ZyXEL Communications Corp. ras> ? Valid commands are:...
Table 249 Valid Commands COMMAND DESCRIPTION These commands configure bandwidth management settings and display bandwidth management information. These commands configure intrusion detection and prevention settings. These commands configure anti-virus settings. These commands configure anti-spam settings. certificates These commands display certificate information and configure certificate settings.
Figure 430 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.WAN_1 No Budget No Budget 2.WAN_2 No Budget No Budget 3.Dial No Budget No Budget Reset Node (0 to update screen): The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
Figure 431 Call History Menu 24.9.2 - Call History Phone Number Rate #call Total Enter Entry to Delete(0 to exit): The following table describes the fields in this screen. Table 251 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here.
Figure 432 Menu 24: System Maintenance Menu 24 - System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode Call Control 10. Time and Date Setting 11.
Table 252 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Table 252 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION End Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October.
Chapter 49: Remote Management This chapter covers remote management found in SMT menu 24.11. 49.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via: •...
Figure 434 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secure Client IP = 0.0.0.0 SSH Server: Certificate = auto_generated_self_signed_cert...
49.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11.
Chapter 50: IP Policy Routing This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70. 50.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.
Table 254 Menu 25: Sample IP Routing Policy Summary (continued) FIELD DESCRIPTION Criteria/Action This displays which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to Table 255 on page 692 for detailed information.
1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).
Table 256 Menu 25.1: IP Routing Policy Setup FIELD DESCRIPTION port start / end Source port number range from start to end; applicable only for TCP/UDP. Destination addr start / end Destination IP address range from start to end. port start / end Destination port number range from start to end;...
Figure 437 Menu 25.1.1: IP Routing Policy Setup Menu 25.1.1 - IP Routing Policy Setup Apply policy to packets received from: LAN= No DMZ= No WLAN= No ALL WAN= Yes Selected Remote Node index= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
Figure 438 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
Figure 439 IP Routing Policy Example 1 Menu 25.1 - IP Routing Policy Setup Rule Index= 1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= Equal Source: addr start= 192.168.1.33 end= 192.168.1.64...
Figure 440 IP Routing Policy Example 2 Menu 25.1 - IP Routing Policy Setup Rule Index= 2 Active= No Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= Equal Source: addr start= 0.0.0.0 end= N/A...
Chapter 51: Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 51.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
Table 258 Schedule Set Setup (continued) FIELD DESCRIPTION Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line.
Figure 444 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
Chapter 52: Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
52.3 Problems with the DMZ Interface Table 261 Troubleshooting the DMZ Interface PROBLEM CORRECTIVE ACTION Cannot access servers on the DMZ from the LAN. Check your Ethernet cable type and connections. Refer to the Quick Start Guide for DMZ connection instructions.
52.5 Problems Accessing the ZyWALL Table 263 Troubleshooting Accessing the ZyWALL PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL. The default password is “1234”. The password field is case sensitive. Make sure that you enter the correct password using the proper casing. Use the Reset button to restore the factory default configuration file.
• Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary. 52.5.1.1 Internet Explorer Pop-up Blockers You may have to disable pop-up blocking to log into your device.
ZyWALL 5/35/70 Series User’s Guide Figure 446 Internet Options: Privacy 3 Click Apply to save this setting. 52.5.1.1.2 Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings…to open the Pop-up Blocker Settings screen.
ZyWALL 5/35/70 Series User’s Guide Figure 447 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites. Chapter 52 Troubleshooting...
ZyWALL 5/35/70 Series User’s Guide Figure 448 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 52.5.1.2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
ZyWALL 5/35/70 Series User’s Guide Figure 449 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window.
ZyWALL 5/35/70 Series User’s Guide Figure 450 Security Settings - Java Scripting 52.5.1.3 Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
ZyWALL 5/35/70 Series User’s Guide Figure 451 Security Settings - Java 52.5.1.3.1 JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window.
ZyWALL 5/35/70 Series User’s Guide Figure 452 Java (Sun) 52.6 Packet Flow The following is the packet check flow on the ZyWALL. LAN/DMZ/WLAN to WAN: LAN/DMZ Data and Call Filtering (in SMT menu 21) -> Firewall -> IDP -> Anti-Virus -> Anti-Spam -> Remote Node Data Filtering (in SMT menu 21) ->...
APPENDIX Product Specifications
See also the Introduction chapter for a general overview of the key features.
Specification Tables
Table 264 Device Specifications
Default IP Address: 192.168.1.1
Default Subnet Mask: 255.255.255.0 (24 bits)
Default Password: 1234...
Table 266 Firmware Features (continued)
Other Protocol Support: PPP (Point-to-Point Protocol) link layer protocol. Transparent bridging for unsupported network layer protocols. DHCP Server/Client/Relay. RIP I/RIP II. ICMP. SNMP v1 and v2c with MIB II support (RFC 1213). IP Multicasting: IGMP v1 and v2, IGMP Proxy. UPnP...
Table 267 Feature Specifications (continued)
Number of Concurrent E-mail Sessions with Anti-Spam Enabled
Number of Anti-Spam Whitelist and Blacklist Entries: 12,288 Kb / 6,144 Kb / 3,072 Kb (per model). Individual entries may vary in size. The total number you can configure...
Note: Only certain ZyXEL wireless LAN cards are compatible with the ZyWALL. Do not force, bend or twist the wireless LAN card or ZyWALL Turbo Card.
Figure 453 WLAN Card Installation
Cable Pin Assignments
In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment).
APPENDIX Hardware Installation
The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation.
General Installation Instructions
Read all the safety warnings at the beginning of this User's Guide before you begin and make sure you follow them.
Figure 456 Attaching Rubber Feet
Note: Do not block the ventilation holes. Leave space between ZyWALLs when stacking.
Rack-mounted Installation Requirements
The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.
Figure 457 Attaching Mounting Brackets and Screws
3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws.
Appendix B Hardware Installation
APPENDIX Removing and Installing a Fuse
This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below.
Note: If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the appendix on product specifications.
Appendix C Removing and Installing a Fuse
APPENDIX Setting up Your Computer’s IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
Figure 459 Windows 95/98/Me: Network: Configuration
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
1 In the Network window, click Add.
4 Select Client for Microsoft Networks from the list of network clients and then click
5 Restart your computer so the changes you made take effect.
Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
Figure 461 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
4 Click the Gateway tab.
• If you do not know your gateway’s IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
Figure 462 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
Figure 463 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.
Appendix D Setting up Your Computer’s IP Address
Figure 464 Windows XP: Control Panel: Network Connections: Properties
4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
Figure 465 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• Click Advanced.
Figure 466 Windows XP: Internet Protocol (TCP/IP) Properties
6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses:
•...
Figure 467 Windows XP: Advanced TCP/IP Properties
7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
•...
Figure 468 Windows XP: Internet Protocol (TCP/IP) Properties
8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
Figure 469 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 470 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyWALL in the Router address box.
5 Close the TCP/IP Control Panel.
Figure 472 Macintosh OS X: Network
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
•...
Note: Make sure you are logged in as the root administrator.
Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
• If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen.
• If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.
Figure 477 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
•...
APPENDIX IP Addresses and Subnetting
This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks.
Introduction to IP Addresses
An IP address has two parts: the network number and the host ID.
The following table shows the network number and host ID arrangement for classes A, B and C.
Table 270 Classes of IP Addresses
IP ADDRESS: OCTET 1 / OCTET 2 / OCTET 3 / OCTET 4
Class A: Network number / Host ID / Host ID / Host ID...
Subnet Masks
A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask has 32 bits. If a bit in the subnet mask is a “1” then the corresponding bit in the IP address is part of the network number.
Table 273 Alternative Subnet Mask Notation (continued)
SUBNET MASK / LAST OCTET BIT VALUE
255.255.255.240 / 1111 0000
255.255.255.248 / 1111 1000
255.255.255.252 / 1111 1100
The first mask shown is the class “C” natural mask. Normally if no mask is specified it is understood that the natural mask is being used.
Table 275 Subnet 1 (continued)
Subnet Address: 192.168.1.0
Lowest Host ID: 192.168.1.1
Highest Host ID: 192.168.1.126
Broadcast Address: 192.168.1.127
Table 276 Subnet 2
IP/SUBNET MASK / NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address 192.168.1....
Table 277 Subnet 1 (continued)
Subnet Address: 192.168.1.0
Lowest Host ID: 192.168.1.1
Highest Host ID: 192.168.1.62
Broadcast Address: 192.168.1.63
Table 278 Subnet 2
IP/SUBNET MASK / NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address...
The following table shows class C IP address last octet values for each subnet.
Table 281 Eight Subnets
SUBNET / SUBNET ADDRESS / FIRST ADDRESS / LAST ADDRESS / BROADCAST ADDRESS
The following table is a summary for class “C” subnet planning.
Table 282 Class C Subnet Planning
NO....
The following table is a summary for class “B” subnet planning.
Table 283 Class B Subnet Planning
NO. “BORROWED” HOST BITS / SUBNET MASK / NO. SUBNETS / NO. HOSTS PER SUBNET
255.255.128.0 (/17): 32766 hosts per subnet
255.255.192.0 (/18): 16382 hosts per subnet
255.255.224.0 (/19): 8190 hosts per subnet
255.255.240.0 (/20)
Appendix F Common Services
The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
•...
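The logical-AND rule and the subnet planning tables above, worked in Python. This is an added example, not code from the User's Guide; the function names are mine, and the sample addresses are the 192.168.1.0 ones used in the appendix tables.

```python
"""Subnet arithmetic from the IP Addresses and Subnetting appendix (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

ALL_ONES = 0xFFFFFFFF


@dataclass
class Subnet:
    network_number: str
    lowest_host: str
    highest_host: str
    broadcast: str
    usable_hosts: int


def mask_to_prefix(mask: str) -> int:
    """Count the "1" bits of a dotted-decimal mask (255.255.255.128 -> 25).

    A mask must be a run of ones followed by zeros; anything else
    (e.g. 255.255.0.255) cannot split network number from host ID.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def describe_subnet(ip: str, mask: str) -> Subnet:
    """AND the address with the mask (network number), then derive the host range.

    Lowest host ID is network + 1 and highest is broadcast - 1, as in
    Tables 275 and 277 for 192.168.1.0 with /25 and /26 masks.
    """
    prefix = mask_to_prefix(mask)
    if prefix > 30:
        # /31 and /32 leave no separate network and broadcast addresses;
        # the appendix's planning tables stop at /30.
        raise ValueError("subnet masks longer than /30 leave no usable host range")
    addr = int(ipaddress.IPv4Address(ip))
    mask_bits = int(ipaddress.IPv4Address(mask))
    network = addr & mask_bits                      # logical AND from the appendix
    broadcast = network | (~mask_bits & ALL_ONES)   # all host bits set to 1
    return Subnet(
        network_number=str(ipaddress.IPv4Address(network)),
        lowest_host=str(ipaddress.IPv4Address(network + 1)),
        highest_host=str(ipaddress.IPv4Address(broadcast - 1)),
        broadcast=str(ipaddress.IPv4Address(broadcast)),
        usable_hosts=(1 << (32 - prefix)) - 2,
    )


def subnet_plan(natural_prefix: int, borrowed_bits: int) -> Dict[str, object]:
    """One row of the class B/C subnet planning tables (Tables 282 and 283).

    natural_prefix is 24 for a class C network or 16 for class B; borrowing
    n host bits gives 2**n subnets, each with 2**(remaining host bits) - 2 hosts.
    """
    prefix = natural_prefix + borrowed_bits
    if borrowed_bits < 1 or prefix > 30:
        raise ValueError("borrow at least 1 bit and leave at least 2 host bits")
    mask_bits = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return {
        "mask": str(ipaddress.IPv4Address(mask_bits)),
        "prefix": prefix,
        "subnets": 1 << borrowed_bits,
        "hosts_per_subnet": (1 << (32 - prefix)) - 2,
    }


def split_network(network: str, mask: str, borrowed_bits: int) -> List[Subnet]:
    """Enumerate the subnets produced by borrowing bits (Table 281: borrowing
    3 bits of a class C network gives eight /27 subnets)."""
    base = ipaddress.IPv4Network(f"{network}/{mask_to_prefix(mask)}", strict=True)
    return [
        describe_subnet(str(net.network_address), str(net.netmask))
        for net in base.subnets(prefixlen_diff=borrowed_bits)
    ]


if __name__ == "__main__":
    print(describe_subnet("192.168.1.1", "255.255.255.128"))
    print(subnet_plan(16, 1))
    for sub in split_network("192.168.1.0", "255.255.255.0", 3):
        print(sub.network_number, sub.lowest_host, sub.highest_host, sub.broadcast)
```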
Table 284 Commonly Used Services (continued)
HTTP: Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS: HTTPS is a secured http session often used in e-commerce.
ICMP (User-Defined): Internet Control Message Protocol is often...
Table 284 Commonly Used Services (continued)
SFTP: Simple File Transfer Protocol.
SMTP: Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
APPENDIX Wireless LANs
Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.
Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C).
Figure 483 Basic Service Set
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with the access points connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
Figure 484 Infrastructure WLAN
Channel
A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference.
Figure 485 RTS/CTS
When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.
IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
•...
• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
•...
3 The wireless station replies with identity information, including username and password.
4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.
Types of Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection; simple username and password methods are then used through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
Figure 487 WEP Authentication Steps
Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all, as any station can gain access to the network.
If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.
Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.
For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption.
The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations.
Roaming
A wireless station is a device with an IEEE 802.11 mode compliant wireless adapter. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point’s coverage area.
3 Access point P2 acknowledges the presence of wireless station Y and relays this information to access point P1 through the wired LAN.
4 Access point P1 updates the new position of wireless station Y.
5 Wireless station Y sends a request to access point P2 for re-authentication.
Requirements for Roaming
The following requirements must be met in order for wireless stations to roam between the coverage areas.
APPENDIX Windows 98 SE/Me Requirements for Anti-Virus Message Display
With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.
Figure 491 Windows 98 SE: Task Bar Properties
3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.
Figure 492 Windows 98 SE: StartUp
5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
Figure 493 Windows 98 SE: Startup: Create Shortcut
6 Specify a name for the shortcut or accept the default and click Finish.
Figure 494 Windows 98 SE: Startup: Select a Title for the Program
7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
Appendix H Windows 98 SE/Me Requirements for Anti-Virus Message Display
Figure 495 Windows 98 SE: Startup: Shortcut
Note: The WinPopup window displays after the computer finishes the startup process (see Figure 489 on page 771).
APPENDIX VPN Setup
This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users.
General Notes
•...
The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/Remote Starting IP Address settings with your own values.
Figure 497 Headquarters Gateway Policy Edit
The IP address of the branch office IPSec router.
Appendix I VPN Setup
Figure 498 Branch Office Gateway Policy Edit
The IP address of the headquarters IPSec router.
3 Click the add network policy ( ) icon next to the BRANCH gateway policy to configure a VPN policy.
Figure 499 Headquarters VPN Rule
Figure 500 Branch Office VPN Rule
4 Configure the screens in the headquarters and the branch office as follows and click Apply.
Figure 501 Headquarters Network Policy Edit
Activate the network policy. IP addresses on different subnets.
Figure 502 Branch Office Network Policy Edit
Activate the network policy. IP addresses on different subnets.
Dialing the VPN Tunnel via Web Configurator
To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
Figure 503 VPN Rule Configured
The following screen displays.
Figure 504 VPN Dial
This screen displays later if the IPSec routers can build the VPN tunnel.
Figure 505 VPN Tunnel Established
VPN Troubleshooting
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
VPN Log
The system log can often help to identify a configuration problem.
IPSec Debug
If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8).
Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
Use a VPN Tunnel
A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email.
APPENDIX Importing Certificates
This appendix shows examples of importing certificates using Internet Explorer 5.
Import ZyWALL Certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
Figure 509 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 510 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.
Appendix J Importing Certificates
Figure 511 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 512 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.
Figure 515 Certificate General Information after Import
Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Figure 516 ZyWALL Trusted CA Screen
The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
Installing the CA’s Certificate
1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
Figure 517 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
Installing Your Personal Certificate(s)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
Figure 518 Personal Certificate Import Wizard 1
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 519 Personal Certificate Import Wizard 2
3 Enter the password given to you by the CA.
Figure 520 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 521 Personal Certificate Import Wizard 4
5 Click Finish to complete the wizard and begin the import process.
Figure 522 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 523 Personal Certificate Import Wizard 6
Using a Certificate When Accessing the ZyWALL Example
Use the following procedure to access the ZyWALL via HTTPS.
APPENDIX Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode.
Figure 527 Displaying Log Categories Example
ras> sys logs category
8021x access attack display error icmp ipsec javablocked mten packetfilter remote tcpreset traffic upnp urlblocked urlforward wireless
3 Use sys logs category followed by a log category to display the parameters that are available for the category.
Log Command Example
This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras>...
Figure 529 Routing Command Example
ras> ip nat routing 2 1
Routing can work in NAT when no NAT rule match.
-----------------------------------------------
LAN: no
DMZ: yes
WLAN: yes
ARP Behavior and the ARP ackGratuitous Commands
The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request.
A backup gateway (as in the following graphic) is an example of when you might want to turn on the forced update for gratuitous ARP requests. One day gateway A shuts down and the backup gateway (B) comes online using the same static IP address as gateway A. Gateway B broadcasts a gratuitous ARP request to ask which host is using its IP address.
Figure 531 Managing the Bandwidth of an IPSec SA
Use this command to set the ZyWALL to use the outer source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. These are the IP addresses of the ZyWALL and the remote IPSec router.
Setting the Key Length for Phase 2 IPSec AES Encryption
Syntax: ipsec ipsecConfig encryKeyLen <0:128 | 1:192 | 2:256>
By default the ZyWALL uses a 128 bit AES encryption key for phase 2 IPSec tunnels. Use this command to edit an existing VPN rule to use a longer AES encryption key.
Appendix K Command Interpreter
APPENDIX Firewall Commands
The following describes the firewall commands. See Appendix K on page 799 for information on the command structure.
Table 288 Firewall Commands
Firewall Set-Up: This command turns the firewall on or off.
Table 288 Firewall Commands (continued)
E-mail: config edit firewall e-mail mail-server <ip address of mail server> - This command sets the IP address to which the e-mail messages are sent.
E-mail: config edit firewall e-mail... - This command sets the source e-mail address of the firewall e-mails.
Table 288 Firewall Commands (continued)
config edit firewall attack minute-high <0-255> - This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
Page 810
ZyWALL 5/35/70 Series User’s Guide Table 288 Firewall Commands (continued) FUNCTION COMMAND DESCRIPTION This command sets how long ZyWALL lets an Config edit firewall set <set inactive TCP connection remain open before #> tcp-idle-timeout <seconds> considering it closed. This command sets whether or not the Config edit firewall set <set ZyWALL creates logs for packets that match #>...
Page 811
ZyWALL 5/35/70 Series User’s Guide Table 288 Firewall Commands (continued) FUNCTION COMMAND DESCRIPTION This command sets a rule to have the config edit firewall set <set ZyWALL check for traffic with a particular #> rule <rule #> destaddr- subnet destination (defined by IP address and subnet <ip address>...
Page 812
ZyWALL 5/35/70 Series User’s Guide Appendix L Firewall Commands...
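The minute-high / minute-low pair above is a hysteresis: deletion of old half-open sessions starts when the one-minute rate of new half-open sessions rises above minute-high and only stops once the rate has fallen below minute-low. The following model, added here as an illustration and not ZyNOS code, reproduces that behaviour on a constructed SYN stream (ten normal clients that complete their handshakes, then an unacknowledged flood from one host). The threshold values, the client addresses and the timings are assumptions chosen for the demonstration, not documented ZyWALL defaults.

```python
"""Model of the ZyWALL one-minute half-open session thresholds.

Added example (not ZyNOS code): it reproduces the hysteresis that
`config edit firewall attack minute-high` / `minute-low` describe, on a
constructed stream of TCP SYNs. The threshold values below are assumptions
chosen for the demonstration, not documented defaults.
"""
from collections import deque

MINUTE_HIGH = 100   # assumed: new half-open sessions per minute that start deletion
MINUTE_LOW = 80     # assumed: rate below which deletion stops again
WINDOW = 60.0       # the "one minute" the thresholds are measured over


class HalfOpenGuard:
    """Tracks embryonic TCP sessions (SYN seen, handshake not finished)."""

    def __init__(self, minute_high=MINUTE_HIGH, minute_low=MINUTE_LOW):
        self.high = minute_high
        self.low = minute_low
        self.syn_times = deque()   # arrival times of new half-open sessions, last 60 s
        self.half_open = deque()   # (time, client, port), oldest first
        self.deleting = False      # True between crossing HIGH and dropping below LOW
        self.evicted = 0

    def rate(self, now):
        """New half-open sessions seen in the trailing one-minute window."""
        while self.syn_times and now - self.syn_times[0] >= WINDOW:
            self.syn_times.popleft()
        return len(self.syn_times)

    def syn(self, now, client, port):
        """A new SYN arrives; returns True when the guard is in deleting mode."""
        self.syn_times.append(now)
        r = self.rate(now)
        if r > self.high:
            self.deleting = True
        elif r < self.low:
            self.deleting = False
        if self.deleting and self.half_open:
            # make room for the new request by dropping the oldest half-open session
            self.half_open.popleft()
            self.evicted += 1
        self.half_open.append((now, client, port))
        return self.deleting

    def handshake_done(self, client, port):
        """Final ACK seen: the session is established and no longer counted."""
        self.half_open = deque(s for s in self.half_open if (s[1], s[2]) != (client, port))


def simulate():
    """Constructed traffic: 10 normal clients, then a SYN flood from one host."""
    g = HalfOpenGuard()
    for i in range(10):                       # legitimate clients complete handshakes
        g.syn(float(i), f"10.0.0.{i + 1}", 40000 + i)
        g.handshake_done(f"10.0.0.{i + 1}", 40000 + i)
    entered_at = None
    for k in range(1, 151):                   # 150 SYNs in 7.5 s, never acknowledged
        if g.syn(10.0 + k * 0.05, "198.51.100.7", 50000 + k) and entered_at is None:
            entered_at = k                    # first SYN that pushed the rate above HIGH
    after_flood = len(g.half_open)
    # Much later the one-minute window is empty; the rate is below LOW, so deletion stops.
    still_deleting = g.syn(150.0, "10.0.0.99", 41000)
    return {
        "deletion_started_at_syn": entered_at,
        "evicted": g.evicted,
        "half_open_after_flood": after_flood,
        "deleting_after_window": still_deleting,
    }


if __name__ == "__main__":
    print(simulate())
```

With the assumed thresholds the guard enters deleting mode at the 91st flood SYN (ten legitimate sessions plus 91 new ones exceed 100 in the window), evicts one old half-open session for each further SYN, so the table never grows beyond the 90 entries it held when the threshold was crossed, and leaves deleting mode once the window has emptied. A practitioner tuning minute-high should check that legitimate peak connection rates stay below it, otherwise the firewall will drop genuine embryonic sessions during busy minutes.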
Appendix M NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands. See Appendix K on page 799 for information on the command structure.

Introduction

NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.

The filter types and their default settings are as follows.

Table 289 NetBIOS Filter Default Settings

NAME: Between LAN and WAN
DESCRIPTION: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.
EXAMPLE: Block

NAME: Between LAN...
DESCRIPTION: This field displays whether NetBIOS packets are blocked or forwarded...
EXAMPLE: Block

COMMAND: sys filter netbios config 3 on
DESCRIPTION: This command blocks IPSec NetBIOS packets.

COMMAND: sys filter netbios config 4 off
DESCRIPTION: This command stops NetBIOS commands from initiating calls.
Appendix N Certificates Commands

The following describes the certificate commands. See Appendix K on page 799 for information on the command structure. All of these commands start with certificates.

Table 290 Certificates Commands

COMMAND: my_cert...

COMMAND: create cmp_enroll <name> <CA addr> <CA cert>...
DESCRIPTION: Create a certificate request and enroll for a certificate immediately online using the CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies...

COMMAND: replace_fact
DESCRIPTION: Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models. Because every unit ships with that same certificate, it cannot identify any one device; replace it before relying on certificate-based authentication to the ZyWALL.

COMMAND: ca_trusted
DESCRIPTION: Import the PEM-encoded certificate from stdin.

COMMAND: delete <name>
DESCRIPTION: Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted.

COMMAND: list
DESCRIPTION: List all trusted remote host certificate names and basic information.
Appendix O Brute-Force Password Guessing Protection

Brute-force password guessing protection allows you to specify a wait-time that must expire before a fourth password can be entered after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
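The mechanism described above, three failures followed by a mandatory wait before the next attempt is even evaluated, is shown below as an added example; it is not ZyNOS code and the ZyWALL commands themselves are not reproduced here. It assumes a 60-second wait-time, that the failure counter resets once the wait-time has expired, and a PBKDF2-hashed stored password compared in constant time; the attempt sequence in `demo()` is constructed.

```python
"""Login throttle modelled on the ZyWALL brute-force password guessing
protection: after three wrong passwords a wait-time must expire before a
fourth attempt is accepted. Added example, not ZyNOS code. Assumptions: the
counter resets once the wait-time has expired, and the password is stored as
a salted PBKDF2 hash rather than in the clear."""
import hashlib
import hmac
import os

MAX_FAILURES = 3      # page: three incorrect passwords
WAIT_SECONDS = 60     # assumed wait-time; on the ZyWALL it is set by command


class PasswordGuard:
    def __init__(self, password, wait_seconds=WAIT_SECONDS):
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.wait = wait_seconds
        self.failures = 0
        self.locked_until = None      # timestamp until which attempts are refused

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def attempt(self, now, password):
        """Return 'wait', 'bad' or 'ok' for a login attempt at time `now`."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "wait"                 # refused without checking the password
            self.locked_until = None          # assumption: counter resets after the wait
            self.failures = 0
        # constant-time comparison so timing does not leak how many bytes matched
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + self.wait
        return "bad"


def demo():
    """Constructed attempt sequence: three guesses, a refused fourth, then success."""
    g = PasswordGuard("correct horse", wait_seconds=60)
    results = [g.attempt(0, "1234"), g.attempt(1, "admin"), g.attempt(2, "password")]
    results.append(g.attempt(3, "correct horse"))    # right password, but still waiting
    results.append(g.attempt(62, "correct horse"))   # wait-time over
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the refused attempt returns "wait" before the password is compared, so an attacker cannot use the fourth attempt to learn anything, and that the lock applies to the single device password rather than to a source address, which matches the ZyWALL's one-password model but also means an attacker can lock out the legitimate administrator for the wait-time.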
Appendix P Boot Commands

The BootModule AT commands execute from within the router's bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. Because anyone who can reach the console at boot can make that choice, the console port should be physically protected.

Figure 535 Boot Module Commands

AT            just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time
ATDA(y,m,d)   change system date to year/month/day or show...
Index