ZyXEL Communications ZyXEL ZyWALL 2WG User Manual

Internet security appliance
ZyWALL 2WG
Internet Security Appliance
User's Guide
Version 4.03
12/2007
Edition 1
www.zyxel.com

Summary of Contents for ZyXEL Communications ZyXEL ZyWALL 2WG

  • Page 1 ZyWALL 2WG Internet Security Appliance User’s Guide Version 4.03 12/2007 Edition 1 www.zyxel.com...
  • Page 3: About This User's Guide

    Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
  • Page 4: Document Conventions

    Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Server Telephone ZyWALL 2WG User’s Guide Computer Notebook computer DSLAM Firewall Switch Router Document Conventions...
  • Page 6: Safety Warnings

    Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
  • Page 7 • Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s). • If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. This product is recyclable.
  • Page 9: Table Of Contents

    Introduction ... 51 Getting to Know Your ZyWALL ... 53 Introducing the Web Configurator ... 57 Wizard Setup ... 81 Tutorial ... 101 Registration ... 141 Network and Wireless ...145 LAN Screens ... 147 Bridge Screens ... 159 WAN Screens ... 165 DMZ Screens ...
  • Page 10 Contents Overview SMT ... 529 Introducing the SMT ... 531 SMT Menu 1 - General Setup ... 539 WAN and Dial Backup Setup ... 545 LAN Setup ... 559 Internet Access ... 565 DMZ Setup ... 571 Route Setup ... 575 Wireless Setup ...
  • Page 11: Table Of Contents

    About This User's Guide ... 3 Document Conventions... 4 Safety Warnings... 6 Contents Overview ... 9 Table of Contents... 11 List of Figures ... 29 List of Tables... 43 Part I: Introduction... 51 Chapter 1 Getting to Know Your ZyWALL... 53 1.1 ZyWALL Internet Security Appliance Overview ...
  • Page 12 Table of Contents 2.4.5 Navigation Panel ... 70 2.4.6 Port Statistics 2.4.7 Show Statistics: Line Chart ... 75 2.4.8 DHCP Table Screen 2.4.9 VPN Status ... 77 2.4.10 Bandwidth Monitor ... 78 Chapter 3 Wizard Setup ... 81 3.1 Wizard Setup Overview ... 81 3.2 Internet Access ...
  • Page 13 4.5.3 Assign Bob’s Computer a Specific IP Address ... 136 4.5.4 Create a Content Filter Policy for Bob ... 136 4.5.5 Set the Content Filter Schedule ... 137 4.5.6 Block Categories of Web Content for Bob ... 138 Chapter 5 Registration ...
  • Page 14 Table of Contents 8.1 WAN Overview ... 165 8.2 Multiple WAN ... 165 8.3 Load Balancing Introduction ... 166 8.4 Load Balancing Algorithms ... 166 8.4.1 Least Load First ... 166 8.4.2 Weighted Round Robin ... 167 8.4.3 Spillover ... 168 8.5 WAN Interface to Local Host Mapping Timeout ...
  • Page 15 10.1 Wireless LAN Introduction ...211 10.2 Configuring WLAN ... 212 10.3 WLAN Static DHCP 10.4 WLAN IP Alias ... 216 10.5 WLAN Port Roles ... 218 10.6 Wireless Security Overview ... 220 10.6.1 SSID ... 221 10.6.2 MAC Address Filter ... 221 10.6.3 User Authentication ...
  • Page 16 Table of Contents 11.11 Firewall Thresholds 11.11.1 Threshold Values ... 262 11.12 Threshold Screen ... 262 11.13 Service ... 264 11.13.1 Firewall Edit Custom Service ... 265 11.14 My Service Firewall Rule Example ... 266 Chapter 12 Content Filtering Screens ... 271 12.1 Content Filtering Overview ...
  • Page 17 14.4.3 Encryption and Authentication Algorithms ...311 14.5 VPN Rules (IKE) Gateway Policy Edit ... 312 14.6 IPSec SA Overview 14.6.1 Local and Remote Networks ... 318 14.6.2 Virtual Address Mapping ... 319 14.6.3 Active Protocol ... 320 14.6.4 Encapsulation ... 320 14.6.5 IPSec SA Proposal and Perfect Forward Secrecy ...
  • Page 18 Table of Contents 15.7.1 Certificate File Export Formats ... 356 15.8 My Certificate Import 15.8.1 Certificate File Formats ... 357 15.9 My Certificate Create ... 359 15.10 Trusted CAs ... 364 15.11 Trusted CA Details ... 366 15.12 Trusted CA Import 15.13 Trusted Remote Hosts ...
  • Page 19 17.5.3 Configuring Servers Behind Port Forwarding (Example) ... 395 17.5.4 NAT and Multiple WAN ... 396 17.5.5 Port Translation ... 396 17.6 Port Forwarding Screen ... 397 17.7 Port Triggering ... 399 Chapter 18 Static Route ... 401 18.1 IP Static Route ...
  • Page 20 Table of Contents Chapter 21 DNS ... 427 21.1 DNS Overview ... 427 21.2 DNS Server Address Assignment ... 427 21.3 DNS Servers ... 427 21.4 Address Record ... 428 21.4.1 DNS Wildcard ... 428 21.5 Name Server Record ... 428 21.5.1 Private DNS Server ...
  • Page 21 22.13 FTP ... 453 22.14 SNMP ... 454 22.14.1 Supported MIBs ... 455 22.14.2 SNMP Traps ... 456 22.14.3 REMOTE MANAGEMENT: SNMP ... 456 22.15 DNS ... 457 22.16 Introducing Vantage CNM ... 458 22.17 Configuring CNM ... 458 22.17.1 Additional Configuration for Vantage CNM ... 460 Chapter 23 UPnP ...
  • Page 22 Table of Contents 25.5.2 SIP ALG Details ... 476 25.5.3 SIP Signaling Session Timeout ... 477 25.5.4 SIP Audio Session Timeout ... 477 25.6 ALG Screen ... 477 Part V: Logs and Maintenance... 479 Chapter 26 Logs Screens ... 481 26.1 Configuring View Log ...
  • Page 23 27.13 Diagnostics ... 526 Part VI: SMT... 529 Chapter 28 Introducing the SMT ... 531 28.1 Introduction to the SMT ... 531 28.2 Accessing the SMT via the Console Port ... 531 28.2.1 Initial Screen ... 531 28.2.2 Entering the Password ... 532 28.3 Navigating the SMT Interface ...
  • Page 24 Table of Contents 31.3 LAN Port Filter Setup ... 559 31.4 TCP/IP and DHCP Ethernet Setup Menu ... 560 31.4.1 IP Alias Setup ... 563 Chapter 32 Internet Access ... 565 32.1 Introduction to Internet Access Setup ... 565 32.2 Ethernet Encapsulation ... 565 32.3 Configuring the PPTP Client ...
  • Page 25 Chapter 37 IP Static Route Setup... 591 37.1 IP Static Route Setup ... 591 Chapter 38 Network Address Translation (NAT)... 595 38.1 Using NAT ... 595 38.1.1 SUA (Single User Account) Versus NAT ... 595 38.1.2 Applying NAT ... 595 38.2 NAT Setup ...
  • Page 26 Table of Contents Chapter 41 SNMP Configuration ... 633 41.1 SNMP Configuration ... 633 41.2 SNMP Traps ... 634 Chapter 42 System Information & Diagnosis... 635 42.1 Introduction to System Status ... 635 42.2 System Status ... 635 42.3 System Information and Console Port Speed ... 637 42.3.1 System Information ...
  • Page 27 43.5.6 TFTP Upload Command Example ... 658 43.5.7 Uploading Via Console Port ... 658 43.5.8 Uploading Firmware File Via Console Port ... 658 43.5.9 Example Xmodem Firmware Upload Using HyperTerminal ... 659 43.5.10 Uploading Configuration File Via Console Port ... 659 43.5.11 Example Xmodem Configuration Upload Using HyperTerminal ...
  • Page 28 Table of Contents Chapter 49 Product Specifications ... 693 49.1 General ZyWALL Specifications ... 693 49.2 Compatible 3G Cards ... 696 49.3 3G Card Installation ... 697 49.4 Wall-mounting Instructions ... 697 49.5 Power Adaptor Specifications ... 699 49.6 Cable Pin Assignments ... 700 Part VIII: Appendices and Index ...
  • Page 29: List Of Figures

    List of Figures List of Figures Figure 1 Secure Internet Access via Cable or DSL Modem ... 54 Figure 2 VPN Application ... 55 Figure 3 3G WAN Application ... 55 Figure 4 Front Panel ... 56 Figure 5 Change Password Screen ... 58 Figure 6 Replace Certificate Screen ...
  • Page 30 List of Figures Figure 39 SECURITY > FIREWALL > Rule Summary ... 106 Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow ... 107 Figure 41 SECURITY > FIREWALL > Rule Summary: Allow ... 108 Figure 42 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN ... 108 Figure 43 Tutorial Example: Using NAT with Static Public IP Addresses ...
  • Page 31 List of Figures Figure 82 SECURITY > CONTENT FILTER > Policy > External Database (Default) ... 135 Figure 83 HOME > DHCP Table ... 136 Figure 84 SECURITY > CONTENT FILTER > Policy ... 136 Figure 85 SECURITY > CONTENT FILTER > Policy > Insert ... 137 Figure 86 SECURITY >...
  • Page 32 List of Figures Figure 125 DMZ Private and Public Address Example ... 209 Figure 126 NETWORK > DMZ > Port Roles ... 210 Figure 127 Example of a Wireless Network ...211 Figure 128 NETWORK > WLAN ... 213 Figure 129 NETWORK > WLAN > Static DHCP ... 216 Figure 130 NETWORK >...
  • Page 33 List of Figures Figure 168 My Service Firewall Rule Example: Rule Edit: Source and Destination Addresses ... 268 Figure 169 My Service Firewall Rule Example: Edit Rule: Service Configuration ... 269 Figure 170 My Service Firewall Rule Example: Rule Summary: Completed ... 270 Figure 171 Content Filtering Lookup Procedure ...
  • Page 34 List of Figures Figure 211 SECURITY > VPN > VPN Rules (Manual) > Edit ... 335 Figure 212 SECURITY > VPN > SA Monitor ... 338 Figure 213 Overlap in a Dynamic VPN Rule ... 339 Figure 214 Overlap in IP Alias and VPN Remote Networks ... 340 Figure 215 SECURITY >...
  • Page 35 List of Figures Figure 254 ADVANCED > STATIC ROUTE > IP Static Route > Edit ... 403 Figure 255 ADVANCED > POLICY ROUTE > Policy Route Summary ... 406 Figure 256 Edit IP Policy Route ... 408 Figure 257 Subnet-based Bandwidth Management Example ... 412 Figure 258 ADVANCED >...
  • Page 36 List of Figures Figure 297 H.323 with Multiple WAN IP Addresses ... 475 Figure 298 H.323 Calls from the WAN with Multiple Outgoing Calls ... 476 Figure 299 SIP ALG Example ... 477 Figure 300 ADVANCED > ALG ... 478 Figure 301 LOGS >...
  • Page 37 List of Figures Figure 340 Menu 2.1: Advanced WAN Setup ... 548 Figure 341 Menu 11.3: Remote Node Profile (Backup ISP) ... 549 Figure 342 Menu 11.3.2: Remote Node Network Layer Options ... 551 Figure 343 Menu 11.3.3: Remote Node Script ... 553 Figure 344 Menu 11.3.4: Remote Node Filter ...
  • Page 38 List of Figures Figure 383 Menu 15.2: NAT Server Sets ... 602 Figure 384 Menu 15.2.x: NAT Server Sets ... 603 Figure 385 15.2.x.x: NAT Server Configuration ... 603 Figure 386 Menu 15.2.1: NAT Server Setup ... 604 Figure 387 Server Behind NAT Example ... 605 Figure 388 NAT Example 1 ...
  • Page 39 List of Figures Figure 426 Call-Triggering Packet Example ... 644 Figure 427 Menu 24.4: System Maintenance: Diagnostic ... 645 Figure 428 WAN & LAN DHCP ... 645 Figure 429 Telnet into Menu 24.5 ... 649 Figure 430 FTP Session Example ... 649 Figure 431 System Maintenance: Backup Configuration ...
  • Page 40 List of Figures Figure 469 Pop-up Blocker ... 705 Figure 470 Internet Options: Privacy ... 706 Figure 471 Internet Options: Privacy ... 707 Figure 472 Pop-up Blocker Settings ... 707 Figure 473 Internet Options: Security ... 708 Figure 474 Security Settings - Java Scripting ... 709 Figure 475 Security Settings - Java ...
  • Page 41 List of Figures Figure 512 Login Screen ... 756 Figure 513 Certificate General Information before Import ... 756 Figure 514 Certificate Import Wizard 1 ... 757 Figure 515 Certificate Import Wizard 2 ... 757 Figure 516 Certificate Import Wizard 3 ... 758 Figure 517 Root Certificate Store ...
  • Page 43: List Of Tables

    List of Tables List of Tables Table 1 Front Panel Lights ... 56 Table 2 Title Bar: Web Configurator Icons ... 60 Table 3 Web Configurator HOME Screen in Router Mode ... 62 Table 4 Web Configurator HOME Screen in Bridge Mode ... 67 Table 5 Bridge and Router Mode Features Comparison ...
  • Page 44 List of Tables Table 39 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) ... 182 Table 40 NETWORK > WAN > WAN 1 (PPTP Encapsulation) ... 185 Table 41 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies ... 188 Table 42 NETWORK > WAN > WAN 2 (3G WAN) ... 190 Table 43 NETWORK >...
  • Page 45 List of Tables Table 82 SECURITY > CONTENT FILTER > Object ... 289 Table 83 SECURITY > CONTENT FILTER > Cache ... 292 Table 84 SECURITY > VPN > VPN Rules (IKE) ... 304 Table 85 VPN Example: Matching ID Type and Content ... 307 Table 86 VPN Example: Mismatching ID Type and Content ...
  • Page 46 List of Tables Table 125 Application and Subnet-based Bandwidth Management Example ... 412 Table 126 Maximize Bandwidth Usage Example ... 414 Table 127 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example ... 414 Table 128 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example ... 415 Table 129 Bandwidth Borrowing Example ...
  • Page 47 List of Tables Table 168 ICMP Logs ... 495 Table 169 CDR Logs ... 496 Table 170 PPP Logs ... 496 Table 171 3G Logs ... 496 Table 172 UPnP Logs ... 498 Table 173 Content Filtering Logs ... 498 Table 174 Attack Logs ...
  • Page 48 List of Tables Table 211 Menu 3.2: LAN TCP/IP Setup Fields ... 562 Table 212 Menu 3.2.1: IP Alias Setup ... 563 Table 213 Menu 4: Internet Access Setup (Ethernet) ... 566 Table 214 New Fields in Menu 4 (PPTP) Screen ... 568 Table 215 New Fields in Menu 4 (PPPoE) screen ...
  • Page 49 List of Tables Table 254 Firmware Specifications ... 694 Table 255 Feature Specifications ... 695 Table 256 3G Features Supported By Compatible 3G Cards ... 696 Table 257 Console Cable Pin Assignments ... 700 Table 258 Console Cable Pin Assignments ... 700 Table 259 Ethernet Cable Pin Assignments ...
  • Page 51: Introduction

    Introduction Getting to Know Your ZyWALL (53) Introducing the Web Configurator (57) Wizard Setup (81) Tutorial (101) Registration (141)
  • Page 53: Getting to Know Your ZyWALL

    Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates.
  • Page 54: Good Habits for Managing the ZyWALL

    Chapter 1 Getting to Know Your ZyWALL • Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server. 1.3 Good Habits for Managing the ZyWALL Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively.
  • Page 55: VPN Application

    1.4.2 VPN Application ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites. Figure 2 VPN Application 1.4.3 3G WAN Application Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station.
  • Page 56: Front Panel Lights

    Chapter 1 Getting to Know Your ZyWALL 1.4.4 Front Panel Lights Figure 4 Front Panel The following table describes the lights. Table 1 Front Panel Lights (COLOR, STATUS and DESCRIPTION columns for the LAN/DMZ 10/100, WLAN and CARD lights; the table is truncated here). First entry: The ZyWALL is turned off.
  • Page 57: Introducing The Web Configurator

    Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions.
  • Page 58: Figure 5 Change Password Screen

    Chapter 2 Introducing the Web Configurator 5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore. Figure 5 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
  • Page 59: Resetting the ZyWALL

    2.3 Resetting the ZyWALL If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
  • Page 60: Navigating the ZyWALL Web Configurator

    Chapter 2 Introducing the Web Configurator 2.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. Figure 8 HOME Screen As illustrated above, the main screen is divided into these parts: •...
  • Page 61: Main Window

    2.4.2 Main Window The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE >...
  • Page 62: Table 3 Web Configurator HOME Screen in Router Mode

    Chapter 2 Introducing the Web Configurator The following table describes the labels in this screen. Table 3 Web Configurator HOME Screen in Router Mode LABEL DESCRIPTION Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
  • Page 63 Table 3 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Interfaces This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists. Hold your cursor over an interface’s label to display the interface’s MAC address. Click an interface’s label to go to the screen where you can configure settings for that interface.
  • Page 64 Chapter 2 Introducing the Web Configurator Table 3 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION 3G Connection Status: This displays Down when the 3G connection is down or not activated. This displays Initializing when the ZyWALL is configuring the 3G card with AT commands.
  • Page 65 Table 3 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION 3G Card ESN This field is available only when you insert a CDMA (Code Division Multiple Access) 3G card. This shows the ESN (Electronic Serial Number) of the inserted CDMA 3G card. The ESN is the serial number of a CDMA 3G card and is similar to the IMEI on a GSM or UMTS 3G card.
  • Page 66 Chapter 2 Introducing the Web Configurator Table 3 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Remaining Data Budget: This field is available only when you enable budget control in the Network > WAN > 3G (WAN 2) screen. This shows how much data (in bytes) can still be transmitted through the 3G connection before the ZyWALL takes the actions you specified in the 3G (WAN 2) screen.
  • Page 67: HOME Screen: Bridge Mode

    2.4.4 HOME Screen: Bridge Mode The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets.
  • Page 68 Chapter 2 Introducing the Web Configurator Table 4 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION System Name This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
  • Page 69 Table 4 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION Rapid Spanning Tree Protocol: This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled. Bridge Priority: This is the bridge priority of the ZyWALL.
  • Page 70: Navigation Panel

    Chapter 2 Introducing the Web Configurator Table 4 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION Port Statistics Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port. Click VPN to display the active VPN connections.
  • Page 71: Table 6 Screens Summary

    Table 5 Bridge and Router Mode Features Comparison FEATURE Logs Maintenance Table Key: A Y in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 72 Chapter 2 Introducing the Web Configurator Table 6 Screens Summary (continued) LINK WIRELESS 3G (WAN 2) 3G (WAN 2) Wi-Fi Wireless Card Security MAC Filter SECURITY FIREWALL Default Rule Rule Summary This screen shows a summary of the firewall rules, and allows you Anti-Probing Threshold Service...
  • Page 73 Table 6 Screens Summary (continued) LINK NAT Overview Address Mapping Port Forwarding Port Triggering STATIC ROUTE IP Static Route Use this screen to configure IP static routes. POLICY ROUTE Policy Route Summary BW MGMT Summary Class Setup Monitor System Cache DHCP DDNS REMOTE...
  • Page 74: Port Statistics

    Chapter 2 Introducing the Web Configurator Table 6 Screens Summary (continued) LINK LOGS View Log Log Settings Reports MAINTENANCE General Password Time and Date Use this screen to change your ZyWALL’s time and date. Device Mode F/W Upload Backup & Restore Restart Diagnostics...
  • Page 75: Show Statistics: Line Chart

    The following table describes the labels in this screen. Table 7 HOME > Show Statistics LABEL DESCRIPTION Click the icon to display the chart of throughput statistics in router mode. Port These are the ZyWALL’s interfaces. Status For the WAN interface(s) and the Dial Backup port, this displays the port speed and duplex setting if you’re using Ethernet encapsulation or the remote node name for a PPP connection and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE...
  • Page 76: DHCP Table Screen

    Chapter 2 Introducing the Web Configurator The following table describes the labels in this screen. Table 8 HOME > Show Statistics > Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen. Port Select the check box(es) to display the throughput statistics of the corresponding interface(s).
  • Page 77: VPN Status

    Table 9 HOME > DHCP Table (continued) LABEL DESCRIPTION MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory.
  • Page 78: Bandwidth Monitor

    Chapter 2 Introducing the Web Configurator Table 10 HOME > VPN Status LABEL DESCRIPTION IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
  • Page 79 Table 11 ADVANCED > BW MGMT > Monitor LABEL Automatic Refresh Interval, Refresh. A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class). ...
  • Page 81: Wizard Setup

    Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview The web configurator's setup wizards help you configure Internet and VPN connection settings.
  • Page 82: ISP Parameters

    Chapter 3 Wizard Setup 3.2.1 ISP Parameters The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field. 3.2.1.1 Ethernet For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets.
  • Page 83: Figure 18 ISP Parameters: PPPoE Encapsulation

    Table 12 ISP Parameters: Ethernet Encapsulation LABEL DESCRIPTION My WAN IP Address: Enter your WAN IP address in this field. My WAN IP Subnet Mask: Enter the IP subnet mask in this field. Gateway IP Address: Enter the gateway IP address in this field. First DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right.
  • Page 84: Table 13 ISP Parameters: PPPoE Encapsulation

    Chapter 3 Wizard Setup The following table describes the labels in this screen. Table 13 ISP Parameters: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection. Service Name Type the name of your service provider.
  • Page 85: Figure 19 ISP Parameters: PPTP Encapsulation

    Figure 19 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 14 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 86: Internet Access Wizard: Second Screen

    Chapter 3 Wizard Setup Table 14 ISP Parameters: PPTP Encapsulation LABEL My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Connection ID/ Name WAN IP Address Assignment IP Address Assignment My WAN IP Address First DNS Server...
  • Page 87: Internet Access Wizard: Registration

    Figure 21 Internet Access Setup Complete 3.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 21), this screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, anti-spam, anti-virus and IDP.
  • Page 88: Figure 22 Internet Access Wizard: Registration

    Chapter 3 Wizard Setup Figure 22 Internet Access Wizard: Registration The following table describes the labels in this screen. Table 15 Internet Access Wizard: Registration LABEL Device Registration New myZyXEL.com account Existing myZyXEL.com account User Name Check Password Confirm Password E-Mail Address Country Back...
  • Page 89: Internet Access Wizard: Status

    Figure 23 Internet Access Wizard: Registration in Progress 3.2.4 Internet Access Wizard: Status This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done. Figure 24 Internet Access Wizard: Status The following screen appears if the registration was not successful.
  • Page 90: Internet Access Wizard: Service Activation

    Chapter 3 Wizard Setup 3.2.5 Internet Access Wizard: Service Activation If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next. Figure 26 Internet Access Wizard: Registered Device Figure 27 Internet Access Wizard: Activated Services 3.3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at...
  • Page 91: Figure 28 VPN Wizard: Gateway Setting

    Figure 28 VPN Wizard: Gateway Setting The following table describes the labels in this screen. Table 16 VPN Wizard: Gateway Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 92: VPN Wizard Network Setting

    Chapter 3 Wizard Setup 3.4 VPN Wizard Network Setting Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
  • Page 93: VPN Wizard IKE Tunnel Setting (IKE Phase 1)

    Table 17 VPN Wizard: Network Setting LABEL DESCRIPTION Starting IP Address: When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL.
  • Page 94: Figure 30 VPN Wizard: IKE Tunnel Setting

    Chapter 3 Wizard Setup Figure 30 VPN Wizard: IKE Tunnel Setting The following table describes the labels in this screen. Table 18 VPN Wizard: IKE Tunnel Setting LABEL Negotiation Mode Encryption Algorithm Authentication Algorithm Key Group SA Life Time (Seconds) DESCRIPTION Select Main Mode for identity protection.
  • Page 95: VPN Wizard IPSec Setting (IKE Phase 2)

    Table 18 VPN Wizard: IKE Tunnel Setting (continued) LABEL DESCRIPTION Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 96: VPN Wizard Status Summary

    Chapter 3 Wizard Setup The following table describes the labels in this screen. Table 19 VPN Wizard: IPSec Setting LABEL Encapsulation Mode IPSec Protocol Encryption Algorithm When DES is used for data communications, both sender and receiver must Authentication Algorithm SA Life Time (Seconds) Perfect Forward...
  • Page 97: Figure 32 VPN Wizard: VPN Status

    Figure 32 VPN Wizard: VPN Status The following table describes the labels in this screen. Table 20 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy. Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode.
  • Page 98 Chapter 3 Wizard Setup Table 20 VPN Wizard: VPN Status (continued) LABEL Network Policy Setting Local Network Starting IP Address Ending IP Address/ Subnet Mask Remote Network Starting IP Address Ending IP Address/ Subnet Mask IKE Tunnel Setting (IKE Phase 1) Negotiation Mode Encryption Algorithm...
  • Page 99: VPN Wizard Setup Complete

    3.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 33 VPN Wizard Setup Complete ZyWALL 2WG User’s Guide Chapter 3 Wizard Setup...
  • Page 101: Tutorial

    Chapter 4 Tutorial. This chapter describes how to apply security settings to VPN traffic, how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP, and how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL's WAN port.
  • Page 102: Configuring the VPN Rule

    Figure 34 Firewall Rule for VPN. 4.1.2 Configuring the VPN Rule. This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security >...
  • Page 103: Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy

    Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy. 3 Click the Add Network Policy icon.
  • Page 104: Figure 37 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example

    Figure 37 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example. 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers.
  • Page 105: Configuring the Firewall Rules

    Figure 38 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy. 4.1.3 Configuring the Firewall Rules. Suppose you have several VPN tunnels but you only want to allow device B's network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on).
  • Page 106: Figure 39 SECURITY > FIREWALL > Rule Summary

    4.1.3.1 Firewall Rule to Allow Access Example. Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server. 1 Click Security > Firewall > Rule Summary. 2 Select VPN to LAN as the packet direction and click Refresh. 3 Click the insert icon.
  • Page 107: Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow

    Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow. 5 The rule displays in the summary list of VPN to LAN firewall rules.
  • Page 108: Figure 41 SECURITY > FIREWALL > Rule Summary: Allow

    Figure 41 SECURITY > FIREWALL > Rule Summary: Allow. 4.1.3.2 Default Firewall Rule to Block Other Access Example. Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other type of access from VPN tunnels to the LAN FTP server; the explicit FTP rule is matched before the default rule, so it keeps working. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.
  • Page 109: Using NAT with Multiple Public IP Addresses

    4.2 Using NAT with Multiple Public IP Addresses. This section shows you examples of how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP. 4.2.1 Example Parameters and Scenario. The following table shows the public IP addresses from your ISP and your ZyWALL's LAN IP address.
  • Page 110: Configuring the WAN Connection with a Static IP Address

    4.2.2 Configuring the WAN Connection with a Static IP Address. The following table shows the information your ISP gave you for the Internet connection (fields: Encapsulation, Public IP Addresses, Gateway IP Address, Subnet Mask, User Name, Password, DNS Server). Follow the steps below to configure your ZyWALL for Internet access using PPPoE in this example.
  • Page 111: Figure 45 Tutorial Example: WAN 1 Screen

    Figure 45 Tutorial Example: WAN 1 Screen. 6 Click ADVANCED > DNS. 7 The System screen displays. Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names. Figure 46 Tutorial Example: DNS > System. 8 Select Public DNS Server and enter the first DNS server's IP address given by your ISP.
  • Page 112: Figure 47 Tutorial Example: DNS > System Edit-1

    Figure 47 Tutorial Example: DNS > System Edit-1. 9 Enter the rule number (2) where you want to put the second record and click the Insert button to configure the second DNS server's IP address as follows. Click Apply. To resolve a domain name, the ZyWALL checks it against the name server record entries in the order that they appear in this list.
  • Page 113: Public IP Address Mapping

    Figure 49 Tutorial Example: DNS > System: Done. 11 Go to the Home screen to check your WAN connection status. Make sure the status is not Down. Figure 50 Tutorial Example: Status. 4.2.3 Public IP Address Mapping. To have the local computers and servers use specific WAN IP addresses, you need to map static public IP addresses to them.
  • Page 114: Figure 51 Tutorial Example: Mapping Multiple Public IP Addresses to Inside Servers

    The one-to-one NAT address mapping rules are for both incoming and outgoing connections: the ZyWALL forwards traffic that is initiated from either the LAN or the WAN to the destination IP address. The many-to-one and many-to-many NAT address mapping rules are for outgoing connections only. Because a one-to-one mapping passes inbound traffic to every port of the inside host, the WAN-to-LAN firewall rules are what limit which services are actually reachable.
  • Page 115: Figure 52 Tutorial Example: NAT > NAT Overview

    Figure 52 Tutorial Example: NAT > NAT Overview. 3 Click the Address Mapping tab. 4 Select WAN 1. 5 Click the first rule's Edit icon in the Modify column to display the Address Mapping Rule screen.
  • Page 116: Figure 53 Tutorial Example: NAT > Address Mapping

    Figure 53 Tutorial Example: NAT > Address Mapping. 6 Map a public IP address to the web server. Select the One-to-One type and enter 192.168.1.12 as the local start IP address and 1.2.3.5 as the global start IP address. Click Apply. Figure 54 Tutorial Example: NAT Address Mapping Edit: One-to-One (1). 7 Click the second rule's Edit icon. 8 Map a public IP address to the mail server.
  • Page 117: Figure 55 Tutorial Example: NAT Address Mapping Edit: One-to-One (2)

    Figure 55 Tutorial Example: NAT Address Mapping Edit: One-to-One (2). 9 Click the third rule's Edit icon. 10 Map a public IP address to other outgoing LAN traffic. Select the Many-to-One type and enter 192.168.1.1 as the local start IP address, 192.168.1.254 as the local end IP address and 1.2.3.4 as the global start IP address.
  • Page 118: Forwarding Traffic from the WAN to a Local Computer

    Figure 57 Tutorial Example: NAT Address Mapping Done. To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule (refer to Section 4.2.5). 4.2.4 Forwarding Traffic from the WAN to a Local Computer. A server NAT address mapping rule allows computers behind the NAT to be accessible to the outside world.
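    The direction semantics of the three rule types used in 4.2.3 and 4.2.4 (One-to-One in both directions, Many-to-One outbound only, Server for one forwarded port) are easy to get wrong when rules overlap, so here is an added example that models them; it is editor-written illustration code, not ZyXEL firmware or a ZyXEL API. The web server (192.168.1.12 on 1.2.3.5), the Many-to-One range (192.168.1.1 to 192.168.1.254 on 1.2.3.4) and the forwarded FTP port come from the tutorial. The mail server address (192.168.1.13 on 1.2.3.6), the FTP host for the Server rule (192.168.1.39) and first-match rule ordering are assumptions.

```python
"""Model of ZyWALL-style NAT address mapping rules (added example, not ZyXEL code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class MappingRule:
    kind: str            # "one-to-one", "many-to-one" or "server"
    local_start: str
    local_end: str
    global_ip: str
    proto: str = ""      # server rules only: forwarded protocol ...
    port: int = 0        # ... and port on global_ip

    def covers_local(self, ip: str) -> bool:
        a = IPv4Address(ip)
        return IPv4Address(self.local_start) <= a <= IPv4Address(self.local_end)


def translate_outbound(rules: List[MappingRule], local_ip: str) -> Optional[str]:
    """Source address a LAN host gets on the WAN, from the first matching
    One-to-One or Many-to-One rule (assumed first-match order). None: no rule."""
    for r in rules:
        if r.kind in ("one-to-one", "many-to-one") and r.covers_local(local_ip):
            return r.global_ip
    return None


def translate_inbound(rules: List[MappingRule], public_ip: str,
                      proto: str, port: int) -> Optional[str]:
    """Inside host an unsolicited WAN packet is delivered to.
    One-to-One forwards every port; Many-to-One never forwards inbound;
    Server forwards only its configured (proto, port)."""
    for r in rules:
        if r.global_ip != public_ip:
            continue
        if r.kind == "one-to-one":
            return r.local_start
        if r.kind == "server" and (r.proto, r.port) == (proto, port):
            return r.local_start
    return None


# Tutorial rule set; the mail server and the FTP host are assumed values.
TUTORIAL_RULES = [
    MappingRule("one-to-one", "192.168.1.12", "192.168.1.12", "1.2.3.5"),
    MappingRule("one-to-one", "192.168.1.13", "192.168.1.13", "1.2.3.6"),   # assumed
    MappingRule("many-to-one", "192.168.1.1", "192.168.1.254", "1.2.3.4"),
    MappingRule("server", "192.168.1.39", "192.168.1.39", "1.2.3.4",
                proto="tcp", port=21),                                      # assumed host
]

if __name__ == "__main__":
    print(translate_outbound(TUTORIAL_RULES, "192.168.1.12"))        # 1.2.3.5
    print(translate_outbound(TUTORIAL_RULES, "192.168.1.50"))        # 1.2.3.4
    print(translate_inbound(TUTORIAL_RULES, "1.2.3.5", "tcp", 22))   # 192.168.1.12
    print(translate_inbound(TUTORIAL_RULES, "1.2.3.4", "tcp", 21))   # 192.168.1.39
    print(translate_inbound(TUTORIAL_RULES, "1.2.3.4", "tcp", 80))   # None
```

    Note that the One-to-One rule for 192.168.1.12 must sit above the Many-to-One rule, which also covers that address; in the reverse order the web server would leave on 1.2.3.4. Inbound, the One-to-One rule answers for every port on 1.2.3.5, which is why the firewall rules in 4.2.5 matter.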
  • Page 119: Figure 58 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer

    Figure 58 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer. 1 Click ADVANCED > NAT > Address Mapping. 2 Click the fourth rule's Edit icon. Figure 59 Tutorial Example: NAT Address Mapping Edit: Server. 3 Click the Port Forwarding tab. 4 Select WAN 1.
  • Page 120: Allow WAN-to-LAN Traffic through the Firewall

    Figure 60 Tutorial Example: NAT Port Forwarding. 4.2.5 Allow WAN-to-LAN Traffic through the Firewall. By default, the ZyWALL blocks any traffic initiated from the WAN to the LAN. To have the ZyWALL forward traffic initiated from WAN 1 to a local computer or server on the LAN, you need to configure a firewall rule to allow it.
  • Page 121: Figure 62 Tutorial Example: Firewall Default Rule

    Figure 62 Tutorial Example: Firewall Default Rule. 3 Go to the Rule Summary screen. 4 Select WAN1 to LAN as the packet direction and click Refresh. 5 Click the insert icon to create a new firewall rule. Figure 63 Tutorial Example: Firewall Rule: WAN1 to LAN. 6 Configure a firewall rule to allow HTTP traffic from the WAN to the web server.
  • Page 122: Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server

    Enter a descriptive name (W-L_Web, for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.12 and click Add. Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server. 7 Select HTTP(TCP:80) and HTTPS(TCP:443) in the Available Services box on the left, and click >>...
  • Page 123: Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server

    Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server. 8 Click the insert icon to configure a firewall rule to allow traffic from the WAN to the mail server. Enter a descriptive name (W-L_Mail, for example). Select Any in the Destination Address(es) box and click Delete.
  • Page 124: Figure 66 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server

    Figure 66 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server. 9 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. Be aware that Any(All) exposes every port on the mail server to the Internet; selecting only the mail services you actually run (for example SMTP on TCP 25) keeps the exposure to what is needed. Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Mail Server.
  • Page 125: Figure 68 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server

    10 Click the insert icon to configure a firewall rule to allow FTP traffic from the WAN to the FTP server. Enter a descriptive name (W-L_FTP, for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.39 and click Add. Figure 68 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server. 11 Select FTP(TCP:20,21) in the Available Services box on the left, and click >>...
  • Page 126: Figure 69 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server

    Figure 69 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server. 12 When you are done, the Rule Summary screen looks as shown. Figure 70 Tutorial Example: Firewall Rule Summary.
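    The rule lists built in 4.1.3 (VPN to LAN: allow FTP, then block everything else by default) and in 4.2.5 (WAN1 to LAN: W-L_Web, W-L_Mail, W-L_FTP over a default block) both rely on first-match evaluation followed by a per-direction default rule. The following added example, written for this page and not ZyXEL code, evaluates sample packets against both lists and shows what the Any(All) service on the mail rule lets through. Rule names, the web server 192.168.1.12, the FTP server 192.168.1.39 and the service definitions come from the tutorial; the mail server address 192.168.1.13, device B's network 192.168.2.0/24 and the VPN FTP server sharing the address 192.168.1.39 are assumptions.

```python
"""First-match firewall evaluation with per-direction default rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Service:
    proto: str                    # "tcp", "udp" or "any"
    ports: Tuple[int, ...] = ()   # empty tuple = every port

    def matches(self, proto: str, dport: int) -> bool:
        proto_ok = self.proto == "any" or self.proto == proto
        return proto_ok and (not self.ports or dport in self.ports)


ANY_ALL = Service("any")              # Any(All)
FTP = Service("tcp", (20, 21))        # FTP(TCP:20,21)
HTTP = Service("tcp", (80,))          # HTTP(TCP:80)
HTTPS = Service("tcp", (443,))        # HTTPS(TCP:443)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                          # e.g. "WAN1 to LAN", "VPN to LAN"
    src: str = "any"                        # address, network or "any"
    dst: str = "any"
    services: Tuple[Service, ...] = (ANY_ALL,)
    action: str = "permit"                  # "permit" or "drop"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], defaults: Dict[str, str], pkt: Packet) -> Tuple[str, str]:
    """Walk the rules for the packet's direction in order; the first rule whose
    addresses and service match decides. Otherwise the direction's default
    rule applies (block, as set in 4.1.3.2 and 4.2.5)."""
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if not (_addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)):
            continue
        if any(s.matches(pkt.proto, pkt.dport) for s in r.services):
            return r.action, r.name
    return defaults.get(pkt.direction, "drop"), "default"


# Tutorial rules; src of VPN_FTP and dst of W-L_Mail are assumed values.
RULES = [
    Rule("VPN_FTP", "VPN to LAN", src="192.168.2.0/24", dst="192.168.1.39", services=(FTP,)),
    Rule("W-L_Web", "WAN1 to LAN", dst="192.168.1.12", services=(HTTP, HTTPS)),
    Rule("W-L_Mail", "WAN1 to LAN", dst="192.168.1.13", services=(ANY_ALL,)),
    Rule("W-L_FTP", "WAN1 to LAN", dst="192.168.1.39", services=(FTP,)),
]
DEFAULTS = {"VPN to LAN": "drop", "WAN1 to LAN": "drop"}


def check(direction: str, src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    return evaluate(RULES, DEFAULTS, Packet(direction, src, dst, proto, dport))


if __name__ == "__main__":
    # Constructed sample packets (not from the page); 203.0.113.7 is a documentation address.
    for args in [("WAN1 to LAN", "203.0.113.7", "192.168.1.12", "tcp", 443),
                 ("WAN1 to LAN", "203.0.113.7", "192.168.1.12", "tcp", 22),
                 ("WAN1 to LAN", "203.0.113.7", "192.168.1.13", "tcp", 3389),
                 ("VPN to LAN", "192.168.2.10", "192.168.1.39", "tcp", 21),
                 ("VPN to LAN", "192.168.2.10", "192.168.1.39", "tcp", 80)]:
        print(args, "->", check(*args))
```

    The third sample packet is the point of the exercise: with Any(All), TCP 3389 to the mail server is permitted by W-L_Mail, while the same port on the web server falls through to the default block.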
  • Page 127: Testing the Connections

    4.2.6 Testing the Connections. 1 Open the web browser on one of the local computers and enter any web site's URL in the address bar. If you can access the web site, your WAN 1 connection and NAT address mapping are configured successfully. If you cannot access it, make sure you entered the correct information in the WAN and NAT Address Mapping screens.
  • Page 128: How to Manage the ZyWALL's Bandwidth

    Figure 71 Tutorial Example: NAT Address Mapping Done: Game Playing. To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule (refer to Section 4.2.5). 4.4 How to Manage the ZyWALL's Bandwidth. This section shows you examples of how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL's WAN port.
  • Page 129: Configuring Bandwidth Management Rules

    Figure 72 Tutorial Example: Bandwidth Management. The following table shows the example information you configure in the bandwidth management screens: Total Bandwidth Budget (WAN Upstream Speed), Bandwidth for VoIP Traffic, Priority for VoIP Traffic, Bandwidth for FTP Traffic, Priority for FTP Traffic, Bandwidth for WWW Traffic, Priority for WWW Traffic. 4.4.2 Configuring Bandwidth Management Rules...
  • Page 130: Figure 73 Tutorial Example: Bandwidth Management Summary

    Figure 73 Tutorial Example: Bandwidth Management Summary. 7 Click the Class Setup tab. 8 Select the WAN1 interface and click the Add Sub-Class button to create a rule for VoIP traffic. Figure 74 Tutorial Example: Bandwidth Management Class Setup. 9 Enter a descriptive name ("WAN1_VoIP"...
  • Page 131: Figure 75 Tutorial Example: Bandwidth Management Class Setup: VoIP

    Figure 75 Tutorial Example: Bandwidth Management Class Setup: VoIP. 12 Click the Add Sub-Class button to create a rule for FTP traffic as follows. Click Apply. Figure 76 Tutorial Example: Bandwidth Management Class Setup: FTP. 13 Click the Add Sub-Class button to create a rule for WWW traffic as follows. Click Apply.
  • Page 132: Figure 77 Tutorial Example: Bandwidth Management Class Setup: WWW

    Figure 77 Tutorial Example: Bandwidth Management Class Setup: WWW. 14 When you are finished, the Class Setup screen looks as shown. Figure 78 Tutorial Example: Bandwidth Management Class Setup Done. 15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface.
  • Page 133: Configuring Content Filtering

    Figure 79 Tutorial Example: Bandwidth Management Monitor. 4.5 Configuring Content Filtering. You can use the ZyWALL's content filtering policies to apply specific content filtering settings to specific users. You can even filter certain things at certain times. For example, you decide to set the default policy to block access to several categories of web content, including things like pornography, hacking, nudity, arts and entertainment, and so on.
  • Page 134: Block Categories of Web Content

    1 Click SECURITY > CONTENT FILTER. 2 Enable the content filter and external database content filtering. 3 Click Apply. Figure 80 SECURITY > CONTENT FILTER > General. 4.5.2 Block Categories of Web Content. Here is how to block access to web pages by category of content. 1 Click SECURITY >...
  • Page 135: Figure 81 SECURITY > CONTENT FILTER > Policy

    Figure 81 SECURITY > CONTENT FILTER > Policy. 2 Select Active. 3 Select the categories to block. 4 Click Apply. Figure 82 SECURITY > CONTENT FILTER > Policy > External Database (Default).
  • Page 136: Assign Bob's Computer a Specific IP Address

    4.5.3 Assign Bob's Computer a Specific IP Address. You will configure a content filtering policy for traffic from Bob's computer's IP address. Do the following to have the ZyWALL always give Bob's computer the same IP address (192.168.1.33 in this example). Keep in mind that the policy is keyed to the IP address only: any computer that is given or configured with that address receives Bob's policy.
  • Page 137: Set the Content Filter Schedule

    5 Click Apply. Figure 85 SECURITY > CONTENT FILTER > Policy > Insert. 4.5.5 Set the Content Filter Schedule. You want to let Bob access arts and entertainment web pages, but only during lunch. So you configure a schedule to apply the Bob policy only from 12:00 to 13:00. For the rest of the time, the ZyWALL applies the default content filter policy (which blocks access to arts and entertainment web pages).
  • Page 138: Block Categories of Web Content for Bob

    4 Click Apply. Figure 87 SECURITY > CONTENT FILTER > Policy > Schedule (Bob). 4.5.6 Block Categories of Web Content for Bob. Now you select the categories of web pages to block Bob from accessing. 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy's external database icon.
  • Page 139: Figure 88 SECURITY > CONTENT FILTER > Policy

    Figure 88 SECURITY > CONTENT FILTER > Policy. 2 Select Active. 3 Select the categories to block. This is very similar to Section 4.5.2, except that you do not select the arts and entertainment category. 4 Click Apply. Figure 89 SECURITY > CONTENT FILTER > Policy > External Database (Bob).
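    The content filter configuration in 4.5 combines three selectors: the source address a policy covers, the schedule during which it is active, and the categories it blocks; the default policy catches whatever no named policy covers. The following added example, written for this page and not ZyXEL code, models that selection so the boundary cases can be checked (Bob at 12:30 versus 13:00, and another host at 12:30). Bob's address 192.168.1.33, the 12:00 to 13:00 window and the category list come from the tutorial; that policies are tried in list order, that the window end is exclusive and that the schedule applies every day are assumptions.

```python
"""Content filter policy selection by source address and schedule (added example)."""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    blocked: FrozenSet[str]                    # categories this policy blocks
    sources: Optional[FrozenSet[str]] = None   # None: any source (the default policy)
    start: time = time(0, 0)                   # schedule window; end is exclusive (assumed)
    end: time = time.max
    active: bool = True

    def applies(self, src_ip: str, now: time) -> bool:
        if not self.active:
            return False
        if self.sources is not None and src_ip not in self.sources:
            return False
        return self.start <= now < self.end


def select_policy(policies: List[Policy], src_ip: str, now: time) -> Policy:
    """First policy in list order whose source set and schedule match. The
    default policy (no source restriction, whole day) is listed last."""
    for p in policies:
        if p.applies(src_ip, now):
            return p
    raise LookupError("no policy applies; a default policy must be last")


def is_blocked(policies: List[Policy], src_ip: str, now: time, category: str) -> bool:
    return category in select_policy(policies, src_ip, now).blocked


DEFAULT_BLOCKED = frozenset({"Pornography", "Hacking", "Nudity", "Arts/Entertainment"})

TUTORIAL_POLICIES = [
    Policy("Bob", DEFAULT_BLOCKED - {"Arts/Entertainment"},
           sources=frozenset({"192.168.1.33"}), start=time(12, 0), end=time(13, 0)),
    Policy("Default", DEFAULT_BLOCKED),
]

if __name__ == "__main__":
    for ip, t in [("192.168.1.33", time(12, 30)), ("192.168.1.33", time(13, 0)),
                  ("192.168.1.34", time(12, 30))]:
        p = select_policy(TUTORIAL_POLICIES, ip, t)
        print(ip, t, p.name, "Arts/Entertainment blocked:",
              is_blocked(TUTORIAL_POLICIES, ip, t, "Arts/Entertainment"))
```

    Any category the Bob policy does not list explicitly (Hacking, for example) stays blocked for Bob during lunch only because his policy was built from the default list minus one category; a named policy that starts empty would let everything through for its source.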
  • Page 141: Registration

    Chapter 5 Registration. 5.1 myZyXEL.com overview. myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 142: Registration

    5.2 Registration. To register your ZyWALL with myZyXEL.com and activate the content filtering service, click REGISTRATION in the navigation panel to open the screen as shown next. Figure 90 REGISTRATION. The following table describes the labels in this screen. Table 21 REGISTRATION (labels: Device Registration...
  • Page 143: Service

    Table 21 REGISTRATION (continued; labels: Apply, Reset). If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Figure 91 REGISTRATION: Registered Device. 5.3 Service. After you activate a trial, you can also use the Service screen to register and enter your iCard's PIN number (license key).
  • Page 144: Figure 92 REGISTRATION > Service

    Figure 92 REGISTRATION > Service. The following table describes the labels in this screen. Table 22 REGISTRATION > Service (labels: Service Management, Service Status, Registration Type, Expiration Day, License Upgrade, License Key, Service License Refresh). Service Management: this field displays the service name available on the ZyWALL. Service Status: this field displays whether a service is activated (Active) or not (Inactive).
  • Page 145: Network and Wireless

    Network and Wireless: LAN Screens (147), Bridge Screens (159), WAN Screens (165), DMZ Screens (201), Wireless LAN (211).
  • Page 147: LAN Screens

    Chapter 6 LAN Screens. This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. 6.1 LAN, WAN and the ZyWALL. A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL's LAN ports.
  • Page 148: Private IP Addresses

    Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 149: DHCP

    6.3 DHCP. The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server.
  • Page 150: WINS

    224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
  • Page 151: Figure 94 NETWORK > LAN

    Figure 94 NETWORK > LAN. The following table describes the labels in this screen. Table 23 NETWORK > LAN. LAN TCP/IP, IP Address: type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 152: Table 23 NETWORK > LAN (continued). RIP Version: the RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 153: LAN Static DHCP

    Table 23 NETWORK > LAN (continued). Allow between LAN and WAN2: select this check box to forward NetBIOS packets from the LAN to WAN 2 and from WAN 2 to the LAN. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN 2 to LAN firewall rule that forwards NetBIOS traffic. Forwarding NetBIOS to a WAN interface exposes name-service and file-sharing ports to that network, so leave this cleared unless you need it.
  • Page 154: LAN IP Alias

    Figure 95 NETWORK > LAN > Static DHCP. The following table describes the labels in this screen. Table 24 NETWORK > LAN > Static DHCP (labels: MAC Address, IP Address, Apply, Reset). 6.9 LAN IP Alias. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. Because the logical networks share one Ethernet segment, IP alias separates addressing but does not isolate hosts from each other at layer 2.
  • Page 155: Figure 96 Physical Network & Partitioned Logical Networks

    The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 156: LAN Port Roles

    The following table describes the labels in this screen. Table 25 NETWORK > LAN > IP Alias (labels: Enable IP Alias 1, IP Address, IP Subnet Mask, RIP Direction, RIP Version, Apply, Reset). 6.10 LAN Port Roles. Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface.
  • Page 157: Figure 98 NETWORK > LAN > Port Roles

    Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens. Figure 98 NETWORK > LAN > Port Roles. The following table describes the labels in this screen. Table 26 NETWORK > LAN > Port Roles. Select a port's LAN radio button to use the port as part of the LAN.
  • Page 159: Bridge Screens

    Chapter 7 Bridge Screens. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 7.1 Bridge Loop. The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL.
  • Page 160: Spanning Tree Protocol (STP)

    7.2 Spanning Tree Protocol (STP). STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network. BPDUs are not authenticated, so any device on the segment that advertises a lower bridge priority can become the root bridge and reshape the forwarding paths; enable RSTP only on ports that face bridges you trust. 7.2.1 Rapid STP. The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...
  • Page 161: STP Port States

    Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down.
  • Page 162: Figure 101 NETWORK > Bridge

    Figure 101 NETWORK > Bridge. The following table describes the labels in this screen. Table 29 NETWORK > Bridge (labels: Bridge IP Address Setup: IP Address, IP Subnet Mask, Gateway IP Address, First/Second/Third DNS Server; Rapid Spanning Tree Protocol Setup: Enable Rapid Spanning Tree Protocol...
  • Page 163: Bridge Port Roles

    Table 29 NETWORK > Bridge (continued; labels: Bridge Priority, Bridge Hello Time, Bridge Max Age, Forward Delay, Bridge Port, RSTP Active, RSTP Priority 0 (highest) to 240 (lowest), RSTP Path Cost 1 (lowest) to 65535 (highest), Apply, Reset). 7.4 Bridge Port Roles. Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.
  • Page 164: Figure 102 NETWORK > Bridge > Port Roles

    Figure 102 NETWORK > Bridge > Port Roles. The following table describes the labels in this screen. Table 30 NETWORK > Bridge > Port Roles (labels: WLAN, Apply, Reset). After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few seconds until the following screen appears.
  • Page 165: WAN Screens

    Chapter 8 WAN Screens. This chapter describes how to configure WAN settings. WAN 2 refers to the 3G card on the supported ZyWALL in router mode. 8.1 WAN Overview. • Use the WAN General screen to configure load balancing, route priority and connection test for the ZyWALL.
  • Page 166: Load Balancing Introduction

    The ZyWALL's NAT feature allows you to configure sets of rules for one WAN interface and separate sets of rules for the other WAN interface; refer to the NAT chapter for details. You can select through which WAN interface you want to send out traffic from UPnP-enabled applications (see Chapter 23). The ZyWALL's DDNS lets you select which WAN interface you want to use for each...
  • Page 167: Weighted Round Robin

    Figure 104 Least Load First Example. If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below. Since WAN 2 has the smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2.
  • Page 168: Spillover

    This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively.
  • Page 169: WAN Interface to Local Host Mapping Timeout

    8.5 WAN Interface to Local Host Mapping Timeout. You can set the ZyWALL to send all of a local computer's traffic through the same WAN interface. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file.
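    The Least Load First index, the Weighted Round Robin ratio (with 0 meaning the interface gets no traffic), the host-to-WAN mapping timeout of 8.5 and the connectivity check with its Check Fail Tolerance in the WAN General screen fit together into one selection path: which interfaces are up, which of those the algorithm picks, and whether the host is already pinned. The following added example models that path; it is editor-written illustration code, not ZyXEL firmware. The figures 412K and 198K, the 1M and 512K bandwidths and the 2:1 weights come from the page. Assumed: the Least Load First case uses the same 1M and 512K bandwidths, a Check Fail Tolerance of 3, and a mapping timer that restarts on every packet from the host.

```python
"""Model of ZyWALL WAN selection: health check, LLF, WRR, host mapping (added example)."""
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, Iterator, List, Tuple


@dataclass
class Wan:
    name: str
    available_kbps: int           # configured available bandwidth
    measured_kbps: int = 0        # throughput measured over the Time Frame
    fail_tolerance: int = 3       # Check Fail Tolerance (1-10); 3 is assumed
    _failures: int = 0            # consecutive failed connectivity checks

    def record_check(self, ok: bool) -> None:
        """Result of a periodic connectivity test. A "down" link keeps being
        checked, so one success brings it back."""
        self._failures = 0 if ok else self._failures + 1

    @property
    def is_up(self) -> bool:
        return self._failures < self.fail_tolerance

    @property
    def load_index(self) -> float:
        """Load balancing index: measured throughput over configured bandwidth."""
        return self.measured_kbps / self.available_kbps


def least_load_first(wans: List[Wan]) -> str:
    """New sessions go to the up interface with the smallest index."""
    up = [w for w in wans if w.is_up]
    if not up:
        raise RuntimeError("no WAN interface is up")
    return min(up, key=lambda w: w.load_index).name


def weighted_round_robin(weights: Dict[str, int]) -> Iterator[str]:
    """Cycle interfaces in proportion to their Ratio; weight 0 excludes one."""
    order = [name for name, w in weights.items() for _ in range(w)]
    if not order:
        raise ValueError("every weight is 0")
    return cycle(order)


class HostMapping:
    """WAN interface to local host mapping with a timeout (8.5)."""

    def __init__(self, choose: Callable[[], str], timeout_s: int):
        self.choose = choose              # returns the next interface name
        self.timeout_s = timeout_s
        self.table: Dict[str, Tuple[str, float]] = {}   # host -> (wan, expires_at)

    def wan_for(self, host: str, now: float) -> str:
        entry = self.table.get(host)
        if entry and now < entry[1]:
            wan = entry[0]                # still pinned to the same interface
        else:
            wan = self.choose()           # expired or new host: pick afresh
        self.table[host] = (wan, now + self.timeout_s)   # assumed: timer restarts on use
        return wan


def page_examples() -> Tuple[str, List[str]]:
    """The two worked cases from the page: LLF with 412K/198K, WRR with 2:1."""
    llf = least_load_first([Wan("WAN1", 1024, 412), Wan("WAN2", 512, 198)])
    it = weighted_round_robin({"WAN1": 2, "WAN2": 1})
    wrr = [next(it) for _ in range(6)]
    return llf, wrr


if __name__ == "__main__":
    print(page_examples())      # ('WAN2', ['WAN1', 'WAN1', 'WAN2', 'WAN1', 'WAN1', 'WAN2'])
    m = HostMapping(weighted_round_robin({"WAN1": 2, "WAN2": 1}).__next__, timeout_s=300)
    print(m.wan_for("192.168.1.33", 0), m.wan_for("192.168.1.33", 100))   # WAN1 WAN1
```

    With 412K of 1M on WAN 1 (index 0.40) against 198K of 512K on WAN 2 (0.39), WAN 2 wins by a small margin; had WAN 2 been configured with 256K the index would be 0.77 and the decision would flip, which is why the configured available bandwidth must reflect the real link.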
  • Page 170: Tcp/Ip Priority (Metric)

    Chapter 8 WAN Screens 8.6 TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1"...
  • Page 171: Figure 108 Network > Wan General

    Chapter 8 WAN Screens Figure 108 NETWORK > WAN General ZyWALL 2WG User’s Guide...
  • Page 172: Table 33 Network > Wan General

    Chapter 8 WAN Screens The following table describes the labels in this screen. Table 33 NETWORK > WAN General LABEL DESCRIPTION Active/Passive Select the Active/Passive (fail over) operation mode to have the ZyWALL use the (Fail Over) Mode second highest priority WAN interface as a back up. This means that the ZyWALL will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields).
  • Page 173 Table 33 NETWORK > WAN General (continued) LABEL DESCRIPTION Check Fail Type how many WAN connection checks can fail (1-10) before the connection is Tolerance considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects. Check WAN1/2 Select the check box to have the ZyWALL periodically test the respective WAN Connectivity...
  • Page 174: Configuring Load Balancing

    Chapter 8 WAN Screens Table 33 NETWORK > WAN General (continued) LABEL DESCRIPTION Allow Trigger Dial Select this option to allow NetBIOS packets to initiate calls. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 8.8 Configuring Load Balancing To configure load balancing on the ZyWALL, click NETWORK >...
  • Page 175: Weighted Round Robin

    Table 34 Load Balancing: Least Load First (continued) LABEL DESCRIPTION Time Frame You can set the ZyWALL to get the measured bandwidth using the average bandwidth in the specified time interval. Enter the time interval between 10 and 600 seconds. Load Balancing Specify the direction of the traffic utilization you want the ZyWALL to use in Index(es)
  • Page 176: Spillover

    Chapter 8 WAN Screens Table 35 Load Balancing: Weighted Round Robin (continued) LABEL DESCRIPTION Interface This field displays the name of the WAN interface (WAN 1 and WAN 2). Ratio Specify the weight for the interface. Enter 0 to set the ZyWALL not to send traffic load to the interface.
  • Page 177: Wan Ip Address Assignment

    8.9 WAN IP Address Assignment Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
  • Page 178: Wan Mac Address

    Chapter 8 WAN Screens 8.11 WAN MAC Address Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
  • Page 179: Figure 112 Network > Wan > Wan 1 (Ethernet Encapsulation)

    Figure 112 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) The following table describes the labels in this screen. Table 38 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 180 Chapter 8 WAN Screens Table 38 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) (continued) LABEL DESCRIPTION Login Server Type the domain name of the Telia login server, for example login1.telia.com. (Telia Login only) Relogin The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Every(min) Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait (Telia Login only)
  • Page 181: Pppoe Encapsulation

    Table 38 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) (continued) LABEL DESCRIPTION Multicast Version Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group – it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
  • Page 182: Figure 113 Network > Wan > Wan 1 (Pppoe Encapsulation)

    Chapter 8 WAN Screens Figure 113 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) The following table describes the labels in this screen. Table 39 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPPoE for a dial-up connection using PPPoE.
  • Page 183 Table 39 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) (continued) LABEL DESCRIPTION Authentication The ZyWALL supports PAP (Password Authentication Protocol) and CHAP Type (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
  • Page 184: Pptp Encapsulation

    Chapter 8 WAN Screens Table 39 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) (continued) LABEL DESCRIPTION Enable Multicast Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
  • Page 185: Figure 114 Network > Wan > Wan 1 (Pptp Encapsulation)

    Figure 114 NETWORK > WAN > WAN 1 (PPTP Encapsulation) The following table describes the labels in this screen. Table 40 NETWORK > WAN > WAN 1 (PPTP Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time.
  • Page 186 Table 40 NETWORK > WAN > WAN 1 (PPTP Encapsulation) (continued) LABEL: Authentication Type, Nailed-up, Idle Timeout, PPTP Configuration, My IP Address, My IP Subnet Mask, Server IP Address, Connection ID/Name, WAN IP Address Assignment, Get automatically from ISP, Use Fixed IP...
  • Page 187: WAN 2 (3G WAN)

    Table 40 NETWORK > WAN > WAN 1 (PPTP Encapsulation) (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 188: Table 41 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies

    The actual data rate you obtain varies depending on the 3G card you use, the signal strength of the service provider’s base station, your service plan, etc. If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network.
  • Page 189 Turn the ZyWALL off before you install or remove the 3G card. The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. ZyWALL 2WG User’s Guide...
  • Page 190: Figure 115 NETWORK > WAN > WAN 2 (3G WAN)

    Figure 115 NETWORK > WAN > WAN 2 (3G WAN) The following table describes the labels in this screen. Table 42 NETWORK > WAN > WAN 2 (3G WAN) LABEL DESCRIPTION WAN2 Setup Enable Select this option to enable WAN 2. 3G Card The fields below display only when you enable WAN 2.
  • Page 191 Table 42 NETWORK > WAN > WAN 2 (3G WAN) (continued) LABEL DESCRIPTION 3G Wireless Card This displays the manufacturer and model name of your 3G card if you inserted one in the ZyWALL. Otherwise, it displays Not Installed. Network Type Select the type of the network (UMTS/HSDPA only, GPRS/EDGE only, GSM all or WCDMA all) to which you want the card to connect.
  • Page 192 Table 42 NETWORK > WAN > WAN 2 (3G WAN) (continued) LABEL DESCRIPTION Phone Number Enter the phone number (dial string) used to dial up a connection to your service provider’s base station. Your ISP should provide the dial string. By default, *99# is the dial string for GSM-based networks and #777 is the dial string for CDMA-based networks.
  • Page 193: Traffic Redirect

    Table 42 NETWORK > WAN > WAN 2 (3G WAN) (continued) LABEL DESCRIPTION Reset time and data budget counters This button is available only when you enable budget control in this screen. Click this button to reset the time and data budgets immediately. The count starts over with the 3G connection’s full configured monthly time and data budgets.
  • Page 194: Configuring Traffic Redirect

    IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
  • Page 195: Configuring Dial Backup

    8.16 Configuring Dial Backup Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Figure 119 NETWORK > WAN > Dial Backup The following table describes the labels in this screen. Table 44 NETWORK >...
  • Page 196 Table 44 NETWORK > WAN > Dial Backup (continued) LABEL: Login Name, Password, Retype to Confirm, Authentication Type, Primary/Secondary Phone Number, Dial Backup Port Speed, AT Command Initial String, Advanced Modem Setup, TCP/IP Options, Get IP Address Automatically from Remote Server, Used Fixed IP...
  • Page 197: Advanced Modem Setup

    Table 44 NETWORK > WAN > Dial Backup (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically.
  • Page 198: DTR Signal

    8.17.2 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.
  • Page 199: Table 45 NETWORK > WAN > Dial Backup > Edit

    The following table describes the labels in this screen. Table 45 NETWORK > WAN > Dial Backup > Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath"...
  • Page 201: DMZ Screens

    CHAPTER 9 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 202: Figure 121 NETWORK > DMZ

    Chapter 9 DMZ Screens Figure 121 NETWORK > DMZ The following table describes the labels in this screen. Table 46 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets. IP Subnet Mask, RIP Direction
  • Page 203 Table 46 NETWORK > DMZ (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 204: DMZ Static DHCP

    Table 46 NETWORK > DMZ (continued) LABEL: Allow between DMZ and WAN 2, Allow between DMZ and WLAN, Apply, Reset. 9.3 DMZ Static DHCP This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses.
  • Page 205: DMZ IP Alias

    Figure 122 NETWORK > DMZ > Static DHCP The following table describes the labels in this screen. Table 47 NETWORK > DMZ > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your DMZ.
  • Page 206: Figure 123 NETWORK > DMZ > IP Alias

    The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 207: DMZ Public IP Address Example

    Table 48 NETWORK > DMZ > IP Alias (continued) LABEL DESCRIPTION IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers.
  • Page 208: DMZ Private and Public IP Address Example

    Figure 124 DMZ Public Address Example 9.6 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet.
  • Page 209: DMZ Port Roles

    Figure 125 DMZ Private and Public Address Example 9.7 DMZ Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address varies as its role changes, so make sure your computer's IP address is in...
  • Page 210: Figure 126 NETWORK > DMZ > Port Roles

    Figure 126 NETWORK > DMZ > Port Roles The following table describes the labels in this screen. Table 49 NETWORK > DMZ > Port Roles LABEL: WLAN, Apply, Reset. DESCRIPTION: Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC address.
  • Page 211: Wireless LAN

    CHAPTER 10 Wireless LAN This chapter discusses how to configure wireless LAN on the ZyWALL. 10.1 Wireless LAN Introduction A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
  • Page 212: Configuring WLAN

    Chapter 10 Wireless LAN • Every wireless client in the same wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity. • If two wireless networks overlap, they should use different channels. Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.
  • Page 213: Figure 128 NETWORK > WLAN

    Figure 128 NETWORK > WLAN The following table describes the labels in this screen. Table 50 NETWORK > WLAN LABEL DESCRIPTION WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets. IP Subnet Mask The subnet mask specifies the network number portion of an IP address.
  • Page 214 Table 50 NETWORK > WLAN (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 215: WLAN Static DHCP

    Table 50 NETWORK > WLAN (continued) LABEL DESCRIPTION Allow between WLAN and WAN 2 Select this check box to forward NetBIOS packets from the WLAN to WAN 2 and from WAN 2 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN 2 and from WAN 2 to the WLAN.
  • Page 216: WLAN IP Alias

    Figure 129 NETWORK > WLAN > Static DHCP The following table describes the labels in this screen. Table 51 NETWORK > WLAN > Static DHCP LABEL: MAC Address, IP Address, Apply, Reset. 10.4 WLAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
  • Page 217: Figure 130 NETWORK > WLAN > IP Alias

    The ZyWALL has a single WLAN interface. Even though more than one of ports 1~4 may be in the WLAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The ZyWALL supports three logical WLAN interfaces via its single physical WLAN Ethernet interface.
  • Page 218: WLAN Port Roles

    Table 52 NETWORK > WLAN > IP Alias (continued) LABEL: RIP Direction, RIP Version, Apply, Reset. 10.5 WLAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.
  • Page 219: Figure 131 WLAN Port Role Example

    Figure 131 WLAN Port Role Example Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
  • Page 220: Wireless Security Overview

    Figure 132 NETWORK > WLAN > Port Roles The following table describes the labels in this screen. Table 53 NETWORK > WLAN > Port Roles LABEL: WLAN, Apply, Reset. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few seconds until the following screen appears.
  • Page 221: SSID

    10.6.1 SSID Normally, the AP acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the AP does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess. This type of security is fairly weak, however, because there are ways for unauthorized devices to get the SSID.
  • Page 222: Encryption

    Unauthorized devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.
  • Page 223: Additional Installation Requirements for Using 802.1X

    It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database. In this case, it is better to set up stronger encryption with no authentication than to set up weaker encryption with the local user database. If some wireless clients support WPA and some support WPA2, you should set up WPA2-PSK-Mix or WPA2-Mix (depending on the type of wireless network login) in the ZyWALL.
  • Page 224: Figure 134 WIRELESS > Wi-Fi > Wireless Card

    Figure 134 WIRELESS > Wi-Fi > Wireless Card The following table describes the labels in this screen. Table 55 WIRELESS > Wi-Fi > Wireless Card LABEL DESCRIPTION Enable Wireless Card The wireless LAN through a wireless LAN card is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security;...
  • Page 225 Table 55 WIRELESS > Wi-Fi > Wireless Card (continued) LABEL DESCRIPTION 802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyWALL. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyWALL.
  • Page 226: SSID Profile

    Table 55 WIRELESS > Wi-Fi > Wireless Card (continued) LABEL DESCRIPTION SSID This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
  • Page 227: Configuring Wireless Security

    The following table describes the labels in this screen. Table 56 Configuring SSID LABEL: Name, SSID, Hide SSID, Security, RADIUS, Enable MAC Filtering, Apply, Cancel. 10.8 Configuring Wireless Security Click WIRELESS > Wi-Fi > Security to open the Security screen. Use this screen to create security profiles.
  • Page 228: No Security

    Table 57 Security Modes (SECURITY MODE: WPA2-MIX, WPA2-PSK, WPA2-PSK-MIX) Figure 136 WIRELESS > Wi-Fi > Security The following table describes the labels in this screen. Table 58 WIRELESS > Wi-Fi > Security LABEL DESCRIPTION Security Profile Index This is the index number of the security profile.
  • Page 229: Static WEP

    Figure 137 WIRELESS > Wi-Fi > Security: None The following table describes the wireless LAN security labels in this screen. Table 59 WIRELESS > Wi-Fi > Security: None LABEL DESCRIPTION Name Type a name (up to 32 printable 7-bit ASCII characters) to identify this security profile. Security Mode Select None to allow wireless clients to communicate with the access points without any data encryption.
  • Page 230: IEEE 802.1X Only

    The following table describes the labels in this screen. Table 60 WIRELESS > Wi-Fi > Security: WEP LABEL DESCRIPTION Name Type a name to identify this security profile. Security Mode Select WEP from the drop-down list. WEP Encryption WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
  • Page 231: IEEE 802.1X + Static WEP

    Table 61 WIRELESS > Wi-Fi > Security: 802.1x Only (continued) LABEL DESCRIPTION ReAuthentication Timer Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
  • Page 232: WPA, WPA2, WPA2-Mix

    Table 62 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP (continued) LABEL DESCRIPTION Key 1 to Key 4 If you chose 8021X-Static64 in the Security Mode field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
  • Page 233: WPA-PSK, WPA2-PSK, WPA2-PSK-Mix

    The following table describes the labels in this screen. Table 63 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX LABEL DESCRIPTION Name Type a name to identify this security profile. Security Mode Select WPA, WPA2 or WPA2-MIX from the drop-down list. ReAuthentication Timer Specify how often wireless clients have to resend user names and passwords in...
  • Page 234: Figure 142 WIRELESS > Wi-Fi > Security: WPA(2)-PSK

    Figure 142 WIRELESS > Wi-Fi > Security: WPA(2)-PSK The following table describes the labels in this screen. Table 64 WIRELESS > Wi-Fi > Security: WPA(2)-PSK LABEL DESCRIPTION Name Type a name to identify this security profile. Security Mode Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the drop-down list.
  • Page 235: MAC Filter

    10.9 MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the ZyWALL (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 236 Table 65 WIRELESS > Wi-Fi > MAC Filter LABEL DESCRIPTION MAC Address Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyWALL in these address fields. Apply Click Apply to save your changes back to the ZyWALL.
  • Page 237: Security

    Security: Firewall (239), Content Filtering Screens (271), Content Filtering Reports (293), IPSec VPN (301), Certificates (349), Authentication Server (379)
  • Page 239: Firewall

    CHAPTER 11 Firewall This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview In networking, a firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network.
  • Page 240: Packet Direction Matrix

    Chapter 11 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
  • Page 241: Figure 146 Default Block Traffic from WAN1 to DMZ Example

    Packets have a source and a destination. The packet direction matrix in the lower part of the screen sets what the ZyWALL does with packets traveling in a specific direction that do not match any of the firewall rules. From A specific interface or any of the ZyWALL’s VPN connections To set the ZyWALL to by default silently block traffic from WAN 1 from going to the DMZ...
  • Page 242: Packet Direction Examples

    11.3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of packets to which they apply. This section gives some examples of why you might configure firewall rules for specific connection directions. By default, the ZyWALL allows packets traveling in the following directions: •...
  • Page 243: To VPN Packet Direction

    • WAN to WAN Chapter 4 on page 101 11.3.1 To VPN Packet Direction The ZyWALL can apply firewall rules to traffic before encrypting it to send through a VPN tunnel. To VPN means traffic that comes in through the selected “from” interface and goes out through any of the ZyWALL’s VPN tunnels.
  • Page 244: From VPN Packet Direction

    In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 148 Block DMZ to VPN Traffic by Default Example 11.3.2 From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules.
  • Page 245: Figure 149 From VPN to LAN Example

    Figure 149 From VPN to LAN Example In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.
  • Page 246: From VPN to VPN Packet Direction

    Figure 150 Block VPN to LAN Traffic by Default Example 11.3.3 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN, see Section 14.20 on page 344). The ZyWALL applies the firewall rules before re-encrypting the traffic or allowing it to terminate at the ZyWALL.
  • Page 247: Figure 151 From VPN to VPN Example

    Figure 151 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 152 Block VPN to VPN Traffic by Default Example
  • Page 248: Security Considerations

    11.4 Security Considerations Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
  • Page 249: Figure 154 Limited LAN to WAN IRC Traffic Example

    Your firewall would have the following configuration. Table 66 Blocking All LAN to WAN IRC Traffic Example SOURCE Default • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
  • Page 250: Asymmetrical Routes

    • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
  • Page 251: Firewall Default Rule (Router Mode)

    Figure 155 Using IP Alias to Solve the Triangle Route Problem 11.7 Firewall Default Rule (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 156 SECURITY >...
  • Page 252: Table 68 SECURITY > FIREWALL > Default Rule (Router Mode)

    The following table describes the labels in this screen. Table 68 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules.
  • Page 253: Firewall Default Rule (Bridge Mode)

    Table 68 SECURITY > FIREWALL > Default Rule (Router Mode) (continued) LABEL DESCRIPTION From, To The firewall rules are grouped by the direction of packet travel. This displays the number of rules for each packet direction. Click the edit icon to go to a summary screen of the rules for that packet direction.
  • Page 254: Figure 157 SECURITY > FIREWALL > Default Rule (Bridge Mode)

    Figure 157 SECURITY > FIREWALL > Default Rule (Bridge Mode) The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall rules storage space that is currently in use.
  • Page 255: Firewall Rule Summary

    Table 69 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION From, To The firewall rules are grouped by the direction of packet travel. This displays the number of rules for each packet direction. Click the edit icon to go to a summary screen of the rules for that packet direction.
  • Page 256: Figure 158 SECURITY > FIREWALL > Rule Summary

    The ordering of your rules is very important as rules are applied in the order that they are listed. Section 11.1 on page 239 Figure 158 SECURITY > FIREWALL > Rule Summary The following table describes the labels in this screen. Table 70 SECURITY >...
  • Page 257: Firewall Edit Rule

    Table 70 SECURITY > FIREWALL > Rule Summary LABEL DESCRIPTION This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop down lists.
  • Page 258: Figure 159 SECURITY > FIREWALL > Rule Summary > Edit

    Figure 159 SECURITY > FIREWALL > Rule Summary > Edit
  • Page 259: Table 71 SECURITY > FIREWALL > Rule Summary > Edit

    The following table describes the labels in this screen. Table 71 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed. Edit Source/ Destination Address...
  • Page 260: Anti-Probing

    Table 71 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Action for Matched Packets Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  • Page 261: Firewall Thresholds

    The following table describes the labels in this screen. Table 72 SECURITY > FIREWALL > Anti-Probing LABEL DESCRIPTION Respond to PING Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface’s check box to have the ZyWALL not respond to any Ping requests that come into that interface.
  • Page 262: Threshold Values

    11.11.1 Threshold Values If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyWALL is classifying normal traffic as DoS attacks.
  • Page 263: Table 73 SECURITY > FIREWALL > Threshold

    The following table describes the labels in this screen. Table 73 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds. This disables DoS protection on the selected interface (or all VPN tunnels).
  • Page 264: Service

    11.13 Service Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. Section 11.1 on page 239 Figure 163 SECURITY >...
  • Page 265: Firewall Edit Custom Service

    Table 74 SECURITY > FIREWALL > Service (continued) LABEL DESCRIPTION Protocol This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered. Attribute This is the IP port number or ICMP type and code that defines the service. Modify Click the edit icon to go to the screen where you can edit the service.
  • Page 266: My Service Firewall Rule Example

    The following table describes the labels in this screen. Table 75 SECURITY > FIREWALL > Service > Add LABEL: Service Name, IP Protocol, Port Range, Type/Code, Apply, Cancel. 11.14 My Service Firewall Rule Example The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
  • Page 267: Figure 166 My Service Firewall Rule Example: Edit Custom Service

    Figure 166 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN1 and LAN from the Packet Direction drop-down list boxes and click Refresh to display existing firewall rules for the selected direction of travel of packets. 4 Click the insert icon at the top of the row to create the new firewall rule before the others.
  • Page 268: Figure 168 My Service Firewall Rule Example: Rule Edit: Source And Destination Addresses

    Figure 168 My Service Firewall Rule Example: Rule Edit: Source and Destination Addresses 8 In the Edit Service section, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list boxes and the Rule Summary screen’s Service Type list box.
  • Page 269: Figure 169 My Service Firewall Rule Example: Edit Rule: Service Configuration

    Figure 169 My Service Firewall Rule Example: Edit Rule: Service Configuration Rule 1 allows a My Service connection from WAN 1 to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 270: Figure 170 My Service Firewall Rule Example: Rule Summary: Completed

    Figure 170 My Service Firewall Rule Example: Rule Summary: Completed
  • Page 271: Content Filtering Screens

    CHAPTER 12 Content Filtering Screens This chapter provides an overview of content filtering. 12.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites. With content filtering, you can do the following: 12.1.1 Restrict Web Features The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and disable web proxies.
  • Page 272: Content Filter General Screen

    Chapter 12 Content Filtering Screens Figure 171 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
  • Page 273: Figure 172 SECURITY > CONTENT FILTER > General

    Figure 172 SECURITY > CONTENT FILTER > General The following table describes the labels in this screen. Table 76 SECURITY > CONTENT FILTER > General LABEL: General Setup, Enable Content Filter, Enable Content Filter for VPN traffic, External Database Service General Setup, Enable External Database Content Filtering...
  • Page 274 Table 76 SECURITY > CONTENT FILTER > General LABEL Matched Web Pages Unrated Web Pages When Content Filter Server Is Unavailable Content Filter Server Unavailable Timeout Enable Report Service External Database Service License Status DESCRIPTION Select Block to prevent users from accessing web pages that match the categories that you select below.
  • Page 275: Content Filter Policy

    Table 76 SECURITY > CONTENT FILTER > General LABEL License Status Message to display when a site is blocked Denied Access Message Redirect URL Apply Reset 12.4 Content Filter Policy Click SECURITY > CONTENT FILTER > Policy to display the following screen. This screen lists groups of content filtering settings called policies.
  • Page 276: Figure 173 Security > Content Filter > Policy

    Figure 173 SECURITY > CONTENT FILTER > Policy The following table describes the labels in this screen. Table 77 SECURITY > CONTENT FILTER > Policy LABEL Content Filter Storage Space in Use The following fields summarize the content filter policies you have created. Name Active Group Address...
  • Page 277: Content Filter Policy: General

    Table 77 SECURITY > CONTENT FILTER > Policy (continued) LABEL Insert Move 12.5 Content Filter Policy: General Click SECURITY > CONTENT FILTER > Policy and use the Insert button or a policy’s general icon to display the following screen. Use this screen to restrict web features and edit the source (user) addresses or ranges of addresses to which the content filter policy applies.
  • Page 278: Content Filter Policy: External Database

    Table 78 SECURITY > CONTENT FILTER > Policy > General (continued) LABEL Restrict Web Features Block ActiveX Java Applet Cookies Web Proxy Address Setup Address Type Start IP Address End IP Address Subnet Mask Modify Delete Apply Cancel...
  • Page 279: Figure 175 Security > Content Filter > Policy > External Database

    Figure 175 SECURITY > CONTENT FILTER > Policy > External Database The following table describes the labels in this screen. Table 79 SECURITY > CONTENT FILTER > Policy > External Database LABEL Policy Name Active Select Categories Select All Categories Clear All Categories Adult/Mature Content Pornography...
  • Page 280 Table 79 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL Sex Education Intimate Apparel/Swimsuit Nudity Alcohol/Tobacco Illegal/Questionable Gambling Violence/Hate/Racism Weapons Abortion DESCRIPTION Selecting this category excludes pages that provide information (sometimes graphic) on reproduction, sexual development, safe sex practices, sexuality and birth control.
  • Page 281 Table 79 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL Hacking Phishing Arts/Entertainment Business/Economy Alternative Spirituality/Occult Illegal Drugs Education Cultural/Charitable Organization Financial Services Brokerage/Trading Online Games DESCRIPTION Selecting this category excludes pages that distribute, promote, or... Selecting this category excludes pages that promote and provide...
  • Page 282 Table 79 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL Government/Legal Military Political/Activist Groups Health Computers/Internet Search Engines/Portals Spyware/Malware Sources Spyware Effects/Privacy Concerns Job Search/Careers News/Media Personals/Dating DESCRIPTION Selecting this category excludes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services.
  • Page 283 Table 79 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL Reference Open Image/Media Search Chat/Instant Messaging Email Blogs/Newsgroups Religion Social Networking Online Storage Remote Access Tools Shopping Auctions Real Estate DESCRIPTION Selecting this category excludes pages containing personal, professional, or educational reference, including online dictionaries,...
  • Page 284 Table 79 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL Society/Lifestyle Sexuality/Alternative Lifestyles Restaurants/Dining/Food Sports/Recreation/Hobbies Travel Vehicles Humor/Jokes Software Downloads Pay to Surf Peer-to-Peer Streaming Media/MP3s Proxy Avoidance For Kids Web Advertisements DESCRIPTION Selecting this category excludes pages providing information on matters of daily life.
  • Page 285: Content Filter Policy: Customization

    Table 79 SECURITY > CONTENT FILTER > Policy > External Database (continued) LABEL Web Hosting Advanced/Basic Test Web Site Attribute Test if Web site is blocked Test Against Local Cache Test Against Internet Server Apply Cancel 12.7 Content Filter Policy: Customization Click SECURITY >...
  • Page 286: Figure 176 Security > Content Filter > Policy > Customization

    Figure 176 SECURITY > CONTENT FILTER > Policy > Customization The following table describes the labels in this screen. Table 80 SECURITY > CONTENT FILTER > Policy > Customization LABEL Policy Name Web Site List Customization Enable Web site customization Disable all Web traffic...
  • Page 287: Content Filter Policy: Schedule

    Table 80 SECURITY > CONTENT FILTER > Policy > Customization (continued) LABEL Available Trusted Object Trusted Web Sites Available Forbidden Object Forbidden Web Sites Keyword Blocking Block Web sites which contain these keywords. Available Keyword Object Keyword List Apply Cancel 12.8 Content Filter Policy: Schedule Click SECURITY >...
  • Page 288: Content Filter Object

    Figure 177 SECURITY > CONTENT FILTER > Policy > Schedule The following table describes the labels in this screen. Table 81 SECURITY > CONTENT FILTER > Policy > Schedule LABEL Policy Name Schedule Setup Always Everyday from/to Customization Apply...
  • Page 289: Figure 178 Security > Content Filter > Object

    Use this screen to configure a list of allowed web site addresses for this policy and a list of blocked web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list. To use this screen's settings in content filtering, you must use the SECURITY >...
  • Page 290: Customizing Keyword Blocking Url Checking

    Table 82 SECURITY > CONTENT FILTER > Object (continued) LABEL Delete Forbidden Web Site List Add Forbidden Web Site Forbidden Web Sites Delete Keyword Blocking Add Keyword Keyword List Delete Apply Reset 12.10 Customizing Keyword Blocking URL Checking You can use commands to set how much of a website's URL the content filter is to check for keyword blocking.
  • Page 291: Full Path Url Checking

    12.10.2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/ (the file name pressroom.php after the last slash is not searched). Use the command ip urlfilter customize actionFlags 6 [disable | enable] to extend (or not extend) the keyword blocking search to include the URL's full path.
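    The following Python is an added example, not code from the ZyXEL manual or from the ZyWALL firmware. It models the two keyword-blocking scopes described above: with full path checking disabled the filter is assumed to inspect only the host name (the domain name checking the previous subsection refers to), and with it enabled it inspects the host plus everything up to and including the last slash. The function names, the case-insensitive substring match, and the treatment of a URL with no path are this example's assumptions; the ZyWALL's own matching code is not reproduced here.

```python
from urllib.parse import urlsplit

# Added example, not ZyWALL code. Models the keyword-blocking scope that
# "ip urlfilter customize actionFlags 6 [disable | enable]" switches.


def url_scan_scope(url: str, full_path: bool) -> str:
    """Return the part of the URL the keyword filter inspects.

    full_path=False: host name only (assumed default domain-name checking)
    full_path=True : host name plus the path up to and including the last
                     slash, e.g. www.zyxel.com.tw/news/pressroom.php ->
                     www.zyxel.com.tw/news/
    """
    if "://" not in url:            # users usually type URLs without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""     # urlsplit lower-cases and strips any port
    if not full_path:
        return host
    path = parts.path
    # Keep the directory portion only: everything before and including the
    # last slash. A URL with an empty path is treated as "/" (assumption).
    directory = path[: path.rfind("/") + 1] if "/" in path else "/"
    return host + directory


def keyword_blocked(url: str, keywords, full_path: bool) -> list:
    """Return the configured keywords found in the inspected part of the URL.

    Keyword blocking is a plain text match on the address rather than a
    category lookup; case-insensitive matching is assumed here.
    """
    scope = url_scan_scope(url, full_path).lower()
    return [k for k in keywords if k.lower() in scope]


if __name__ == "__main__":
    url = "www.zyxel.com.tw/news/pressroom.php"
    for flag in (False, True):
        print(f"full path {'on ' if flag else 'off'}: scope={url_scan_scope(url, flag)!r}",
              "blocked by", keyword_blocked(url, ["news", "pressroom"], flag))
```

    With the manual's own URL, the keyword "news" is blocked only when full path checking is on, and "pressroom" is never matched because it sits after the last slash; that is the practical difference between the two settings when you choose keywords.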
  • Page 292: Figure 179 Security > Content Filter > Cache

    Figure 179 SECURITY > CONTENT FILTER > Cache The following table describes the labels in this screen. Table 83 SECURITY > CONTENT FILTER > Cache LABEL URL Cache Setup Maximum TTL Apply Reset URL Cache Entry Flush Refresh Category...
  • Page 293: Content Filtering Reports

    CHAPTER 13 Content Filtering Reports. This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 141 to activate the subscription services using the REGISTRATION screens. 13.1 Checking Content Filtering Activation After you activate content filtering, you need to wait up to five minutes for content filtering to be turned on.
  • Page 294: Figure 180 Myzyxel.com: Login

    Figure 180 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 182 on page 295).
  • Page 295: Figure 182 Myzyxel.com: Service Management

    Figure 182 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen. Type your myZyXEL.com account password in the Password field. 6 Click Submit. Figure 183 Blue Coat: Login 7 In the Web Filter Home screen, click the Reports tab.
  • Page 296: Figure 184 Content Filtering Reports Main Screen

    Figure 184 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 185 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 297: Figure 186 Global Report Screen Example

    Figure 186 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 298: Web Site Submission

    Figure 187 Requested URLs Example 13.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
  • Page 299: Figure 188 Web Page Review Process Screen

    Figure 188 Web Page Review Process Screen 3 Type the web site's URL in the field and click Submit to have the web site reviewed.
  • Page 301: Ipsec Vpn

    CHAPTER 14 IPSec VPN. This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL. 14.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines.
  • Page 302: Ike Sa Overview

    A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
  • Page 303: Vpn Rules (Ike)

    You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well.
  • Page 304: Figure 193 Security > Vpn > Vpn Rules (Ike)

    Figure 193 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in this screen. Table 84 SECURITY > VPN > VPN Rules (IKE) LABEL VPN Rules Gateway Policies My ZyWALL Remote Gateway Network Policies Local Network...
  • Page 305: Ike Sa Setup

    Table 84 SECURITY > VPN > VPN Rules (IKE) (continued) LABEL Recycle Bin 14.3 IKE SA Setup This section provides more details about IKE SAs. 14.3.1 IKE SA Proposal The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA.
  • Page 306: Figure 195 Ike Sa: Main Negotiation Mode, Steps 3 - 4: Dh Key Exchange

    Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 14.3.1.1 for more about DH key groups. 14.3.1.1 Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for the IKE SA and IPSec SA.
  • Page 307: Table 85 Vpn Example: Matching Id Type And Content

    The ZyWALL and the remote IPSec router must use the same pre-shared key. Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address.
  • Page 308 • Instead of using the pre-shared key, the ZyWALL and remote IPSec router check each other's certificates. • The local ID type and ID content come from the certificate. On the ZyWALL, you simply select which certificate to use. •...
  • Page 309: Additional Ipsec Vpn Topics

    Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its (unencrypted) identity to the ZyWALL for authentication. Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is established.
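    The following Python is an added example, not code from the ZyXEL manual or from the ZyWALL firmware. It simulates the phase 1 negotiation that Sections 14.3.1 through 14.3.2 describe, with both peers in one process: proposal selection, the Diffie-Hellman exchange in RFC 2409 Group 2 (DH2), SKEYID derivation from the pre-shared key, and the HASH_I / HASH_R exchange in which each side checks the other's ID type and ID content (Table 85) before accepting the authentication hash. The formulas follow RFC 2409; the encryption of the identity messages, ISAKMP payload encoding and retransmission are omitted, the peer dictionaries and function names are this example's own, and the 1024-bit prime is copied from RFC 2409 section 6.2.

```python
import hashlib
import hmac
import secrets

# Added example, not ZyWALL code. Simulates IKE phase 1 (main mode) with
# pre-shared key authentication between two peers using RFC 2409 formulas.

# Oakley Group 2 (1024-bit MODP) from RFC 2409 section 6.2, i.e. "DH2".
DH_GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GENERATOR = 2
DH_LEN = 128  # bytes in a Group 2 public value

# ISAKMP identification types (RFC 2407 section 4.6.2.1) behind the three
# ID types the gateway policy screen offers.
ID_TYPES = {"IP": 1, "DNS": 2, "E-mail": 3}


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, the prf when SHA1 is the IKE authentication algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()


def encode_id(id_type: str, content: str) -> bytes:
    """ID payload body: one type byte followed by the ID content."""
    return bytes([ID_TYPES[id_type]]) + content.encode()


def ike_phase1_psk(init: dict, resp: dict) -> tuple:
    """Run phase 1 between initiator `init` and responder `resp`.

    Each peer dict carries: psk (bytes), proposals (list of
    (encryption, authentication, dh_group) tuples), my_id and peer_id
    ((type, content) tuples). Returns (established, reason, skeyid_d).
    """
    # Steps 1-2: the responder picks the first initiator proposal it accepts.
    chosen = next((p for p in init["proposals"] if p in resp["proposals"]), None)
    if chosen is None:
        return False, "no matching IKE SA proposal", None
    sa_body = repr(chosen).encode()          # stands in for the SA payload
    # Steps 3-4: Diffie-Hellman. Private exponents never leave their peer;
    # only g^x values, nonces and cookies cross the wire.
    xi = secrets.randbelow(DH_GROUP2_PRIME - 2) + 1
    xr = secrets.randbelow(DH_GROUP2_PRIME - 2) + 1
    gxi = pow(DH_GENERATOR, xi, DH_GROUP2_PRIME).to_bytes(DH_LEN, "big")
    gxr = pow(DH_GENERATOR, xr, DH_GROUP2_PRIME).to_bytes(DH_LEN, "big")
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    gxy_i = pow(int.from_bytes(gxr, "big"), xi, DH_GROUP2_PRIME)
    gxy_r = pow(int.from_bytes(gxi, "big"), xr, DH_GROUP2_PRIME)
    assert gxy_i == gxy_r                    # both hold the same shared secret
    gxy = gxy_i.to_bytes(DH_LEN, "big")
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (RFC 2409 section 5.4).
    # Each side uses its own configured key, so mismatched keys diverge here.
    skeyid_i = prf(init["psk"], ni + nr)
    skeyid_r = prf(resp["psk"], ni + nr)
    # Step 5: initiator sends IDii and HASH_I.
    id_i = encode_id(*init["my_id"])
    hash_i = prf(skeyid_i, gxi + gxr + cky_i + cky_r + sa_body + id_i)
    # Responder: ID type and content must match its Peer ID, then HASH_I.
    if id_i != encode_id(*resp["peer_id"]):
        return False, "initiator ID does not match responder's Peer ID", None
    if not hmac.compare_digest(hash_i, prf(skeyid_r, gxi + gxr + cky_i + cky_r + sa_body + id_i)):
        return False, "HASH_I mismatch: pre-shared keys differ", None
    # Step 6: responder sends IDir and HASH_R; the initiator checks both.
    id_r = encode_id(*resp["my_id"])
    hash_r = prf(skeyid_r, gxr + gxi + cky_r + cky_i + sa_body + id_r)
    if id_r != encode_id(*init["peer_id"]):
        return False, "responder ID does not match initiator's Peer ID", None
    if not hmac.compare_digest(hash_r, prf(skeyid_i, gxr + gxi + cky_r + cky_i + sa_body + id_r)):
        return False, "HASH_R mismatch: pre-shared keys differ", None
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) seeds the IPSec SA keys.
    skeyid_d = prf(skeyid_i, gxy + cky_i + cky_r + b"\x00")
    return True, "IKE SA established", skeyid_d


if __name__ == "__main__":
    proposal = ("3DES", "SHA1", "DH2")
    hq = {"psk": b"s3cret", "proposals": [proposal],
          "my_id": ("IP", "5.6.7.8"), "peer_id": ("E-mail", "myVPN@myplace.com")}
    branch = {"psk": b"s3cret", "proposals": [("AES", "SHA1", "DH2"), proposal],
              "my_id": ("E-mail", "myVPN@myplace.com"), "peer_id": ("IP", "5.6.7.8")}
    print(ike_phase1_psk(branch, hq)[:2])
    print(ike_phase1_psk(dict(branch, psk=b"wrong"), hq)[:2])
```

    The failure paths are the ones you will see in the VPN log: a proposal mismatch fails before any key exchange, an ID type or content that differs from the configured Peer ID fails before the hash is even checked, and a wrong pre-shared key only shows up as a HASH_I or HASH_R mismatch because the key never travels over the network.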
  • Page 310: Sa Life Time

    14.4.1 SA Life Time SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations: • There is traffic when the SA life time expires •...
  • Page 311: Encryption And Authentication Algorithms

    Figure 198 IPSec High Availability When setting up an IPSec high availability VPN tunnel, the remote IPSec router: • Must have multiple WAN connections • Only needs one corresponding IPSec rule • Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections •...
  • Page 312: Vpn Rules (Ike) Gateway Policy Edit

    14.5 VPN Rules (IKE) Gateway Policy Edit In the VPN Rules (IKE) screen, click the add gateway policy icon to display the VPN - Gateway Policy - Edit screen. Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
  • Page 313: Figure 199 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    Figure 199 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
  • Page 314: Table 87 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    The following table describes the labels in this screen. Table 87 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy LABEL Property Name NAT Traversal Gateway Policy Information My ZyWALL Primary Remote Gateway Enable IPSec High Availability Redundant Remote Gateway...
  • Page 315 Table 87 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Fall back to Primary Remote Gateway when possible: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again. Fall Back Check...
  • Page 316 Table 87 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL Peer ID Type Content Extended Authentication Enable Extended Authentication DESCRIPTION Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address.
  • Page 317 Table 87 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Click Local User to go to the Local User Database screen where you can view...
  • Page 318: Ipsec Sa Overview

    Table 87 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL Associated Network Policies Name Local Network Remote Network Apply Cancel 14.6 IPSec SA Overview Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
  • Page 319: Virtual Address Mapping

    In most cases you should use virtual address mapping (see Section 14.6.2) to avoid overlapping local and remote network IP addresses. See the Local and Remote IP Address Conflict Resolution discussion in Section 14.17 for how the ZyWALL handles overlapping local and remote network IP addresses. 14.6.2 Virtual Address Mapping Virtual address mapping (NAT over IPSec) changes the source IP addresses of packets from your local devices to virtual IP addresses before sending them through the VPN tunnel.
  • Page 320: Active Protocol

    14.6.3 Active Protocol The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406).
  • Page 321: Ipsec Sa Proposal And Perfect Forward Secrecy

    In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.
  • Page 322: Figure 202 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    Figure 202 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
  • Page 323: Table 88 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    The following table describes the labels in this screen. Table 88 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 324 Table 88 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL Port Forwarding Rules Type Private Starting IP Address Private Ending IP Address Virtual Starting IP Address Virtual Ending IP Address Local Network Address Type Starting IP Address DESCRIPTION...
  • Page 325 Table 88 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL DESCRIPTION Ending IP Address/ When the Address Type field is configured to Single Address, this field is N/A. Subnet Mask When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 326: Network Policy Port Forwarding

    Table 88 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL SA Life Time (Seconds) Perfect Forward Secret (PFS) Enable Replay Detection Enable Multiple Proposals Apply Cancel 14.8 Network Policy Port Forwarding Click SECURITY >...
  • Page 327: Figure 203 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy > Port Forwarding

    Figure 203 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding The following table describes the labels in this screen. Table 89 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding LABEL DESCRIPTION Default Server...
  • Page 328: Network Policy Move

    14.9 Network Policy Move Click the move icon to display the Network Policy Move screen. A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or more network policies. •...
  • Page 329: Dialing The Vpn Tunnel Via Web Configurator

    14.10 Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. If you find a disconnect icon next to the rule you just created in the VPN Rules (IKE) screen, the ZyWALL automatically built the VPN tunnel.
  • Page 330: Vpn Troubleshooting

    Figure 207 VPN Tunnel Established 14.11 VPN Troubleshooting If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
  • Page 331: Ipsec Debug

    Figure 208 VPN Log Example
    ras> sys log disp ike ipsec
    .time message
    0|01/11/2001 18:47:22 |5.6.7.8 Rule [ex-1] Tunnel built successfully
    1|01/11/2001 18:47:22 |5.6.7.8 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
    2|01/11/2001 18:47:22 |5.6.7.8 Send:[HASH]
    3|01/11/2001 18:47:22 |5.6.7.8 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
    4|01/11/2001 18:47:22 |5.6.7.8 Adjust TCP MSS to 1398
    5|01/11/2001 18:47:22 |5.1.2.3...
  • Page 332: Figure 209 Ike/Ipsec Debug Example

    If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information. Type Figure 209 IKE/IPSec Debug Example ras> ipsec debug type ras>...
  • Page 333: Ipsec Sa Using Manual Keys

    14.13 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA.
  • Page 334: Figure 210 Security > Vpn > Vpn Rules (Manual)

    Figure 210 SECURITY > VPN > VPN Rules (Manual) The following table describes the labels in this screen. Table 91 SECURITY > VPN > VPN Rules (Manual) LABEL DESCRIPTION This is the VPN policy index number. Name This field displays the identification name for this VPN policy.
  • Page 335: Vpn Rules (Manual) Edit

    14.15 VPN Rules (Manual) Edit Click the Add button or the edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management; see Section 14.13 on page 333. Figure 211 SECURITY >...
  • Page 336 Table 92 SECURITY > VPN > VPN Rules (Manual) > Edit (continued) LABEL DESCRIPTION Allow NetBIOS Traffic Through IPSec Tunnel This field is not available when the ZyWALL is in bridge mode. NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to find other computers.
  • Page 337 Table 92 SECURITY > VPN > VPN Rules (Manual) > Edit (continued) LABEL DESCRIPTION My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.
  • Page 338: Vpn Sa Monitor

    14.16 VPN SA Monitor In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections.
  • Page 339: Figure 213 Overlap In A Dynamic Vpn Rule

    14.17.1.1 Dynamic VPN Rule Local and remote network IP addresses can overlap when you configure a dynamic VPN rule for a remote site (see Figure 213). For example, you configure the local network as 192.168.1.0/24 and the remote network as any (0.0.0.0). The "any" includes all possible IP addresses. It will forward traffic from network A to network B even if both the sender (for example 192.168.1.8) and the receiver (for example 192.168.1.9) are in network A.
  • Page 340: Figure 214 Overlap In Ip Alias And Vpn Remote Networks

    Figure 214 Overlap in IP Alias and VPN Remote Networks In this case, if you want to send packets from network A to an overlapped IP (ex. 10.1.2.241) that is in the IP alias network M, you have to set Local and Remote IP Address Conflict Resolution to The Local Network.
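    The following Python is an added example, not code from the ZyXEL manual or from the ZyWALL firmware. It ties together Section 14.6.2 (virtual address mapping) and the overlap cases above: an overlap check for a network policy's local and remote networks (including the "any" remote network of a dynamic rule), a packet-delivery decision that models the Local and Remote IP Address Conflict Resolution setting, and a one-to-one virtual address map that rewrites source addresses so the remote peer sees a range that no longer collides with its own. The function and class names, the "local"/"remote" values used for the resolution setting, and the sample ranges are this example's own.

```python
import ipaddress

# Added example, not ZyWALL code. Models overlap between a network policy's
# local and remote networks, conflict resolution for overlapped destinations,
# and virtual address mapping (NAT over IPSec) that removes the overlap.

ANY = "0.0.0.0/0"   # the "any" remote network of a dynamic VPN rule


def policy_overlaps(local_net: str, remote_net: str) -> bool:
    """True if the local and remote networks share at least one address.
    A remote network of 0.0.0.0/0 overlaps every local network."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(remote_net))


def deliver(dst: str, local_net: str, remote_net: str, resolution: str) -> str:
    """Decide where a packet from the local side with destination `dst` goes.

    Returns "tunnel" (sent through the VPN) or "local" (delivered on the
    local network). `resolution` stands in for the Local and Remote IP
    Address Conflict Resolution setting and only matters when `dst` lies in
    both networks: "local" keeps such packets local, "remote" tunnels them.
    """
    ip = ipaddress.ip_address(dst)
    in_local = ip in ipaddress.ip_network(local_net)
    in_remote = ip in ipaddress.ip_network(remote_net)
    if in_local and in_remote:
        return "local" if resolution == "local" else "tunnel"
    return "tunnel" if in_remote else "local"


class VirtualAddressMap:
    """One-to-one mapping of a private address range onto a virtual range.

    Outbound packets have their source rewritten to the virtual address
    before entering the tunnel; replies to the virtual address are mapped
    back to the private address. The remote peer's policy then refers to
    the virtual range, so its own network no longer overlaps ours.
    """

    def __init__(self, private_start: str, private_end: str, virtual_start: str):
        self.p0 = int(ipaddress.ip_address(private_start))
        self.p1 = int(ipaddress.ip_address(private_end))
        if self.p1 < self.p0:
            raise ValueError("private range end precedes its start")
        self.v0 = int(ipaddress.ip_address(virtual_start))
        self.v1 = self.v0 + (self.p1 - self.p0)   # same size as private range

    def outbound(self, src: str) -> str:
        s = int(ipaddress.ip_address(src))
        if not self.p0 <= s <= self.p1:
            raise ValueError(f"{src} is not in the mapped private range")
        return str(ipaddress.ip_address(self.v0 + (s - self.p0)))

    def inbound(self, dst: str) -> str:
        d = int(ipaddress.ip_address(dst))
        if not self.v0 <= d <= self.v1:
            raise ValueError(f"{dst} is not in the virtual range")
        return str(ipaddress.ip_address(self.p0 + (d - self.v0)))


if __name__ == "__main__":
    # Both sites use 192.168.1.0/24; mapping the local side to 10.10.10.x
    # removes the overlap the remote peer would otherwise see.
    print(policy_overlaps("192.168.1.0/24", "192.168.1.0/24"))   # True
    m = VirtualAddressMap("192.168.1.1", "192.168.1.254", "10.10.10.1")
    print(m.outbound("192.168.1.8"), m.inbound("10.10.10.8"))
    print(policy_overlaps("10.10.10.0/24", "192.168.1.0/24"))     # False
```

    Run against the manual's dynamic-rule case (local 192.168.1.0/24, remote any), deliver() shows why a packet for 192.168.1.9 enters the tunnel unless the conflict resolution prefers the local network, and the map shows the address the remote side must put in its remote network field when both sites share 192.168.1.0/24.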
  • Page 341: Telecommuter Vpn/Ipsec Examples

    Table 94 SECURITY > VPN > Global Setting (continued) LABEL Gateway Domain Name Update Timer Adjust TCP Maximum Segment Size Local and Remote IP Address Conflict Resolution Apply Reset 14.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters.
  • Page 342: Telecommuters Sharing One Vpn Rule Example

    14.18.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure).
  • Page 343: Figure 217 Telecommuters Using Unique Vpn Rules Example

    See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.
  • Page 344: Vpn And Remote Management

    Table 96 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS Telecommuter C (telecommuterc.dydns.org) Local ID Type: E-mail Local ID Content: myVPN@myplace.com Local IP Address: 192.168.4.15 14.19 VPN and Remote Management You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL.
  • Page 345: Hub-And-Spoke Vpn Example

    Figure 219 VPN Topologies Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub-and-spoke VPN makes it easier for the hub router to manage the traffic between the spoke routers.
  • Page 346: Hub-And-Spoke Example Vpn Rule Addresses

    Figure 220 Hub-and-spoke VPN Example 14.20.2 Hub-and-spoke Example VPN Rule Addresses The VPN rules for this hub-and-spoke example would use the following address settings. Branch Office A: • Remote Gateway: 10.0.0.1 • Local IP address: 192.168.167.0/255.255.255.0 •...
  • Page 347 The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
  • Page 349: Certificates

    CHAPTER 15 Certificates. This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key.
  • Page 350: Advantages Of Certificates

    Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer's certificate against a directory server's list of revoked certificates.
  • Page 351: Configuration Summary

    Figure 222 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary depending on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 352: My Certificates

    15.5 My Certificates Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL's summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. Figure 224 SECURITY >...
  • Page 353 Table 97 SECURITY > CERTIFICATES > My Certificates (continued) LABEL DESCRIPTION Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
  • Page 354: My Certificate Details

    15.6 My Certificate Details Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 224 on page 352), then open the My Certificate Details screen for a certificate. You can use this screen to view in-depth certificate information and change the certificate's name. If it is a self-signed certificate, you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates.
  • Page 355 Table 98 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL DESCRIPTION Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
  • Page 356: My Certificate Export

    Table 98 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL Apply Cancel 15.7 My Certificate Export Click SECURITY > CERTIFICATES > My Certificates and then a certificate's export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the ZyWALL to a computer.
  • Page 357: My Certificate Import

    Table 99 SECURITY > CERTIFICATES > My Certificates > Export (continued) LABEL Password Retype to confirm Apply Cancel 15.8 My Certificate Import Click SECURITY > CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate from a computer to the ZyWALL.
  • Page 358: Figure 227 Security > Certificates > My Certificates > Import

    • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL.
  • Page 359: My Certificate Create

    Figure 228 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 The following table describes the labels in this screen. Table 101 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 LABEL DESCRIPTION Password Type the file’s password that was created when the PKCS #12 file was exported. Apply Click Apply to save the certificate on the ZyWALL.
  • Page 360: Figure 229 Security > Certificates > My Certificates > Create (Basic)

    Figure 229 SECURITY > CERTIFICATES > My Certificates > Create (Basic)
  • Page 361: Figure 230 Security > Certificates > My Certificates > Create (Advanced)

    Figure 230 SECURITY > CERTIFICATES > My Certificates > Create (Advanced) The following table describes the labels in this screen. Table 102 SECURITY > CERTIFICATES > My Certificates > Create LABEL DESCRIPTION Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this... Subject Information: The fields below display when you click << Basic.
  • Page 362 Chapter 15 Certificates Table 102 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Common Name: Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Organizational Unit, Organization, Country. The fields below display when you click Advanced >>. Subject Name.
  • Page 363 Table 102 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL Subject Alternative Name Key Length << Basic/Advanced >> Enrollment Options Create a self-signed certificate Create a certification request and save it locally for later manual enrollment Create a certification request and enroll for a certificate immediately online...
  • Page 364: Trusted CAs

    Chapter 15 Certificates Table 102 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL RA Signing Certificate If you select Enrollment via an RA, select the CA’s RA signing certificate from RA Encryption Certificate Request Authentication Reference Number Apply Cancel After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request.
  • Page 365: Figure 231 Security > Certificates > Trusted CAs

    Figure 231 SECURITY > CERTIFICATES > Trusted CAs The following table describes the labels in this screen. Table 103 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 366: Trusted CA Details

    Chapter 15 Certificates Table 103 SECURITY > CERTIFICATES > Trusted CAs (continued) LABEL Modify Import Refresh 15.11 Trusted CA Details Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 367: Figure 232 Security > Certificates > Trusted CAs > Details

    Figure 232 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 104 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 368 Chapter 15 Certificates Table 104 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION Certification Path: Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy... Refresh. Certificate Information: Type, Version, Serial Number, Subject, Issuer, Signature Algorithm, Valid From, Valid To, Key Algorithm, Subject Alternative Name, Key Usage, Basic Constraint.
  • Page 369: Trusted CA Import

    Table 104 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers. MD5 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm.
  • Page 370: Trusted Remote Hosts

    Chapter 15 Certificates Figure 233 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. Table 105 SECURITY > CERTIFICATES > Trusted CAs Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • Page 371: Figure 234 Security > Certificates > Trusted Remote Hosts

    Figure 234 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 106 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 372: Trusted Remote Hosts Import

    Chapter 15 Certificates 15.14 Trusted Remote Hosts Import Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen.
  • Page 373: Trusted Remote Host Certificate Details

    15.15 Trusted Remote Host Certificate Details Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
  • Page 374: Table 108 Security > Certificates > Trusted Remote Hosts > Details

    Chapter 15 Certificates The following table describes the labels in this screen. Table 108 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL Name Certification Path Refresh Certificate Information Type Version Serial Number Subject Issuer Signature Algorithm Valid From Valid To Key Algorithm Subject Alternative...
  • Page 375: Directory Servers

    Table 108 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued) LABEL MD5 Fingerprint SHA1 Fingerprint Certificate in PEM (Base-64) Encoded Format Apply Cancel 15.16 Directory Servers Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen.
  • Page 376: Directory Server Add Or Edit

    Chapter 15 Certificates The following table describes the labels in this screen. Table 109 SECURITY > CERTIFICATES > Directory Servers LABEL PKI Storage Space in Use Name Address Port Protocol Modify 15.17 Directory Server Add or Edit Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen.
  • Page 377: Table 110 Security > Certificates > Directory Server > Add

    The following table describes the labels in this screen. Table 110 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol Use the drop-down list box to select the access protocol used by the directory server.
  • Page 379: Authentication Server

    Chapter 16 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 380: Figure 239 Security > Auth Server > Local User Database

    Figure 239 SECURITY > AUTH SERVER > Local User Database
  • Page 381: RADIUS

    The following table describes the labels in this screen. Table 111 SECURITY > AUTH SERVER > Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile.
  • Page 382 Chapter 16 Authentication Server Table 112 SECURITY > AUTH SERVER > RADIUS LABEL Accounting Server Active Server IP Address Port Number Apply Reset DESCRIPTION Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network.
  • Page 383: Advanced

    Advanced Network Address Translation (NAT) (385) Static Route (401) Policy Route (405) Bandwidth Management (411) DNS (427) Remote Management (439) UPnP (461) Custom Application (471) ALG Screen (473)
  • Page 385: Network Address Translation (NAT)

    Chapter 17 Network Address Translation This chapter discusses how to configure NAT on the ZyWALL. 17.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.
  • Page 386: What NAT Does

    Chapter 17 Network Address Translation (NAT) NAT never changes the IP address (either local or global) of an outside host. 17.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 387: NAT Application

    Figure 241 How NAT Works 17.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 242 NAT Application With IP Alias
  • Page 388: Port Restricted Cone NAT

    Chapter 17 Network Address Translation (NAT) 17.1.5 Port Restricted Cone NAT ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network.
  • Page 389: Using NAT

    • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
  • Page 390: NAT Overview Screen

    Chapter 17 Network Address Translation (NAT) Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don’t configure NAT mapping rules to those computers with public IP addresses on the DMZ.
  • Page 391: NAT Address Mapping

    Table 115 ADVANCED > NAT > NAT Overview (continued) LABEL DESCRIPTION WAN 1, 2 Enable NAT Select this check box to turn on the NAT feature for the WAN interface. Clear this check box to turn off the NAT feature for the WAN interface. Address Select SUA if you have just one public WAN IP address for your ZyWALL.
  • Page 392: Figure 245 Advanced > NAT > Address Mapping

    Chapter 17 Network Address Translation (NAT) Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
  • Page 393: NAT Address Mapping Edit

    Table 116 ADVANCED > NAT > Address Mapping (continued) LABEL DESCRIPTION Local Start IP This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address.
  • Page 394: Port Forwarding

    Chapter 17 Network Address Translation (NAT) The following table describes the labels in this screen. Table 117 ADVANCED > NAT > Address Mapping > Edit LABEL Type Local Start IP Local End IP Global Start IP Global End IP Apply Cancel 17.5 Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or...
  • Page 395: Port Forwarding: Services And Port Numbers

    If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. 17.5.2 Port Forwarding: Services and Port Numbers The ZyWALL provides the additional safety of the DMZ ports for connecting your publicly accessible servers.
  • Page 396: NAT and Multiple WAN

    Chapter 17 Network Address Translation (NAT) Figure 247 Multiple Servers Behind NAT Example 17.5.4 NAT and Multiple WAN The ZyWALL has two WAN interfaces. You can configure port forwarding and trigger port rule sets for the first WAN interface and separate sets of rules for the second WAN interface. 17.5.5 Port Translation The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the...
  • Page 397: Port Forwarding Screen

    Figure 248 Port Translation Example 17.6 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 398: Figure 249 Advanced > NAT > Port Forwarding

    Chapter 17 Network Address Translation (NAT) Figure 249 ADVANCED > NAT > Port Forwarding The following table describes the labels in this screen. Table 119 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN interface for which you want to view or configure address mapping rules.
  • Page 399: Port Triggering

    Table 119 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 17.7 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
  • Page 400: Figure 251 Advanced > NAT > Port Triggering

    Chapter 17 Network Address Translation (NAT) Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your ZyWALL’s trigger port settings. Figure 251 ADVANCED > NAT > Port Triggering The following table describes the labels in this screen. Table 120 ADVANCED >...
  • Page 401: Static Route

    Chapter 18 Static Route This chapter shows you how to configure static routes for your ZyWALL. 18.1 IP Static Route The ZyWALL usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the ZyWALL send data to devices not reachable through the default gateway, use static routes.
  • Page 402: IP Static Route

    Chapter 18 Static Route 18.2 IP Static Route Click ADVANCED > STATIC ROUTE to open the IP Static Route screen. The first two static route entries are for default WAN 1 and WAN 2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
  • Page 403: IP Static Route Edit

    The following table describes the labels in this screen. Table 121 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION This is the number of an individual static route. Name This is the name that describes or identifies this route. Active This field shows whether this static route is active (Yes) or not (No).
  • Page 404 Chapter 18 Static Route Table 122 ADVANCED > STATIC ROUTE > IP Static Route > Edit LABEL DESCRIPTION Gateway IP Address: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
  • Page 405: Policy Route

    Chapter 19 Policy Route This chapter covers setting and applying policies used for IP routing. 19.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 406: IP Routing Policy Setup

    Chapter 19 Policy Route IPPR follows the existing packet filtering facility of RAS in style and in implementation. 19.4 IP Routing Policy Setup Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Figure 255 ADVANCED > POLICY ROUTE > Policy Route Summary
  • Page 407: Policy Route Edit

    The following table describes the labels in this screen. Table 123 ADVANCED > POLICY ROUTE > Policy Route Summary LABEL DESCRIPTION This is the number of an individual policy route. Active This field shows whether the policy is active or inactive. Source This is the source IP address range and/or port number range.
  • Page 408: Figure 256 Edit IP Policy Route

    Chapter 19 Policy Route Figure 256 Edit IP Policy Route The following table describes the labels in this screen. Table 124 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of the policy route.
  • Page 409 Table 124 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Application: Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom.
  • Page 410 Chapter 19 Policy Route Table 124 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination.
  • Page 411: Bandwidth Management

    Chapter 20 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 20.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
  • Page 412: Proportional Bandwidth Allocation

    Chapter 20 Bandwidth Management 20.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 20.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).
  • Page 413: Scheduler

    Table 125 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE E-mail Video 20.7 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based. 20.7.1 Priority-based Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes.
  • Page 414: Maximize Bandwidth Usage Example

    Chapter 20 Bandwidth Management 2 Do not enable the interface’s Maximize Bandwidth Usage option. 3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 20.8). 20.7.5 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface.
  • Page 415: Bandwidth Borrowing

    20.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Table 128 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example BANDWIDTH CLASSES AND ALLOTMENTS Root Class: 10240 kbps Suppose that all of the classes except for the administration class need more bandwidth. •...
  • Page 416: Maximize Bandwidth Usage With Bandwidth Borrowing

    Chapter 20 Bandwidth Management Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL. Table 129 Bandwidth Borrowing Example BANDWIDTH CLASSES AND BANDWIDTH BORROWING SETTINGS Root Class: Administration: Borrowing Enabled Sales: Borrowing Disabled Marketing: Borrowing Enabled...
  • Page 417: Over Allotment Of Bandwidth

    4 If the bandwidth requirements of all of the traffic classes are met and there is still some unbudgeted bandwidth, the ZyWALL assigns it to traffic that does not match any of the classes. 20.10 Over Allotment of Bandwidth It is possible to set the bandwidth management speed for an interface higher than the interface’s actual transmission speed.
  • Page 418: Figure 258 Advanced > BW MGMT > Summary

    Chapter 20 Bandwidth Management Figure 258 ADVANCED > BW MGMT > Summary The following table describes the labels in this screen. Table 131 ADVANCED > BW MGMT > Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface.
  • Page 419: Configuring Class Setup

    20.12 Configuring Class Setup The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class.
  • Page 420: Bandwidth Manager Class Configuration

    Chapter 20 Bandwidth Management Table 132 ADVANCED > BW MGMT > Class Setup (continued) LABEL DESCRIPTION Enabled classes Search Order: This list displays the interface’s active bandwidth management classes (the ones that have the bandwidth filter enabled). The ZyWALL applies the classes in the order that they appear here.
  • Page 421: Figure 260 Advanced > BW MGMT > Class Setup > Add Sub-Class

    Figure 260 ADVANCED > BW MGMT > Class Setup > Add Sub-Class The following table describes the labels in this screen. Table 133 ADVANCED > BW MGMT > Class Setup > Add Sub-Class LABEL Class Configuration Class Name Bandwidth Budget (kbps) Priority Borrow bandwidth...
  • Page 422 Chapter 20 Bandwidth Management Table 133 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter... Service, Destination Address Type, Destination IP Address, Destination End Address / Subnet Mask, Destination Port. Source Address Type: Do you want your rule to apply to packets coming from a particular (single) IP, ... Source IP Address.
  • Page 423: Bandwidth Management Statistics

    Table 133 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL Source End Address / Subnet Mask Source Port Protocol ID Apply Cancel Table 134 Services and Port Numbers SERVICES ECHO FTP (File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) DNS (Domain Name System) Finger HTTP (Hyper Text Transfer protocol or WWW, Web)
  • Page 424: Bandwidth Manager Monitor

    Chapter 20 Bandwidth Management Figure 261 ADVANCED > BW MGMT > Class Setup > Statistics The following table describes the labels in this screen. Table 135 ADVANCED > BW MGMT > Class Setup > Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is showing. Budget (kbps) This field displays the amount of bandwidth allocated to the class.
  • Page 425: Figure 262 Advanced > BW MGMT > Monitor

    Figure 262 ADVANCED > BW MGMT > Monitor The following table describes the labels in this screen. Table 136 ADVANCED > BW MGMT > Monitor LABEL Interface Class Budget (kbps) Current Usage (kbps) Refresh A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
  • Page 427: DNS

    Chapter 21 DNS This chapter shows you how to configure the DNS screens. 21.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 428: Address Record

    Chapter 21 DNS 21.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel”...
  • Page 429: System Screen

    Figure 263 Private DNS Server Example If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 21.6 System Screen Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL’s DNS address and name server records.
  • Page 430: Figure 264 Advanced > DNS > System DNS

    Chapter 21 DNS Figure 264 ADVANCED > DNS > System DNS The following table describes the labels in this screen. Table 137 ADVANCED > DNS > System DNS LABEL DESCRIPTION Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. FQDN, Wildcard, IP Address, Modify.
  • Page 431: Adding An Address Record

    Table 137 ADVANCED > DNS > System DNS LABEL DESCRIPTION Name Server Record: A name server record contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. When the ZyWALL needs to resolve a domain name, it checks it against the name server record entries in the order that they appear in this list.
  • Page 432: Inserting A Name Server Record

    Chapter 21 DNS The following table describes the labels in this screen. Table 138 ADVANCED > DNS > Add (Address Record) LABEL FQDN IP Address Enable Wildcard Apply Cancel 21.6.2 Inserting a Name Server Record Click Insert in the System screen to open this screen. Use this screen to insert a name server record.
  • Page 433: DNS Cache

    The following table describes the labels in this screen. Table 139 ADVANCED > DNS > Insert (Name Server Record) LABEL DESCRIPTION Domain Zone This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • Page 434: Figure 267 Advanced > DNS > Cache

    Chapter 21 DNS Figure 267 ADVANCED > DNS > Cache The following table describes the labels in this screen. Table 140 ADVANCED > DNS > Cache LABEL DNS Cache Setup Cache Positive DNS Resolutions Maximum TTL Cache Negative DNS Resolutions Negative Cache Period Apply...
  • Page 435: Configuring DNS DHCP

    Table 140 ADVANCED > DNS > Cache LABEL DESCRIPTION IP Address: This is the (resolved) IP address of a host. This field displays 0.0.0.0 for negative DNS resolution entries. Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache.
  • Page 436: Dynamic DNS

    Chapter 21 DNS Table 141 ADVANCED > DNS > DHCP LABEL Apply Reset 21.10 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 437: High Availability

    If you have a private WAN IP address, then you cannot use Dynamic DNS. 21.10.2 High Availability A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.
  • Page 438 Chapter 21 DNS Table 142 ADVANCED > DNS > DDNS LABEL DESCRIPTION Username: Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Password, My Domain Names, Domain Name 1~5, DDNS Type, Offline, Wildcard, WAN Interface, IP Address Update Policy, Apply, Reset.
  • Page 439: Remote Management

    Chapter 22 Remote Management This chapter provides information on the Remote Management screens. 22.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN.
  • Page 440: Remote Management Limitations

    Chapter 22 Remote Management 3 Telnet 4 HTTPS and HTTP 22.1.1 Remote Management Limitations Remote management does not work when: 1 You have not enabled that service on the interface in the corresponding remote management screen. 2 You have disabled that service in one of the remote management screens. 3 The IP address in the Secure Client IP Address field does not match the client IP address.
  • Page 441: WWW

    2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server). Figure 271 HTTPS Implementation If you disable the HTTP service in the REMOTE MGMT > WWW screen, then the ZyWALL blocks all HTTP connection attempts. 22.3 WWW Click ADVANCED >...
  • Page 442: Figure 272 Advanced > Remote Mgmt > WWW

    Chapter 22 Remote Management Figure 272 ADVANCED > REMOTE MGMT > WWW The following table describes the labels in this screen. Table 143 ADVANCED > REMOTE MGMT > WWW LABEL DESCRIPTION HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 443: HTTPS Example

    Table 143 ADVANCED > REMOTE MGMT > WWW (continued) LABEL DESCRIPTION Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service.
  • Page 444: Avoiding The Browser Warning Messages

    If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client. Figure 274 Security Certificate 1 (Netscape) Figure 275 Security Certificate 2 (Netscape) 22.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the...
  • Page 445: Login Screen

    • The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
  • Page 446: Figure 277 Replace Certificate

    Figure 277 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure. Figure 278 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate.
  • Page 447: SSH

    Figure 279 Common ZyWALL Certificate 22.5 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plaintext (clear or unencrypted text), SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 448: SSH Implementation on the ZyWALL

    Figure 281 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
  • Page 449: Configuring SSH

    22.8 Configuring SSH Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 282 ADVANCED > REMOTE MGMT > SSH The following table describes the labels in this screen.
  • Page 450: Secure Telnet Using SSH Examples

    22.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide. 22.9.1 Example 1: Microsoft Windows This section describes how to access the ZyWALL using the Secure Shell Client program.
  • Page 451: Secure FTP Using SSH Example

    2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 452: Telnet

    Figure 286 Secure FTP: Firmware Upload Example $ sftp -1 192.168.1.1 Connecting to 192.168.1.1... The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 453: FTP

    The following table describes the labels in this screen. Table 145 ADVANCED > REMOTE MGMT > Telnet LABEL DESCRIPTION Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
  • Page 454: SNMP

    The following table describes the labels in this screen. Table 146 ADVANCED > REMOTE MGMT > FTP LABEL DESCRIPTION Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 455: Supported MIBs

    Figure 289 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 456: SNMP Traps

    22.14.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Table 147 SNMP Traps TRAP # TRAP NAME coldStart (defined in RFC-1215) warmStart (defined in RFC-1215) authenticationFailure (defined in RFC-1215)
  • Page 457: DNS

    The following table describes the labels in this screen. Table 148 ADVANCED > REMOTE MGMT > SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
  • Page 458: Introducing Vantage CNM

    Figure 291 ADVANCED > REMOTE MGMT > DNS The following table describes the labels in this screen. Table 149 ADVANCED > REMOTE MGMT > DNS LABEL DESCRIPTION Service Port: The DNS service port number is 53 and cannot be changed here. Service Access: Select the interface(s) through which a computer may send DNS queries to the ZyWALL.
  • Page 459: Figure 292 ADVANCED > REMOTE MGMT > CNM

    Figure 292 ADVANCED > REMOTE MGMT > CNM The following table describes the labels in this screen. Table 150 ADVANCED > REMOTE MGMT > CNM LABEL Registration Information Registration Status Last Registration Time This field displays the last date (year-month-date) and time (hours-minutes- Refresh Vantage CNM Setup Enable...
  • Page 460: Additional Configuration for Vantage CNM

    Table 150 ADVANCED > REMOTE MGMT > CNM (continued) LABEL Encryption Algorithm Encryption Key Apply Reset 22.17.1 Additional Configuration for Vantage CNM If you have NAT routers or firewalls between the ZyWALL and the Vantage CNM server, you must configure them to forward TCP ports 8080 (HTTP), 443 (HTTPS) and 20 and 21 (FTP).
  • Page 461: UPnP

    This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 23.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 462: UPnP and ZyXEL

    Chapter 23 UPnP When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 463: Displaying UPnP Port Mapping

    Table 151 ADVANCED > UPnP LABEL Allow UPnP to pass through Firewall Outgoing WAN Interface Apply Reset 23.3 Displaying UPnP Port Mapping Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Figure 294 ADVANCED >...
  • Page 464: Installing UPnP in Windows Example

    Table 152 ADVANCED > UPnP > Ports (continued) LABEL DESCRIPTION Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
  • Page 465: Installing UPnP in Windows Me

    23.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
  • Page 466: Installing UPnP in Windows XP

    23.4.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 467: Auto-discover Your UPnP-enabled Network Device

    23.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
  • Page 468: Web Configurator Easy Access

    When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray. 5 Double-click the icon to display your current Internet connection status.
  • Page 469 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 470 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 471: Custom Application

    This chapter covers how to set the ZyWALL to monitor custom port numbers for specific applications. 24.1 Custom Application Use custom application to have the ZyWALL’s ALG and content filtering features monitor traffic on custom ports, in addition to the default ports. By default, these ZyWALL features monitor traffic for the following protocols on these port numbers.
  • Page 472: Figure 295 ADVANCED > Custom APP

    Chapter 24 Custom Application Figure 295 ADVANCED > Custom APP The following table describes the labels in this screen. Table 153 ADVANCED > Custom APP LABEL DESCRIPTION Application Select the application for which you want the ZyWALL to monitor specific ports. You can use the same application in more than one entry.
  • Page 473: ALG Screen

    This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 25.1 ALG Introduction An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer.
  • Page 474: ALG and Multiple WAN

    Chapter 25 ALG Screen 25.1.3 ALG and Multiple WAN When the ZyWALL has two WAN interfaces and uses the second highest priority WAN interface as a backup, traffic cannot pass through when the primary WAN connection fails. The ZyWALL does not automatically change the connection to the secondary WAN interface.
  • Page 475: Figure 296 H.323 ALG Example

    • You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and Figure 296 H.323 ALG Example •...
  • Page 476: SIP

    Figure 298 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
  • Page 477: SIP Signaling Session Timeout

    Figure 299 SIP ALG Example 25.5.3 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period.
  • Page 478: Figure 300 ADVANCED > ALG

    Figure 300 ADVANCED > ALG The following table describes the labels in this screen. Table 154 ADVANCED > ALG LABEL DESCRIPTION Enable FTP: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
  • Page 479: Logs And Maintenance

    Logs and Maintenance Logs Screens (481) Maintenance (511)
  • Page 481: Logs Screens

    This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to 26.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen.
  • Page 482: Log Description Example

    Chapter 26 Logs Screens The following table describes the labels in this screen. Table 155 LOGS > View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see 484) display in the drop-down list box. Select a category of logs to view;...
  • Page 483: About The Certificate Not Trusted Log

    Table 156 Log Description Example LABEL DESCRIPTION notes The ZyWALL blocked the packet. message The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet.
  • Page 484: Configuring Log Settings

    Figure 303 myZyXEL.com: Certificate Download 26.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule for when the ZyWALL is to send the logs and which logs and/or immediate alerts the ZyWALL is to send.
  • Page 485: Figure 304 Logs > Log Settings

    Figure 304 LOGS > Log Settings
  • Page 486: Table 157 LOGS > Log Settings

    The following table describes the labels in this screen. Table 157 LOGS > Log Settings LABEL E-mail Log Settings Mail Server Mail Subject Mail Sender Send Log To Send Alerts To Log Schedule Day for Sending Log Time for Sending Log SMTP Authentication User Name...
  • Page 487: Configuring Reports

    Table 157 LOGS > Log Settings (continued) LABEL Send Immediate Alert Log Consolidation Active Log Consolidation Period Apply Reset 26.4 Configuring Reports The Reports screen displays which computers on the LAN, DMZ or WLAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often.
  • Page 488: Figure 305 LOGS > Reports

    Figure 305 LOGS > Reports Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 158 LOGS > Reports LABEL DESCRIPTION Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data. Send Raw: Select the check box and click Apply to have the ZyWALL send unprocessed traffic...
  • Page 489: Viewing Web Site Hits

    All of the recorded reports data is erased when you turn off the ZyWALL. 26.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 490: Viewing Protocol/Port

    Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer. Figure 307 LOGS >...
  • Page 491: Figure 308 LOGS > Reports: Protocol/Port Example

    Figure 308 LOGS > Reports: Protocol/Port Example The following table describes the labels in this screen. Table 161 LOGS > Reports: Protocol/Port LABEL DESCRIPTION Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
  • Page 492: System Reports Specifications

    26.4.4 System Reports Specifications The following table lists detailed specifications on the reports feature. Table 162 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: Hit count limit: Up to 2 four billion. Bytes count limit: Up to 2...
  • Page 493 Table 163 System Maintenance Logs (continued) LOG MESSAGE Time initialized by NTP server Connect to Daytime server fail Connect to Time server fail Connect to NTP server fail Too large ICMP packet has been dropped SMT Session Begin SMT Session End Configuration Change: PC = 0x%x, Task ID = 0x%x Successful SSH login...
  • Page 494: Table 164 System Error Logs

    Table 164 System Error Logs LOG MESSAGE %s exceeds the max. number of session per host! setNetBIOSFilter: calloc error readNetBIOSFilter: calloc error WAN connection is down. Dial Backup starts Dial Backup ends DHCP Server cannot assign the static IP %S (out of range).
  • Page 495: Table 166 TCP Reset Logs

    Table 166 TCP Reset Logs LOG MESSAGE Under SYN flood attack, sent TCP RST Exceed TCP MAX incomplete, sent TCP RST Peer TCP state out of order, sent TCP RST Firewall session time out, sent TCP RST Exceed MAX incomplete, sent TCP RST Access block, sent TCP Table 167 Packet Filter Logs...
  • Page 496: Table 169 CDR Logs

    Table 168 ICMP Logs (continued) LOG MESSAGE Packet without a NAT table entry blocked: ICMP Unsupported/out-of-order ICMP: ICMP Router reply ICMP packet: ICMP Table 169 CDR Logs LOG MESSAGE board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s board %d line %d channel %d, call %d, %s C02 OutCall...
  • Page 497 Table 171 3G Logs (continued) LOG MESSAGE Budget counters are reset, budget control is resumed. Budget control is resumed. Budget control is disabled. Skip 3G SIM authentication because 3G configuration is not set. 3G SIM authentication failed because of no response from SIM card.
  • Page 498: Table 172 UPnP Logs

    Table 171 3G Logs (continued) LOG MESSAGE Warning: (%ESN% or %IMSI%) Over data budget! (budget =%CONFIGURED_BUDGET%(2 decimals Mbytes, used = %USED_VOLUME%(2 decimals) Mbytes). Warning: (%ESN% or %IMSI%) Over %THRESHOLD%% of data budget (%REMAIN_BUDGET%(2 decimals) Mbytes remain in %CONFIGURED_BUDGET% Mbytes budget).
  • Page 499: Table 174 Attack Logs

    Table 173 Content Filtering Logs (continued) LOG MESSAGE DNS resolving failed Creating socket failed The ZyWALL cannot issue a query because TCP/IP socket creation Connecting to content filter server fail License key is invalid The external content filtering license key is invalid. For type and code details, see Table 174 Attack Logs LOG MESSAGE...
  • Page 500: Table 175 Remote Management Logs

    Table 174 Attack Logs (continued) LOG MESSAGE Firewall sent TCP packet in response to DoS attack ICMP Source Quench ICMP ICMP Time Exceed ICMP ICMP Destination Unreachable ICMP ping of death. ICMP smurf ICMP IP address in FTP port command is different from the client IP address.
  • Page 501: Table 177 IKE Logs

    Table 176 IPSec Logs (continued) LOG MESSAGE Receive IPSec packet, but no corresponding tunnel exists Rule <%d> idle time out, disconnect WAN IP changed to <IP> Inbound packet decryption failed Cannot find outbound SA for rule <%d> Rule [%s] sends an echo request to peer Rule [%s] receives an echo reply from peer...
  • Page 502 Table 177 IKE Logs (continued) LOG MESSAGE Cannot resolve Secure Gateway Addr for rule <%d> Peer ID: <peer id> <My remote type> -<My local type> vs. My Remote <My remote> - <My remote> vs. My Local <My local>-<My local>...
  • Page 503 Table 177 IKE Logs (continued) LOG MESSAGE XAUTH fail! Username: <Username> Rule[%d] Phase 1 negotiation mode mismatch Rule [%d] Phase 1 encryption algorithm mismatch Rule [%d] Phase 1 authentication algorithm mismatch Rule [%d] Phase 1 authentication method mismatch Rule [%d] Phase 1 key group mismatch Rule [%d] Phase 2 protocol mismatch...
  • Page 504: Table 178 PKI Logs

    Table 177 IKE Logs (continued) LOG MESSAGE Rule [%d] phase 1 mismatch Rule [%d] phase 2 mismatch Rule [%d] Phase 2 key length mismatch Remote Gateway Addr in rule [%s] is changed to %s New My ZyWALL Addr in rule [%s] is changed to %s Remote Gateway Addr has changed, tunnel [%s] will be...
  • Page 505: Table 179 Certificate Path Verification Failure Reason Codes

    Table 178 PKI Logs (continued) LOG MESSAGE Failed to decode the received user cert Failed to decode the received CRL Failed to decode the received ARL Rcvd data <size> too large! Max size allowed: <max size> Cert trusted: <subject name> Due to <reason codes>, cert not trusted: <subject name>...
  • Page 506: Table 180 ACL Setting Notes

    Table 179 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION CRL contains duplicate serial numbers. Time interval is not continuous. Time information not available. Database method failed due to timeout. Database method failed. Path was not verified. Maximum path length reached.
  • Page 507 Table 181 ICMP Notes (continued) TYPE CODE DESCRIPTION Protocol unreachable Port unreachable A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) Source route failed Source Quench A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
  • Page 508: Syslog Logs

    26.6 Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session"...
  • Page 509: Table 183 RFC-2408 ISAKMP Payload Types

    Table 182 Syslog Logs (continued) LOG MESSAGE Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="IDP" class="<idp class>" sid="<idp sid> act="<idp action>" count="1" Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>"...
  • Page 511: Maintenance

    This chapter displays information on the maintenance screens. 27.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 27.2 General Setup and System Name General Setup contains administrative and system-related information.
  • Page 512: Configuring Password

    Chapter 27 Maintenance Figure 309 MAINTENANCE > General Setup The following table describes the labels in this screen. Table 184 MAINTENANCE > General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 513: Time And Date

    Figure 310 MAINTENANCE > Password The following table describes the labels in this screen. Table 185 MAINTENANCE > Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button.
  • Page 514: Figure 311 MAINTENANCE > Time and Date

    Figure 311 MAINTENANCE > Time and Date The following table describes the labels in this screen. Table 186 MAINTENANCE > Time and Date LABEL Current Time and Date Current Time Current Date Time and Date Setup Manual New Time (hh:mm:ss) New Date...
  • Page 515 Table 186 MAINTENANCE > Time and Date (continued) LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
  • Page 516: Pre-Defined Ntp Time Server Pools

    27.5 Pre-defined NTP Time Server Pools When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools.
  • Page 517: Introduction To Transparent Bridging

    Figure 313 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen. Figure 314 Synchronization Fail 27.6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards.
  • Page 518: Transparent Firewalls

    For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.
  • Page 519: Configuring Device Mode (Bridge)

    Figure 315 MAINTENANCE > Device Mode (Router Mode) The following table describes the labels in this screen. Table 188 MAINTENANCE > Device Mode (Router Mode) LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge. Device Mode Setup Router When the ZyWALL is in router mode, there is no need to select or clear this radio...
  • Page 520: Figure 316 MAINTENANCE > Device Mode (Bridge Mode)

    In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.
  • Page 521: F/W Upload Screen

    Table 189 MAINTENANCE > Device Mode (Bridge Mode) (continued) LABEL DESCRIPTION DHCP DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP check box selected.
  • Page 522: Figure 318 Firmware Upload In Process

    The following table describes the labels in this screen. Table 190 MAINTENANCE > Firmware Upload LABEL DESCRIPTION File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 523: Backup And Restore

    Figure 320 Firmware Upload Error 27.11 Backup and Restore Refer to Section 43.5 on page 655 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next. Figure 321 MAINTENANCE > Backup and Restore
  • Page 524: Backup Configuration

    27.11.1 Backup Configuration Backup configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
  • Page 525: Back To Factory Defaults

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer’s IP address. If the upload was not successful, the following screen will appear.
  • Page 526: Diagnostics

    Figure 326 MAINTENANCE > Restart 27.13 Diagnostics Use the Diagnostics screen to have the ZyWALL generate and send diagnostic files by e-mail and/or the console port. The diagnostics files contain the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 527: Figure 327 Maintenance > Diagnostics

    Figure 327 MAINTENANCE > Diagnostics The following table describes the labels in this screen. Table 192 MAINTENANCE > Diagnostics LABEL Enable Diagnostics Perform Diagnostics Perform diagnostics when CPU utilization exceeds Periodic Diagnostics Diagnostics Frequency DESCRIPTION Select this option to turn on the diagnostics feature. Click this button to generate and send a diagnostic file immediately, instead of based on a time period or CPU usage level.
  • Page 528 Table 192 MAINTENANCE > Diagnostics (continued) LABEL Day for Diagnostics Time for Diagnostics Display on Console Send Diagnostic Report by E-mail Mail Server Mail Subject Mail Sender Send Log to SMTP Authentication User Name Password Apply Reset DESCRIPTION Use the drop-down list box to select which day of the week to generate and send diagnostic files.
  • Page 529: SMT

    Introducing the SMT (531) SMT Menu 1 - General Setup (539) WAN and Dial Backup Setup (545) LAN Setup (559) Internet Access (565) DMZ Setup (571) Route Setup (575) Wireless Setup (579) Remote Node Setup (583) IP Static Route Setup (591) Network Address Translation (NAT) (595) Introducing the ZyWALL Firewall (615) Filter Configuration (617)
  • Page 531: Introducing the SMT

    This chapter explains how to access the System Management Terminal and gives an overview of its menus. 28.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 532: Entering The Password

    Chapter 28 Introducing the SMT Figure 328 Initial Screen Copyright (c) 1994 - 2007 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:00:AA:77:90:79 initialize ch =1, ethernet address: 00:00:AA:77:90:7A initialize ch =2, ethernet address: 00:00:AA:77:90:7B initialize ch =3, ethernet address: 00:00:AA:77:90:79...
  • Page 533: Main Menu

    Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Table 193 Main Menu Commands OPERATION KEYSTROKES Move down to another menu: [ENTER]. Move up to a previous menu: [ESC]. Move to a ... Press [SPACE...
  • Page 534: Figure 330 Main Menu (Router Mode)

    Figure 330 Main Menu (Router Mode) Copyright (c) 1994 - 2007 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4. Internet Access Setup 5. DMZ Setup 6. Route Setup 7.
  • Page 535: SMT Menus Overview

    Table 194 Main Menu Summary NO. MENU TITLE Internet Access Setup DMZ Setup Route Setup Wireless Setup Remote Node Setup Static Routing Setup NAT Setup Filter and Firewall Setup SNMP Configuration System Password System Maintenance IP Routing Policy Setup Configure and display policies for use in IP policy routing. Schedule Setup Exit 28.3.2 SMT Menus Overview...
  • Page 536 Chapter 28 Introducing the SMT Table 195 SMT Menus Overview (continued) MENUS SUB MENUS 11 Remote Node Setup 11.1 Remote Node Profile 11.2 Remote Node Profile (3G WAN) 11.3 Remote Node Profile (Backup ISP) 12 Static Routing Setup 12.1 Edit IP Static Route 15 NAT Setup 15.1 Address Mapping Sets 15.2 Port Forwarding Setup...
  • Page 537: Changing The System Password

    Table 195 SMT Menus Overview (continued) MENUS SUB MENUS 24 System Maintenance 24.1 System Status 24.2 System Information and Console Port Speed 24.3 Log and Trace 24.4 Diagnostic 24.5 Backup Configuration 24.6 Restore Configuration 24.7 Upload Firmware 24.8 Command Interpreter Mode 24.9 Call Control 24.10 Time and Date Setting...
  • Page 538: Resetting the ZyWALL

    Chapter 28 Introducing the SMT 3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an “x” for each character you type. 28.5 Resetting the ZyWALL See Section 2.3 on page 59 for directions on resetting the ZyWALL.
  • Page 539: SMT Menu 1 - General Setup

    SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 29.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 29.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 - General Setup.
  • Page 540: Figure 334 Menu 1: General Setup (Bridge Mode)

    Chapter 29 SMT Menu 1 - General Setup Table 196 Menu 1: General Setup (Router Mode) (continued) FIELD DESCRIPTION Device Mode: Press [SPACE BAR] and then [ENTER] to select Router Mode. Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1 - Configure Dynamic DNS discussed next.
  • Page 541: Configuring Dynamic DNS

    29.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
  • Page 542: Figure 336 Menu 1.1.1: DDNS Host Summary

    Chapter 29 SMT Menu 1 - General Setup Figure 336 Menu 1.1.1: DDNS Host Summary Hostname=ZyWALL, Type=Dynamic, WC=Yes, Offline=No, Policy=DDNS Server Detect, WAN1, HA=Yes (the remaining host entries in the summary are empty). The following table describes the fields in this screen. Table 199 Menu 1.1.1: DDNS Host Summary FIELD Summary...
  • Page 543: Figure 337 Menu 1.1.1: DDNS Edit Host

    Figure 337 Menu 1.1.1: DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDNS Server Auto Detect= Yes Use User-Defined= N/A Use WAN IP Address= N/A The following table describes the fields in this screen.
  • Page 544 Chapter 29 SMT Menu 1 - General Setup Table 200 Menu 1.1.1: DDNS Edit Host (continued) FIELD DESCRIPTION IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP address.
  • Page 545: WAN and Dial Backup Setup

    WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 30.1 Introduction to WAN, 3G WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN interface(s), a 3G WAN connection and a dial backup connection using the SMT menus.
  • Page 546: Dial Backup

    Chapter 30 WAN and Dial Backup Setup The following table describes the fields in this screen. Table 201 MAC Address Cloning in WAN Setup FIELD DESCRIPTION WAN 1 MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
  • Page 547: Advanced WAN Setup

    Figure 339 Menu 2: Dial Backup Setup Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu. Table 202 Menu 2: Dial Backup Setup FIELD DESCRIPTION Dial-Backup: Active Use this field to turn the dial-backup feature on (Yes) or off (No). Port Speed Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device.
  • Page 548: Figure 340 Menu 2.1: Advanced WAN Setup

    Chapter 30 WAN and Dial Backup Setup To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
  • Page 549: Remote Node Profile (Backup ISP)

    Table 204 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 550: Table 205 Menu 11.3: Remote Node Profile (Backup ISP)

    Chapter 30 WAN and Dial Backup Setup The following table describes the fields in this menu. Table 205 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters.
  • Page 551: Editing TCP/IP Options

    30.3.4 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Figure 342 Menu 11.3.2: Remote Node Network Layer Options Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.0.0.0...
  • Page 552: Editing Login Script

    Chapter 30 WAN and Dial Backup Setup Table 206 Menu 11.3.2: Remote Node Network Layer Options FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...
  • Page 553: Figure 343 Menu 11.3.3: Remote Node Script

    Please note that the ordering of the sets is significant, i.e., starting from set 1, the ZyWALL will wait until the ‘Expect’ string is matched before it proceeds to set 2, and so on for the rest of the script. When both the ‘Expect’ and the ‘Send’ fields of the current set are empty, the ZyWALL will terminate the script processing and start PPP negotiation.
  • Page 554: Remote Node Filter

    Chapter 30 WAN and Dial Backup Setup 30.3.6 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter. Use menu 11.3.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls.
  • Page 555: Figure 345 3G Modem Setup in WAN Setup

    Figure 345 3G Modem Setup in WAN Setup The following table describes the fields in this screen. Table 208 3G Modem Setup in WAN Setup FIELD DESCRIPTION 3G Modem Setup Init Select Configure APN to enter the APN (Access Point Name) if your ISP gives you the APN only.
  • Page 556: Remote Node Profile (3G WAN)

    Chapter 30 WAN and Dial Backup Setup 30.4.2 Remote Node Profile (3G WAN) Enter 2 in Menu 11 - Remote Node Setup to open Menu 11.2 - Remote Node Profile (3G WAN) (shown below) and configure the setup for your 3G connection. Figure 346 Menu 11.2: Remote Node Profile (3G WAN) Rem Node Name= WAN 2...
  • Page 557 Table 209 Menu 11.2: Remote Node Profile (3G WAN) (continued) FIELD DESCRIPTION Edit IP This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 30.3.4 on page 551 Edit Script Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT script for the...
  • Page 559: LAN Setup

    This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 31.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. 31.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 - LAN Setup.
  • Page 560: TCP/IP and DHCP Ethernet Setup Menu

    Chapter 31 LAN Setup Figure 348 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: Output Filter Sets: Press ENTER to Confirm or ESC to Cancel: 31.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
  • Page 561: Figure 350 Menu 3.2: TCP/IP and DHCP Ethernet Setup

    Figure 350 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Client IP Pool: Starting Address= 192.168.1.33 Size of Client IP Pool= 128 DHCP Server Address= N/A Follow the instructions in the next table on how to configure the DHCP fields. Table 210 Menu 3.2: DHCP Ethernet Setup Fields FIELD DESCRIPTION...
  • Page 562: Table 211 Menu 3.2: LAN TCP/IP Setup Fields

    Chapter 31 LAN Setup Table 210 Menu 3.2: DHCP Ethernet Setup Fields FIELD DESCRIPTION First DNS Server / Second DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
  • Page 563: IP Alias Setup

    31.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Use menu 3.2 to configure the first network.
  • Page 565: Internet Access

    This chapter shows you how to configure your ZyWALL for Internet access. 32.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 566: Figure 352 Menu 4: Internet Access Setup (Ethernet)

    Chapter 32 Internet Access Figure 352 Menu 4: Internet Access Setup (Ethernet) The following table describes the fields in this menu. Table 213 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name: This is the descriptive name of your ISP for identification purposes. Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet.
  • Page 567: Configuring the PPTP Client

    Table 213 Menu 4: Internet Access Setup (Ethernet) (continued) FIELD DESCRIPTION Gateway IP Address: Enter the gateway IP address associated with your static IP. Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 568: Configuring the PPPoE Client

    Chapter 32 Internet Access Figure 353 Internet Access Setup (PPTP) The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4. Table 214 New Fields in Menu 4 (PPTP) Screen FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPTP.
  • Page 569: Basic Setup Complete

    Figure 354 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. Table 215 New Fields in Menu 4 (PPPoE) screen FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field.
  • Page 571: DMZ Setup

    This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 33.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 - DMZ Setup. Figure 355 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1.
  • Page 572: TCP/IP Setup

    Chapter 33 DMZ Setup 33.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 147. 33.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 357 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1.
  • Page 573: IP Alias Setup

    DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see menus 15.1 and 15.2). 33.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next.
  • Page 575: Route Setup

    This chapter describes how to configure the ZyWALL's traffic redirect. 34.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 360 Menu 6: Route Setup Menu 6 - Route Setup 1.
  • Page 576: Traffic Redirect

    Chapter 34 Route Setup The following table describes the fields in this menu. Table 216 Menu 6.1: Route Assessment FIELD Probing WAN 1/2 Check Point Probing Traffic Redirection Check Point When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to save your configuration, or press [ESC] at any time to cancel.
  • Page 577: Route Failover

    34.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 363 Menu 6.3: Route Failover Menu 6.3 - Route Failover Period= 5 Timeout= 3 Fail Tolerance= 3 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu.
  • Page 579: Wireless Setup

    Use menu 7 to configure the IP address for the ZyWALL’s WLAN interface and other TCP/IP and DHCP settings. 35.1 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 147.
  • Page 580: IP Alias Setup

    Chapter 35 Wireless Setup Figure 365 Menu 7.2: TCP/IP and DHCP Ethernet Setup DHCP= None Client IP Pool: Starting Address= N/A Size of Client IP Pool= N/A DHCP Server Address= N/A The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup.
  • Page 581: Figure 366 Menu 7.2.1: IP Alias Setup

    Figure 366 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No... Enter here to CONFIRM or ESC to CANCEL: Refer to Table 212 on page 563.
  • Page 583: Remote Node Setup

    This chapter shows you how to configure a remote node. 36.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node.
  • Page 584: Ethernet Encapsulation

    Chapter 36 Remote Node Setup 36.3.1 Ethernet Encapsulation There are three variations of menu 11.1 depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.1 screen you see is for Ethernet encapsulation shown next.
  • Page 585: PPPoE Encapsulation

    Table 219 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued) FIELD DESCRIPTION Server: This field is valid only when RoadRunner is selected in the Service Type field. The ZyWALL will find the RoadRunner Server IP automatically if this field is left blank. If it does not, then you must enter the authentication server IP address here.
  • Page 586: PPTP Encapsulation

    Chapter 36 Remote Node Setup 36.3.2.1 Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors’ implementations include a specific authentication protocol in the user profile. Such an implementation will disconnect if the negotiated protocol is different from the one in the user profile, even when the negotiated protocol is stronger than the one specified.
  • Page 587: Edit IP

    Figure 370 Menu 11.1: Remote Node Profile for PPTP Encapsulation Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP PPTP: My IP Addr= 10.0.0.140 My IP Mask= 255.255.255.0 Server IP Addr= 10.0.0.138 Connection ID/Name= The next table shows how to configure fields in menu 11.1 not previously discussed.
  • Page 588: Figure 371 Menu 11.1.2: Remote Node Network Layer Options For Ethernet Encapsulation

    Chapter 36 Remote Node Setup Figure 371 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields in this menu.
  • Page 589: Remote Node Filter

    Table 222 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for...
  • Page 590: Figure 372 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)

    Chapter 36 Remote Node Setup Figure 372 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: Output Filter Sets: Enter here to CONFIRM or ESC to CANCEL: Figure 373 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: Output Filter Sets:...
  • Page 591: IP Static Route Setup

    This chapter shows you how to configure static routes with your ZyWALL. 37.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
  • Page 592: Figure 374 Menu 12: IP Static Route Setup

    Chapter 37 IP Static Route Setup Figure 374 Menu 12: IP Static Route Setup Menu 12 - IP Static Route Setup 1.Reserved 2.Reserved 3.________ 4.________ 5.________ 6.________ 7.________ 8.________ 9.________ 10.________ 11.________ 12.________ 13.________ 14.________ 15.________ Now, enter the index number of the static route that you want to configure. Figure 375 Menu 12.
  • Page 593 Table 223 Menu 12.1: Edit IP Static Route FIELD DESCRIPTION IP Subnet Mask: Enter the IP subnet mask for this destination. Gateway IP Address: Enter the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination.
  • Page 595: Network Address Translation (NAT)

    Network Address Translation This chapter discusses how to configure NAT on the ZyWALL. 38.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 38.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 596: Chapter 38 Network Address Translation (NAT)

    Chapter 38 Network Address Translation (NAT) Figure 376 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet IP Address Assignment= Dynamic Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: The following figure shows how you apply NAT to the remote node in menu 11.1.
  • Page 597: NAT Setup

    The following table describes the fields in this menu. Table 224 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION Network Address Translation: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see ...). You can configure any of the mapping types described in ... 385.
  • Page 598: Address Mapping Sets

    Chapter 38 Network Address Translation (NAT) Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 38.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 379 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets Enter Menu Selection Number:...
  • Page 599: Table 225 SUA Address Mapping Rules

    Menu 15.1.255 is read-only. Table 225 SUA Address Mapping Rules FIELD DESCRIPTION Set Name: This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. Idx: This is the index or rule number. Local Start IP: Local Start IP is the starting local IP address (ILA).
  • Page 600: Figure 381 Menu 15.1.1: First Set

    Chapter 38 Network Address Translation (NAT) Figure 381 Menu 15.1.1: First Set Set Name= NAT_SET Local Start IP --------------- 0.0.0.0 The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. 38.2.1.3 Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules in the order that you specify.
  • Page 601: Figure 382 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

    Table 226 Fields in Menu 15.1.1 (continued) FIELD DESCRIPTION Action The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule.
  • Page 602: Configuring a Server Behind NAT

    Chapter 38 Network Address Translation (NAT) The following table describes the fields in this menu. Table 227 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Type Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in servers of different types behind NAT to this computer.
  • Page 603: Figure 384 Menu 15.2.x: NAT Server Sets

    3 Enter 1 or 2 to go to Menu 15.2.x - NAT Server Setup and configure the address mapping rules for the WAN 1 or WAN 2 interface on a ZyWALL with multiple WAN interfaces. Figure 384 Menu 15.2.x: NAT Server Sets Rule Act.
  • Page 604: Figure 386 Menu 15.2.1: NAT Server Setup

    Chapter 38 Network Address Translation (NAT) The following table describes the fields in this screen. Table 228 15.2.x.x: NAT Server Configuration FIELD DESCRIPTION On a ZyWALL with two WAN ports, you can configure port forwarding and trigger port rules for the first WAN port and separate sets of rules for the second WAN port. This is the WAN port (server set) you select in menu 15.2.
  • Page 605: General Nat Examples

    Figure 387 Server Behind NAT Example 38.4 General NAT Examples The following are some examples of NAT configuration. 38.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 388 NAT Example 1
  • Page 606: Example 2: Internet Access with a Default Server

    Chapter 38 Network Address Translation (NAT) Figure 389 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet IP Address Assignment= Dynamic Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field.
  • Page 607: Example 3: Multiple Public IP Addresses with Inside Servers

    Figure 391 Menu 15.2.1: Specifying an Inside Server Rule ------------------------------------------------------ Select Command= None 38.4.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server.
  • Page 608: Figure 392 NAT Example 3

    Chapter 38 Network Address Translation (NAT) Figure 392 NAT Example 3 1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in 2 Then enter 15 from the main menu.
  • Page 609: Figure 394 Example 3: Menu 15.1.1.1

    Figure 394 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Global IP: Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Figure 395 Example 3: Final Menu 15.1.1 Set Name= Example3 Local Start IP --------------- 1.
  • Page 610: Example 4: NAT Unfriendly Application Programs

    Chapter 38 Network Address Translation (NAT) Figure 396 Example 3: Menu 15.2.1 ------------------------------------------------------ Select Command= None 38.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 611: Figure 398 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-One-to-One mapping types. Follow the steps outlined in example 3 above to configure these two menus as follows. Figure 398 Example 4: Menu 15.1.1.1: Address Mapping Rule Press ENTER to Confirm or ESC to Cancel: After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as...
  • Page 612: Trigger Port Forwarding

    Chapter 38 Network Address Translation (NAT) 38.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
  • Page 613: Figure 400 Menu 15.3.1: Trigger Port Setup

    Figure 400 Menu 15.3.1: Trigger Port Setup Rule Name -------------------------------------------------------------- Real Audio HTTP:80 FTP:21 The following table describes the fields in this menu. Table 229 Menu 15.3.1: Trigger Port Setup FIELD DESCRIPTION Rule This is the rule index number. Name Enter a unique name for identification purposes.
  • Page 615: Introducing the ZyWALL Firewall

    Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 39.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 616: Figure 402 Menu 21.2: Firewall Setup

    Chapter 39 Introducing the ZyWALL Firewall Figure 402 Menu 21.2: Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.
  • Page 617: Filter Configuration

    This chapter shows you how to create and apply filters. 40.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
  • Page 618: The Filter Structure of the ZyWALL

    Chapter 40 Filter Configuration 40.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 619: Figure 404 Filter Rule Process

    Chapter 40 Filter Configuration Figure 404 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 620: Configuring A Filter Set

    Chapter 40 Filter Configuration 40.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 405 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup Enter Menu Selection Number:...
  • Page 621: Configuring A Filter Rule

    Table 230 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Active: “Y” means the rule is active. “N” means the rule is inactive. Type: The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules: These parameters are displayed here. More.
  • Page 622: Configuring a TCP/IP Filter Rule

    Chapter 40 Filter Configuration 40.2.2 Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.
  • Page 623 Table 232 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Port # Comp: Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Greater. Source IP Addr: Enter the source IP Address of the packet you wish to filter.
  • Page 624: Configuring A Generic Filter Rule

    Chapter 40 Filter Configuration Figure 408 Executing an IP Filter 40.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. ZyWALL 2WG User’s Guide...
  • Page 625: Figure 409 Menu 21.1.1.1: Generic Filter Rule

    For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match.
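The Offset/Length/Mask/Value comparison described above, as an added example (not code from the ZyWALL or its documentation): the Ethernet frames, the IPX-EtherType rule and the multicast-destination rule are constructed for illustration, and the Drop/Forward actions follow the example filter shown later in this chapter.

```python
from dataclasses import dataclass

# Actions taken from the example filter rule shown in this chapter.
DROP = "Drop"
FORWARD = "Forward"


@dataclass(frozen=True)
class GenericRule:
    """One generic filter rule: compare a masked byte window against a value."""
    offset: int          # first byte of the packet to examine (counted from 0)
    length: int          # number of bytes to examine
    mask: bytes          # bit-wise ANDed with the window before the comparison
    value: bytes         # expected result of (window & mask)
    action_matched: str = DROP
    action_not_matched: str = FORWARD

    def __post_init__(self) -> None:
        if self.offset < 0 or self.length <= 0:
            raise ValueError("offset must be >= 0 and length must be > 0")
        if len(self.mask) != self.length or len(self.value) != self.length:
            raise ValueError("mask and value must both be exactly `length` bytes")


def generic_rule_matches(packet: bytes, rule: GenericRule) -> bool:
    """Return True when (packet[offset:offset+length] & mask) == value.

    A packet too short to contain the whole window cannot match: the field
    being tested is simply not present, so the rule must not fire on it.
    """
    window = packet[rule.offset:rule.offset + rule.length]
    if len(window) < rule.length:
        return False
    masked = bytes(b & m for b, m in zip(window, rule.mask))
    return masked == rule.value


def apply_generic_rule(packet: bytes, rule: GenericRule) -> str:
    """Return the configured action for this packet."""
    if generic_rule_matches(packet, rule):
        return rule.action_matched
    return rule.action_not_matched


# Constructed Ethernet frames: 6-byte destination, 6-byte source, 2-byte EtherType, payload.
IPX_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "8137") + b"\x00" * 20  # 0x8137 = IPX
IP_FRAME = bytes.fromhex("00aabbccddee" "001122334455" "0800") + b"\x00" * 20   # 0x0800 = IPv4
RUNT = b"\x00" * 8                                                            # shorter than offset+length

# Constructed rules. The mask matters in the second one: only bit 0 of the first
# destination byte is compared, which is the multicast/broadcast bit.
DROP_IPX = GenericRule(offset=12, length=2, mask=b"\xff\xff", value=b"\x81\x37")
DROP_MULTICAST_DST = GenericRule(offset=0, length=1, mask=b"\x01", value=b"\x01")


def evaluate_all(packet: bytes) -> dict:
    """How each constructed rule treats a packet, keyed by rule name."""
    return {
        "ipx": apply_generic_rule(packet, DROP_IPX),
        "multicast": apply_generic_rule(packet, DROP_MULTICAST_DST),
    }


if __name__ == "__main__":
    for name, frame in (("IPX", IPX_FRAME), ("IP", IP_FRAME), ("runt", RUNT)):
        print(name, evaluate_all(frame))
```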
  • Page 626: Example Filter

    Chapter 40 Filter Configuration Table 233 Generic Filter Rule Menu Fields FIELD DESCRIPTION Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged.
  • Page 627: Figure 411 Example Filter: Menu 21.1.3.1

    Figure 411 Example Filter: Menu 21.1.3.1 Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 Destination: IP Addr= 0.0.0.0 TCP Estab= No More= No Action Matched= Drop Action Not Matched= Forward Press Space Bar to Toggle. The port number for the telnet service (TCP protocol) is 23.
  • Page 628: Filter Types And Nat

    Chapter 40 Filter Configuration After you’ve created the filter set, you must apply it. 1 Enter 11 from the main menu to go to menu 11. 2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile. 3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. 4 This brings you to menu 11.1.4.
  • Page 629: Firewall

    40.5.1.1 When To Use Filtering 1 To block/allow LAN packets by their MAC addresses. 2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 630: Applying Lan Filters

    Chapter 40 Filter Configuration If you do not activate the firewall, it is advisable to apply filters. 40.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 631: Applying Remote Node Filters

    40.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
  • Page 633: Snmp Configuration

    CHAPTER 41 SNMP Configuration This chapter explains SNMP configuration menu 22. 41.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
  • Page 634: Snmp Traps

    Chapter 41 SNMP Configuration Table 234 SNMP Configuration Menu Fields (continued) FIELD DESCRIPTION Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 635: System Information & Diagnosis

    CHAPTER 42 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 42.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
  • Page 636: Figure 419 Menu 24.1: System Maintenance: Status

    Chapter 42 System Information & Diagnosis 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 419 Menu 24.1: System Maintenance: Status Port Status...
  • Page 637: System Information And Console Port Speed

    Table 236 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION Ethernet Address This is the MAC address of the port listed on the left. IP Address This is the IP address of the port listed on the left. IP Mask This is the IP mask of the port listed on the left.
  • Page 638: Console Port Speed

    Chapter 42 System Information & Diagnosis Figure 421 Menu 24.2.1: System Maintenance: Information The following table describes the fields in this screen. Table 237 Fields in System Maintenance: Information FIELD Name Routing ZyNOS F/W Version Country Code Ethernet Address IP Address IP Mask DHCP When finished viewing, press [ESC] or [ENTER] to exit.
  • Page 639: Log And Trace

    Figure 422 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Space Bar to Toggle. 42.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally.
  • Page 640: Syslog Logging

    Chapter 42 System Information & Diagnosis Figure 424 Examples of Error and Information Messages 52 Thu Jul 1 05:54:53 2004 PP05 53 Thu Jul 1 05:54:53 2004 PINI 54 Thu Jul 1 05:54:56 2004 PP05 -WARN 55 Thu Jul 1 05:54:56 2004 PP0d 57 Thu Jul 1 05:54:56 2004 PP0d 58 Thu Jul...
  • Page 641 1 CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call reference number which starts from 1 and increments by 1 for each new call str = C01 Outgoing Call dev xx ch xx (dev:device No.
  • Page 642 Chapter 42 System Information & Diagnosis Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
  • Page 643: Call-Triggering Packet

    5 Firewall log Firewall Log Message Format SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action] Src: Source Address spo: Source port (empty means no source port information) Dst: Destination Address dpo: Destination port (empty means no destination port information) prot: Protocol ("TCP","UDP","ICMP", "IGMP", "GRE", "ESP") rule: <a,b>...
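A parser for the two syslog message formats documented above (the filter log "IP[…] S04>R01mD" form and the firewall log "IP[… | prot | rule | action]" form), as an added example that is not code from ZyXEL or the manual: the sample lines are constructed, only the "m" (match) and "D" (drop) codes the text spells out are decoded, the firewall rule field is kept verbatim, and an empty port field is reported as missing rather than as port 0.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Filter log: IP[Src=a.b.c.d Dst=a.b.c.d prot spo=xxxx dpo=xxxx] S04>R01mD
_FILTER_RE = re.compile(
    r"^IP\[Src=(?P<src>\S+)\s+Dst=(?P<dst>\S+)\s+(?P<prot>\S+)\s+"
    r"spo=(?P<spo>\d*)\s+dpo=(?P<dpo>\d*)\]\s+"
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[A-Za-z])(?P<action>[A-Za-z])$"
)

# Firewall log: IP[Src=a.b.c.d : spo=xxxx Dst=a.b.c.d : dpo=xxxx | prot | rule | action]
_FIREWALL_RE = re.compile(
    r"^IP\[Src=(?P<src>[^\s:]+)\s*:\s*spo=(?P<spo>\d*)\s+"
    r"Dst=(?P<dst>[^\s:]+)\s*:\s*dpo=(?P<dpo>\d*)\s*\|\s*"
    r"(?P<prot>[^|]*?)\s*\|\s*(?P<rule>[^|]*?)\s*\|\s*(?P<action>[^\]]*?)\s*\]$"
)

# Only the codes the manual documents are decoded; any other letter is kept raw.
_MATCH_CODES = {"m": "match"}
_ACTION_CODES = {"D": "drop"}


def _port(text: str) -> Optional[int]:
    """An empty port field means the log carried no port information."""
    return int(text) if text else None


@dataclass(frozen=True)
class FilterEvent:
    src: str
    dst: str
    prot: str
    spo: Optional[int]
    dpo: Optional[int]
    filter_set: int
    rule: int
    matched: str      # "match", or the raw code if it is not documented
    action: str       # "drop", or the raw code if it is not documented


@dataclass(frozen=True)
class FirewallEvent:
    src: str
    dst: str
    prot: str
    spo: Optional[int]
    dpo: Optional[int]
    rule: str         # kept verbatim, e.g. "<a,b>"
    action: str


def parse_filter_log(line: str) -> Optional[FilterEvent]:
    m = _FILTER_RE.match(line.strip())
    if not m:
        return None
    return FilterEvent(
        src=m["src"], dst=m["dst"], prot=m["prot"],
        spo=_port(m["spo"]), dpo=_port(m["dpo"]),
        filter_set=int(m["set"]), rule=int(m["rule"]),
        matched=_MATCH_CODES.get(m["match"], m["match"]),
        action=_ACTION_CODES.get(m["action"], m["action"]),
    )


def parse_firewall_log(line: str) -> Optional[FirewallEvent]:
    m = _FIREWALL_RE.match(line.strip())
    if not m:
        return None
    return FirewallEvent(
        src=m["src"], dst=m["dst"], prot=m["prot"],
        spo=_port(m["spo"]), dpo=_port(m["dpo"]),
        rule=m["rule"], action=m["action"],
    )


def parse_zywall_log(line: str) -> Union[FilterEvent, FirewallEvent, None]:
    """Try the filter format first, then the firewall format; None if neither fits."""
    return parse_filter_log(line) or parse_firewall_log(line)


# Constructed sample messages in the two documented formats (not real captures).
SAMPLE_LINES = [
    "IP[Src=192.168.1.33 Dst=10.0.0.5 TCP spo=1027 dpo=23] S04>R01mD",
    "IP[Src=10.0.0.9 : spo= Dst=192.168.1.1 : dpo= | ICMP | <1,3> | drop]",
    "IP[Src=172.16.0.7 : spo=40000 Dst=192.168.1.1 : dpo=80 | TCP | <2,1> | forward]",
    "garbage line that matches neither format",
]


def drops_by_filter_rule(lines) -> dict:
    """Count dropped packets per (filter set, rule), the counters worth trending."""
    counts: dict = {}
    for line in lines:
        ev = parse_filter_log(line)
        if ev and ev.action == "drop":
            key = (ev.filter_set, ev.rule)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_zywall_log(line))
    print(drops_by_filter_rule(SAMPLE_LINES))
```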
  • Page 644: Diagnostic

    Chapter 42 System Information & Diagnosis Figure 426 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Frame Type: IP Header: IP Version Header Length Type of Service Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Destination IP TCP Header: Source Port...
  • Page 645: Wan Dhcp

    Figure 427 Menu 24.4: System Maintenance: Diagnostic Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1. Ping Host 2. WAN DHCP Release 3. WAN DHCP Renewal 4. PPPoE/PPTP/3G Setup Test System 11. Reboot System Enter Menu Selection Number: WAN= Host IP Address= N/A 42.5.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in LAN DHCP has already been discussed.
  • Page 646: Table 239 System Maintenance Menu Diagnostic

    Chapter 42 System Information & Diagnosis Table 239 System Maintenance Menu Diagnostic FIELD Ping Host WAN DHCP Release WAN DHCP Renewal PPPoE/PPTP/3G Setup Test Reboot System Host IP Address Enter the number of the selection you would like to perform or press [ESC] to cancel. DESCRIPTION Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN.
  • Page 647: Firmware And Configuration File Maintenance

    CHAPTER 43 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 43.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware.
  • Page 648: Backup Configuration

    Chapter 43 Firmware and Configuration File Maintenance The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary.
  • Page 649: Using The Ftp Command From The Command Line

    Figure 429 Telnet into Menu 24.5 To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested. 3.
  • Page 650: Gui-Based Ftp Clients

    Chapter 43 Firmware and Configuration File Maintenance 43.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. Table 241 General Commands for GUI-based FTP Clients COMMAND Host Address Login Type Transfer Type Initial Remote Directory Initial Local Directory...
  • Page 651: Tftp Command Example

    4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. 5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital O). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
  • Page 652: Restore Configuration

    Chapter 43 Firmware and Configuration File Maintenance Figure 431 System Maintenance: Backup Configuration Ready to backup Configuration via Xmodem. Do you want to continue (y/n): 2 The following screen indicates that the Xmodem download has started. Figure 432 System Maintenance: Starting Xmodem Download Screen You can enter ctrl-x to terminate operation any time.
  • Page 653: Restore Using Ftp

    FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL.
  • Page 654: Restore Using Ftp Session Example

    Chapter 43 Firmware and Configuration File Maintenance 8 Enter “quit” to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process. 43.4.2 Restore Using FTP Session Example Figure 436 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK...
  • Page 655: Uploading Firmware And Configuration Files

    Figure 439 Restore Configuration Example 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 440 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot. 43.5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
  • Page 656: Configuration File Upload

    Chapter 43 Firmware and Configuration File Maintenance Figure 441 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 657: Ftp File Upload Command From The Dos Prompt Example

    43.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “1234”).
  • Page 658: Tftp Upload Command Example

    Chapter 43 Firmware and Configuration File Maintenance 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted.
  • Page 659: Example Xmodem Firmware Upload Using Hyperterminal

    Figure 444 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atur" after "Enter Debug Mode" message. 3.
  • Page 660: Example Xmodem Configuration Upload Using Hyperterminal

    Chapter 43 Firmware and Configuration File Maintenance Figure 446 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 661: System Maintenance Menus 8 To 10

    CHAPTER 44 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 44.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 662: Command Syntax

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 449 Valid Commands Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 663: Call Control Support

    Table 243 Valid Commands COMMAND DESCRIPTION certificates These commands display certificate information and configure certificate settings. 8021x These commands configure 802.1x settings and display 802.1x information. radius These commands display RADIUS information and configure RADIUS settings. 44.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history.
  • Page 664: Call History

    Chapter 44 System Maintenance Menus 8 to 10 Figure 451 Budget Management Menu 24.9.1 - Budget Management Remote Node 1.WAN_1 2.WAN_2 3.Dial The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
  • Page 665: Time And Date Setting

    Figure 452 Call History Menu 24.9.2 - Call History Phone Number Enter Entry to Delete(0 to exit): The following table describes the fields in this screen. Table 245 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here. This shows whether the call was incoming or outgoing.
  • Page 666: Figure 453 Menu 24: System Maintenance

    Chapter 44 System Maintenance Menus 8 to 10 Figure 453 Menu 24: System Maintenance 10. Time and Date Setting 11. Remote Management Setup Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
  • Page 667: Table 246 Menu 24.10 System Maintenance: Time And Date Setting

    The following table describes the fields in this screen. Table 246 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 669: Remote Management

    CHAPTER 45 Remote Management This chapter covers remote management found in SMT menu 24.11. 45.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access.
  • Page 670: Figure 455 Menu 24.11 - Remote Management Control

    Chapter 45 Remote Management Figure 455 Menu 24.11 – Remote Management Control TELNET Server: FTP Server: SSH Server: HTTPS Server: HTTP Server: SNMP Service: DNS Service: The following table describes the fields in this screen. Table 247 Menu 24.11 – Remote Management Control FIELD DESCRIPTION Telnet Server...
  • Page 671: Remote Management Limitations

    Table 247 Menu 24.11 – Remote Management Control (continued) FIELD DESCRIPTION Authenticate Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to Client authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that Certificates the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see...
  • Page 673: Ip Policy Routing

    CHAPTER 46 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 46.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 674: Ip Routing Policy Setup

    Chapter 46 IP Policy Routing Table 248 Menu 25: Sample IP Routing Policy Summary (continued) FIELD Criteria/Action Select Command Select Rule When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to save your configuration, or press [ESC] at any time to cancel. Table 249 IP Routing Policy Setup ABBREVIATION Criterion...
  • Page 675: Figure 457 Menu 25.1: Ip Routing Policy Setup

    2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure). Figure 457 Menu 25.1: IP Routing Policy Setup Menu 25.1 - IP Routing Policy Setup Rule Index= 1...
  • Page 676: Applying Policy To Packets

    Chapter 46 IP Policy Routing Table 250 Menu 25.1: IP Routing Policy Setup FIELD addr start / end port start / end Action Gateway Type Gateway addr Remote Node Idx Redirect Packet Type of Service Precedence Edit policy to packets received from When you have completed this menu, press [ENTER] at the prompt "Press [ENTER] to confirm or [ESC] to cancel"...
  • Page 677: Ip Policy Routing Example

    Figure 458 Menu 25.1.1: IP Routing Policy Setup Menu 25.1.1 - IP Routing Policy Setup Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen. Table 251 Menu 25.1.1: IP Routing Policy Setup FIELD DESCRIPTION LAN/DMZ/WLAN/...
  • Page 678: Figure 459 Example Of Ip Policy Routing

    Chapter 46 IP Policy Routing Figure 459 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
  • Page 679: Figure 461 Ip Routing Policy Example 2

    2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port. 3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly. 4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).
  • Page 681: Call Scheduling

    CHAPTER 47 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 47.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 682: Figure 463 Schedule Set Setup

    Chapter 47 Call Scheduling To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
  • Page 683: Figure 464 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Table 252 Schedule Set Setup (continued) FIELD DESCRIPTION If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER]. Start Time Enter the start time when you wish the schedule set to take effect in hour-minute format.
  • Page 684: Figure 465 Applying Schedule Set(S) To A Remote Node (Pptp)

    Chapter 47 Call Scheduling Figure 465 Applying Schedule Set(s) to a Remote Node (PPTP) Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Outgoing= PPTP: Press ENTER to Confirm or ESC to Cancel: Menu 11.1 - Remote Node Profile My Login= My Password= ******** Retype to Confirm= ********...
  • Page 685: Troubleshooting And Specifications

    Troubleshooting and Specifications Troubleshooting (687) Product Specifications (693)
  • Page 687: Troubleshooting

    CHAPTER 48 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access 48.1 Power, Hardware Connections, and LEDs The ZyWALL does not turn on.
  • Page 688: Zywall Access And Login

    Chapter 48 Troubleshooting 48.2 ZyWALL Access and Login I forgot the LAN IP address for the ZyWALL. 1 The default LAN IP address is 192.168.1.1. 2 Use the console port to log in to the ZyWALL. 3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer.
  • Page 689 • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See by default. 6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address.
  • Page 690: Internet Access

    Chapter 48 Troubleshooting See the troubleshooting suggestions for configurator. Ignore the suggestions about your browser. I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troubleshooting suggestions for configurator.
  • Page 691 I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and 2 Check the schedule rules.
  • Page 693: Product Specifications

    CHAPTER 49 Product Specifications This chapter gives details about your ZyWALL’s hardware and firmware features. 49.1 General ZyWALL Specifications The following tables summarize the ZyWALL’s hardware and firmware features. Table 253 Hardware Specifications Dimensions Weight Power Specification Ethernet Interface LAN/DMZ Reset Button...
  • Page 694 Chapter 49 Product Specifications Table 254 Firmware Specifications FEATURE Default IP Address Default Subnet Mask Default Password Default DHCP Pool Device Management Wireless Functionality Firmware Upgrade Configuration Backup & Restoration Network Address Translation (NAT) Port Forwarding DHCP (Dynamic Host Configuration Protocol) Dynamic DNS Support IP Multicast IP Alias...
  • Page 695: Table 255 Feature Specifications

    Table 254 Firmware Specifications FEATURE Firewall Content Filter IPSec VPN Bandwidth Management Remote Management Table 255 Feature Specifications FEATURE Local User Database Entries Static DHCP Table Entries Static Routes Policy Routes Concurrent Sessions (NAT sessions) Address Mapping Rules Port Forwarding Rules Configurable IPSec VPN Network Policies (including network policies in the recycle bin) Simultaneous IPSec VPN Connections...
  • Page 696: Compatible 3G Cards

    Chapter 49 Product Specifications Table 255 Feature Specifications (continued) FEATURE User Licenses Output Power (Maximum) 49.2 Compatible 3G Cards At the time of writing, you can use the following 3G wireless cards in the ZyWALL. The table also shows you the 3G features supported by the compatible 3G cards. Table 256 3G Features Supported By Compatible 3G Cards SIERRA 3G CARD...
  • Page 697: Card Installation

    49.3 3G Card Installation Do not insert or remove a card with the ZyWALL turned on. Make sure the ZyWALL is off before inserting or removing a 3G card (to avoid damage). Slide the connector end of the card into the slot. Only use a compatible 3G card.
  • Page 698: Figure 466 Wall-Mounting Example

    Chapter 49 Product Specifications Figure 466 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 467 Masonry Plug and M4 Tap Screw ZyWALL 2WG User’s Guide...
  • Page 699: Power Adaptor Specifications

    49.5 Power Adaptor Specifications NORTH AMERICAN PLUG STANDARDS AC POWER ADAPTOR MODEL INPUT POWER OUTPUT POWER POWER CONSUMPTION SAFETY STANDARDS EUROPEAN PLUG STANDARDS AC POWER ADAPTOR MODEL INPUT POWER OUTPUT POWER POWER CONSUMPTION SAFETY STANDARDS UNITED KINGDOM PLUG STANDARDS AC POWER ADAPTOR MODEL INPUT POWER OUTPUT POWER POWER CONSUMPTION...
  • Page 700: Cable Pin Assignments

    Chapter 49 Product Specifications CHINA PLUG STANDARDS OUTPUT POWER POWER CONSUMPTION SAFETY STANDARDS 49.6 Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port.
  • Page 701: Table 259 Ethernet Cable Pin Assignments

    Table 258 Console Cable Pin Assignments PIN DEFINITION RJ-45 END Table 259 Ethernet Cable Pin Assignments WAN / LAN ETHERNET CABLE PIN LAYOUT Straight-through (Switch) 1 IRD + 2 IRD - 3 OTD 6 OTD - ZyWALL 2WG User’s Guide Chapter 49 Product Specifications DB-9M (MALE) Crossover...
  • Page 703: Appendices And Index

    VIII Appendices and Index The appendices provide general information. Some details may not apply to your ZyWALL. Pop-up Windows, JavaScripts and Java Permissions (705) Setting up Your Computer’s IP Address (713) IP Addresses and Subnetting (729) Common Services (737) Wireless LANs (741) Importing Certificates (755) Legal Information (765) Customer Support (769)
  • Page 705: Appendix A Pop-Up Windows, Javascripts And Java Permissions

    APPENDIX A Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Internet Explorer 6 screens are used here.
  • Page 706: Figure 470 Internet Options: Privacy

    Appendix A Pop-up Windows, JavaScripts and Java Permissions 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 470 Internet Options: Privacy 3 Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
  • Page 707: Figure 471 Internet Options: Privacy

    Figure 471 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 472 Pop-up Blocker Settings ZyWALL 2WG User’s Guide Appendix A Pop-up Windows, JavaScripts and Java Permissions...
  • Page 708: Figure 473 Internet Options: Security

    Appendix A Pop-up Windows, JavaScripts and Java Permissions 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 709: Figure 474 Security Settings - Java Scripting

    Figure 474 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window.
  • Page 710: Figure 476 Java (Sun)

    Appendix A Pop-up Windows, JavaScripts and Java Permissions JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 476 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here.
  • Page 711: Figure 477 Mozilla Firefox: Tools > Options

    Appendix A Pop-up Windows, JavaScripts and Java Permissions Figure 477 Mozilla Firefox: Tools > Options Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 478 Mozilla Firefox Content Security ZyWALL 2WG User’s Guide...
  • Page 713: Appendix B Setting Up Your Computer's Ip Address

    APPENDIX B Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 714: Figure 479 Windows 95/98/Me: Network: Configuration

    Appendix B Setting up Your Computer’s IP Address Figure 479 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 715: Figure 480 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
  • Page 716: Figure 481 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Appendix B Setting up Your Computer’s IP Address Figure 481 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window.
  • Page 717: Figure 482 Windows Xp: Start Menu

    Figure 482 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 483 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. ZyWALL 2WG User’s Guide Appendix B Setting up Your Computer’s IP Address...
  • Page 718: Figure 484 Windows Xp: Control Panel: Network Connections: Properties

    Figure 484 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 485 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 719: Figure 486 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Figure 486 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 720: Figure 487 Windows Xp: Advanced Tcp/Ip Properties

    Figure 487 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 721: Figure 488 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Figure 488 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 722: Figure 489 Macintosh Os 8/9: Apple Menu

    Figure 489 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 490 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: •...
  • Page 723: Figure 491 Macintosh Os X: Apple Menu

    • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration. 7 Turn on your ZyWALL and restart your computer (if prompted).
  • Page 724: Figure 492 Macintosh Os X: Network

    Figure 492 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 725: Figure 493 Red Hat 9.0: Kde: Network Configuration: Devices

    Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer’s IP address using KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 726: Figure 495 Red Hat 9.0: Kde: Network Configuration: Dns

    • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 727: Figure 497 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Figure 497 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp USERCTL=no PEERDNS=yes TYPE=Ethernet • If you have a static IP address, enter IPADDR= followed by the IP address (in dotted decimal notation), then the subnet mask. The following example shows a static IP address of 192.168.1.10 and a subnet mask of 255.255.255.0.
  • Page 728: Figure 501 Red Hat 9.0: Checking Tcp/Ip Properties

    Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 501 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet inet addr:172.23.19.129 UP BROADCAST RUNNING MULTICAST RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100...
  • Page 729: Appendix C Ip Addresses And Subnetting

    Appendix C IP Addresses and Subnetting. This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network.
  • Page 730: Figure 502 Network Number And Host Id

    Appendix C IP Addresses and Subnetting Figure 502 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation).
  • Page 731: Table 261 Subnet Masks

    Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Table 261 Subnet Masks BINARY OCTET 8-bit mask 11111111 16-bit mask 11111111 24-bit mask 11111111...
  • Page 732: Figure 503 Subnetting Example: Before Subnetting

    Table 263 Alternative Subnet Mask Notation (continued) SUBNET MASK 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.
  • Page 733: Figure 504 Subnetting Example: After Subnetting

    Figure 504 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 = 128 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address).
  • Page 734: Table 265 Subnet 2

    Table 265 Subnet 2 (columns: IP/Subnet Mask, IP Address, IP Address (Binary), Subnet Mask (Binary)): Subnet Address: 192.168.1.64; Broadcast Address: 192.168.1.127. Table 266 Subnet 3 (same columns): Subnet Address: 192.168.1.128; Broadcast Address: ...
  • Page 735: Table 269 24-Bit Network Number Subnet Planning

    Table 268 Eight Subnets (continued) SUBNET SUBNET ADDRESS Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. Table 269 24-bit Network Number Subnet Planning NO. “BORROWED” HOST BITS The following table is a summary for subnet planning on a network with a 16-bit network number.
  • Page 736 Table 270 16-bit Network Number Subnet Planning (continued) NO. “BORROWED” HOST BITS Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
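As an added worked example (not the guide's own code) of the subnetting arithmetic this appendix describes: the network number as the logical AND of address and mask, the broadcast address as the host bits set to all ones, the "borrowed host bits" rows of the planning tables, and a cross-check against Python's standard ipaddress module. The 192.168.1.x values are the ones in Tables 265 to 268; the function names are mine.

```python
# Added example, not ZyXEL code: subnet arithmetic on the appendix's 192.168.1.0/24 network.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_from_prefix(prefix: int) -> int:
    """32-bit subnet mask for a prefix length, e.g. 25 -> 255.255.255.128."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def to_dotted(value: int) -> str:
    """Render a 32-bit integer in dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def from_dotted(text: str) -> int:
    """Parse dotted decimal notation into a 32-bit integer, rejecting bad octets."""
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for octet in octets:
        number = int(octet)
        if not 0 <= number <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | number
    return value


def subnet_info(address: str, prefix: int) -> dict:
    """Network number, broadcast and host capacity of the subnet holding `address`."""
    mask = mask_from_prefix(prefix)
    value = from_dotted(address)
    network = value & mask                      # logical AND keeps the network bits
    broadcast = network | (~mask & ALL_ONES)    # every host bit set to one
    host_bits = 32 - prefix
    total = 2 ** host_bits
    # All-zeros host ID is the subnet address and all-ones is broadcast, so
    # neither is assignable; /31 and /32 leave no room for that convention.
    usable = total - 2 if host_bits >= 2 else 0
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "host_bits": host_bits,
        "total_addresses": total,
        "usable_hosts": usable,
    }


def split_network(network: str, prefix: int, borrowed_bits: int) -> list:
    """Subnet addresses obtained by borrowing `borrowed_bits` host bits."""
    new_prefix = prefix + borrowed_bits
    if new_prefix > 32:
        raise ValueError("cannot borrow more host bits than exist")
    base = from_dotted(network) & mask_from_prefix(prefix)
    block = 2 ** (32 - new_prefix)              # addresses per subnet
    return [to_dotted(base + i * block) for i in range(2 ** borrowed_bits)]


def planning_row(network_bits: int, borrowed_bits: int) -> tuple:
    """One row of the planning tables: (subnet mask, number of subnets, hosts per subnet)."""
    info = subnet_info("0.0.0.0", network_bits + borrowed_bits)
    return info["mask"], 2 ** borrowed_bits, info["usable_hosts"]


def agrees_with_stdlib(address: str, prefix: int) -> bool:
    """Cross-check the hand-rolled arithmetic against the ipaddress module."""
    ours = subnet_info(address, prefix)
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    return (ours["network"] == str(net.network_address)
            and ours["broadcast"] == str(net.broadcast_address)
            and ours["mask"] == str(net.netmask))
```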
  • Page 737: Appendix D Common Services

    Appendix D Common Services. The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site. •...
  • Page 738 Table 271 Commonly Used Services (continued) NAME H.323 HTTP HTTPS ICMP IGMP (MULTICAST) User-Defined MSN Messenger NEW-ICQ NEWS NNTP PING POP3 PPTP PPTP_TUNNEL (GRE) RCMD REAL_AUDIO REXEC RLOGIN PROTOCOL PORT(S) DESCRIPTION File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
  • Page 739 Table 271 Commonly Used Services (continued) NAME PROTOCOL RTELNET RTSP TCP/UDP SFTP SMTP SNMP TCP/UDP SNMP-TRAPS TCP/UDP SQL-NET TCP/UDP STRM WORKS SYSLOG TACACS TELNET TFTP VDOLIVE PORT(S) DESCRIPTION Remote Telnet. The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
  • Page 741: Appendix E Wireless Lans

    Appendix E Wireless LANs. Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 742: Figure 506 Basic Service Set

    Appendix E Wireless LANs Figure 506 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 743: Figure 507 Infrastructure Wlan

    Figure 507 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference.
  • Page 744: Figure 508 Rts/Cts

    Figure 508 RTS/CTS When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 745: Table 272 Ieee 802.11G

    If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see above), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach the RTS/CTS size. Preamble Type Preamble is used to signal that data is coming to the receiver.
  • Page 746: Table 273 Wireless Security Levels

    Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyWALL.
  • Page 747: Types Of Radius Messages

    Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
  • Page 748 For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.
  • Page 749: Table 274 Comparison Of Eap Authentication Types

    Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen.
  • Page 750 Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.
  • Page 751: Figure 509 Wpa(2) With Radius Application Example

    Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration"...
  • Page 752: Figure 510 Wpa(2)-Psk Authentication

    3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys.
  • Page 753: Antenna Characteristics

    Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.
  • Page 754 Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up.
  • Page 755: Appendix F Importing Certificates

    Appendix F Importing Certificates. This appendix shows examples of importing certificates using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.
  • Page 756: Figure 512 Login Screen

    Appendix F Importing Certificates Figure 512 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 513 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
  • Page 757: Figure 514 Certificate Import Wizard 1

    Figure 514 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 515 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
  • Page 758: Figure 516 Certificate Import Wizard 3

    Figure 516 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 517 Root Certificate Store
  • Page 759: Figure 518 Certificate General Information After Import

    Figure 518 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA into the ZyWALL in order for Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 760: Figure 519 Zywall Trusted Ca Screen

    Figure 519 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 761: Figure 520 Ca Certificate Example

    Figure 520 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 762: Figure 522 Personal Certificate Import Wizard 2

    2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 522 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
  • Page 763: Figure 524 Personal Certificate Import Wizard 4

    Figure 524 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 525 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
  • Page 764: Figure 527 Access The Zywall Via Https

    Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter https://ZyWALL IP Address/ in your browser’s web address field. Figure 527 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL.
  • Page 765: Appendix G Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 766 Appendix G Legal Information This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
  • Page 767: Zyxel Limited Warranty

    This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. This Class B digital apparatus complies with Canadian ICES-003 (NMB-003). Viewing Certifications 1 Go to http://www.zyxel.com.
  • Page 769: Appendix H Customer Support

    • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com, www.europe.zyxel.com • FTP: ftp.zyxel.com, ftp.europe.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan Costa Rica • Support E-mail: soporte@zyxel.co.cr • Sales E-mail: sales@zyxel.co.cr •...
  • Page 770 Appendix H Customer Support • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk • Telephone: +45-39-55-07-00 • Fax: +45-39-55-07-07 • Web: www.zyxel.dk • Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark Finland •...
  • Page 771 India • Support E-mail: support@zyxel.in • Sales E-mail: sales@zyxel.in • Telephone: +91-11-30888144 to +91-11-30888153 • Fax: +91-11-30888149, +91-11-26810715 • Web: http://www.zyxel.in • Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India Japan •...
  • Page 772 • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no • Telephone: +47-22-80-61-80 • Fax: +47-22-80-61-81 • Web: www.zyxel.no • Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway Poland •...
  • Page 773 • Telephone: +44-1344-303044, 08707-555779 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • FTP: ftp.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
  • Page 775: Index

    Numerics introduction 3G. see third generation 9600 baud Access point See also AP. access point active protocol and encapsulation Address Assignment address assignment Advanced Encryption Standard See AES. and transport mode STUN allocated budget 550, 586 alternative subnet mask notation antenna directional gain...
  • Page 776 Index 349, 748 call back delay call control call history call scheduling max number of schedule sets PPPoE precedence setting up a schedule call-triggering packet certificate Certificate Authority See CA. certificates and IKE SA thumbprint algorithms thumbprints verifying fingerprints Certification Authority. See CA. certifications notices viewing...
  • Page 777 disclaimer IP alias setup port filter setup setup TCP/IP setup DNS Server For VPN Host DNS server address assignment DNS service domain name 511, 638 Domain Name System. See DNS. 239, 263 drop timeout DSL modem 198, 548 Dynamic DNS 436, 437 Dynamic Host Configuration Protocol.
  • Page 778 file maintenance upload firmware upload flow control fragmentation threshold 436, 453 commands file upload firmware upload GUI-based clients restoring files service gateway IP address 567, 588, 593 general setup 511, 539 Greenwich Mean Time. See GMT. Group Key Update Timer H.323 Hello BPDU hidden menus...
  • Page 779 local and remote network any local policy manual keys misconfiguration nail up Perfect Forward Secrecy (PFS) proposal remote policy SA life time Security Parameter Index (SPI) (manual keys) transport mode tunnel mode when IKE SA is disconnected 310, 318 IPSec SA. See also VPN. IPSec.
  • Page 780 NetBIOS NetBIOS Name Server. See NBNS. Network Address Translation. See NAT. Network Basic Input/Output System. See NetBIOS. NNTP service NTP time protocol one minute high one minute low online services center outgoing protocol filter overlap in VPN packet filtering Pairwise Master Key (PMK) 750, 752 550, 556, 586...
  • Page 781 HTTPS example limitations 440, 671 secure FTP using SSH secure telnet using SSH SNMP SSH implementation system timeout Telnet remote node filter 554, 589 reports host IP address 488, 489 protocol/port 488, 490 web site hits 488, 489 required fields reset button resetting the time resetting the ZyWALL...
  • Page 782 password Trap trusted host SNMP service source address 259, 278 source-based routing Spanning Tree Protocol. See STP. how SSH works implementation SSID hide SSID profile stateful inspection firewall static route static WEPkey stop bit BPDU Hello BPDU how it works Max Age port states STUN...
  • Page 783 Vantage CNM virtual address mapping virtual address mapping over VPN virtual interfaces vs asymmetrical routes vs triangle routes Virtual Private Network. See VPN. 184, 301 active protocol adjust TCP maximum segment size and NAT and the firewall avoiding overlap certificate established in two phases gateway policy 90, 303, 304, 312...
  • Page 784 Xmodem file upload protocol ZyNOS 638, 648 ZyWALL registration ZyXEL’s Network Operating System. See ZyNOS.
