ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
ZyWALL 2 and ZyWALL 2WE Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
Congratulations on your purchase of the ZyWALL 2/2WE Internet Security Gateway. About This User's Manual This manual is designed to guide you through the configuration of your ZyWALL for its various applications. This manual may refer to the ZyWALL 2/2WE Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 2 and 2WE models.
• A single keystroke is in Arial font and enclosed in square brackets, for instance, [ENTER] means the Enter, or carriage return, key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys. •...
This chapter introduces the main features and applications of the ZyWALL. Introducing the ZyWALL 2/2WE Internet Security Gateway The ZyWALL 2 and 2WE (Wireless LAN Embedded) are ideal secure gateways for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, ZyXEL’s ZyWALL 2/2WE is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
ZyWALL 2 and ZyWALL 2WE Auxiliary Port The ZyWALL 2 and 2WE use the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection when/if ever the broadband connection to the WAN port fails.
RADIUS (RFC2138, 2139) The ZyWALL 2WE uses RADIUS (Remote Authentication Dial In User Service) to have a server handle authentication, authorization and accounting for your wireless network. IEEE 802.1x for Network Security The ZyWALL 2WE supports the IEEE 802.1x standard, which works with IEEE 802.11 to enhance user authentication.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time. Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet.
DHCP (Dynamic Host Configuration Protocol) DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client.
Figure 1-1 Secure Internet Access and VPN Application 1.3.2 Wireless LAN Application The ZyWALL 2WE is an ideal access solution for wireless Internet connections for a small office or home environment. A typical Internet access application is shown next. Figure 1-2 ZyWALL 2WE Wireless LAN Application Getting to Know Your ZyWALL...
This chapter explains the LEDs and ports as well as how to connect the hardware. The wireless Introduction to Hardware Installation This chapter provides graphics of the front and rear panels, descriptions of the ZyWALL’s front panel LEDs and hardware connection instructions. Front Panel LEDs The LEDs on the front panel indicate the operational status of the ZyWALL.
LED Descriptions The following table describes the LED functions. The SYS and WLAN LEDs apply to the ZyWALL 2WE. (Table 2-1 LED Descriptions: LED name, colour, status and description.)
ZyWALL Rear Panels and Connections The following figure shows the rear panels of the ZyWALL. Figure 2-3 ZyWALL 2WE Rear Panel Figure 2-4 ZyWALL 2 Rear Panel Hardware Connections This section outlines how to connect your ZyWALL. If you want to connect a cable modem, you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the cable modem. Connect a DSL modem to the DSL wall jack. See the Safety Warnings and Instructions Appendix for safety instructions when making connections to the ZyWALL.
2.5.1 Connecting a Broadband Modem to the WAN Port You need a cable/DSL/wireless modem and an ISP account. Connecting the ZyWALL to a cable modem: Connect the port labeled WAN on the ZyWALL to the Ethernet port on the cable modem using the Ethernet cable that came with your cable modem.
2.5.6 Antennas The ZyWALL 2WE is equipped with two reverse SMA connectors and two detachable omni-directional 2 dBi antennas to provide a clear radio signal between the wireless stations and the access points. Refer to the Antennas appendix for more information. The following table shows the ZyWALL’s coverage (in meters) using the included antennas.
Initial Setup and Configuration Part II: Initial Setup and Configuration This part covers Introducing the Web Configurator, Introducing the SMT, SMT Menu 1 General Setup, WAN Setup, LAN Setup, Wireless LAN Security and Internet Access.
Introducing the Web Configurator This chapter describes how to access and navigate the ZyWALL web configurator. Introduction to the Web Configurator The embedded web configurator is easy to navigate and use to configure the ZyWALL. The web configurator is independent of the operating system platform you use. Use the directions in this chapter in order to access and navigate the web configurator.
The ZyWALL automatically times out after five minutes of inactivity. Simply log back into the ZyWALL if this happens to you. Web Configurator Navigation Click a link on the navigation panel on the left to open a screen or a submenu. Click WIZARD SETUP for initial configuration including general setup, ISP parameters for Internet Access and WAN IP/DNS Server/MAC...
When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
Please note that if there is no activity for longer than five minutes after you log in, your ZyWALL automatically logs you out and displays a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again. Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL.
4.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4. Internet Access Setup Advanced Applications 11.
Table 4-1 Main Menu Summary (menu titles include System Password, System Maintenance, Schedule Setup, VPN/IPSec Setup and Exit). System Password: change your password in this menu (recommended). 4.3.3 SMT Menus at a Glance The available SMT screens vary by ZyWALL model. The wireless LAN SMT menus apply to the ZyWALL 2WE.
Figure 4-6 Schedule Setup and IPSec VPN Configuration SMT Menus Changing the System Password Change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next. Step 2.
Resetting the ZyWALL If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously, and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none.
4.5.2 Procedure To Use The Reset Button Make sure the PWR LED (ZyWALL 2) or SYS LED (ZyWALL 2WE) is on (not blinking) before you begin this procedure. Step 1. Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts.
Menu 1 - General Setup contains administrative and system-related information. Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. Use the instructions in this chapter to configure identification and dynamic DNS for your ZyWALL. System Name System Name is for identification purposes.
To use this service, you must register with the Dynamic DNS service provider. The Dynamic DNS service provider will give you a password or key. The ZyWALL supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service. 5.3.1 DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address...
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. 5.4.1 Configuring Dynamic DNS To configure Dynamic DNS, go to Menu 1: General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field.
Table 5-2 Configure Dynamic DNS Menu Fields DDNS Type: Press [SPACE BAR] and then [ENTER] to select DynamicDNS if you have a dynamic IP address(es). Select StaticDNS if you have a static IP address(es). Select CustomDNS to have dyndns.org provide DNS service for a domain name that you already have from a source other than dyndns.org.
Table 5-2 Configure Dynamic DNS Menu Fields User Specified IP Addr: Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyWALL uses or is behind a static public IP address.
Introduction to WAN Setup This chapter explains how to configure settings for your WAN port. Cloning The MAC Address The MAC address field allows users to configure the WAN port's MAC address by using either the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file).
Table 6-1 MAC Address Cloning in WAN Setup MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of the workstation whose IP you give in the following field.
This chapter describes how to configure the LAN using Menu 3: LAN Setup. Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 – LAN Setup. LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic.
TCP/IP and LAN DHCP The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 7.4.1 Factory LAN Defaults The LAN parameters of the ZyWALL are preset in the factory with the following values: 1.
There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255.
Figure 7-5 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Configuration: TCP/IP Setup:...
Follow the instructions in the next table on how to configure the DHCP fields. Table 7-3 DHCP Ethernet Setup Menu Fields DHCP: This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M. Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2).
Press Space Bar to Toggle. Use the instructions in the following table to configure IP Alias parameters. IP Alias: Choose Yes to configure the LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
Wireless LAN This section introduces the wireless LAN and some basic configuration. Wireless LANs can be as simple as two computers with wireless network interface cards (NICs) communicating in a peer-to-peer network or as complex as a number of computers with wireless NICs communicating through access points which bridge network traffic to the wired LAN.
The RTS Threshold mechanism provides a solution to prevent these data collisions. When you enable RTS Threshold on a possible hidden station, this station and its AP will use a Request to Send/Clear to Send protocol (RTS/CTS). The station sends an RTS message to the AP, informing it that it is going to transmit the data.
See section 8.3 for instructions on WEP and section 8.6 for instructions on configuring the MAC address filter. If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
Table 7-6 Wireless LAN Setup Menu Fields Hide ESSID: Press [SPACE BAR] to select Yes to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning. Channel ID: This allows you to set the operating frequency/channel depending on your particular region.
This chapter describes the types of security you can enable on the ZyWALL. Wireless LAN is Introduction to Wireless LAN Security Wireless security is vital to your network to protect wireless communication between wireless clients, access points and other wireless. Use the web configurator to configure your ZyWALL’s wireless LAN security settings.
Data Encryption with WEP WEP encryption scrambles the data transmitted between the wireless clients and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless clients and the access points must use the same WEP key for data encryption and decryption. For wireless LAN setup, refer to section 7.7.
The following table describes the WEP related fields in this screen. For wireless LAN field descriptions refer to section 7.7. Enable Wireless: Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it.
• Authentication Determines the identity of the users. • Authorization Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple packet exchange in which your ZyWALL acts as a message relay between the wireless client and the network RADIUS server.
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
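As an added example (not from the ZyXEL manual or ZyNOS), the following Python models the exchange described above as RFC 2138/2865 specifies it: the access point hides the User-Password attribute with the shared secret and a random Request Authenticator, so neither the secret nor the password travels in clear, and it verifies the Response Authenticator so a reply from a server holding a different secret, or a modified reply, is never treated as an Access-Accept. The user names, passwords and secrets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2138/2865 (the manual's default
# server port is 1812; UDP transport is out of scope for this model).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block); the first block chains to the
    Request Authenticator. The secret itself never leaves the host."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run by the RADIUS server."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth):
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server: recover the password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(ATTR_USER_NAME)) == password
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", reply_code, ident, 20)
            + response_authenticator(reply_code, ident, b"", request_auth, secret))


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The relay (access point) trusts a reply only if its authenticator
    matches; a wrong secret on either side or a modified packet fails here."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def authenticate(username, password, secret, users, server_secret=None):
    """One round trip. server_secret != secret models a mis-typed shared
    secret on one side; the outcome is 'unverified', never 'accept'."""
    request_auth = os.urandom(16)
    request = build_access_request(7, username, password, secret, request_auth)
    reply = radius_server(request, server_secret or secret, users)
    if not verify_response(reply, request_auth, secret):
        return "unverified"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


# Constructed sample user database (local database or external server side;
# the manual allows passwords of up to 31 characters).
USERS = {b"alice": b"correct-horse-31"}

if __name__ == "__main__":
    print(authenticate(b"alice", b"correct-horse-31", b"zywall-secret", USERS))
```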
Figure 8-4 Wireless LAN 802.1X Authentication The following table describes the fields in this screen. Table 8-2 Wireless LAN 802.1X Authentication Authentication Control: Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box. Select Auto to authenticate all wireless clients before they can access the wired network.
The following table describes the fields in this screen. Authentication Server Active: Select Yes from the drop-down list box to enable user authentication through an external authentication server. Select No to enable user authentication using the local user database on the ZyWALL. Server Address: Enter the IP address of the external authentication server in dotted decimal notation.
Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the access points.
The following table describes the fields in this screen. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile. Click Apply to save these settings back to the ZyWALL.
The following table describes the fields in this menu. Active: Use the drop down list box to enable or disable MAC address filtering. Filter Action: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router.
This chapter shows you how to configure your ZyWALL for Internet access. Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
Table 9-1 Menu 4: Internet Access Setup Menu Fields Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type: Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method) or RR-Telstra.
The ZyWALL supports only one PPTP server connection at any given time. 9.3.1 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
Table 9-3 New Fields in Menu 4 (PPPoE) screen Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server. If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE service name provided to you in the Service Name field.
10.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node.
10.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. 10.3.1 Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Press [SPACE BAR] and then [ENTER] to select from Standard, RR-Toshiba (RoadRunner Toshiba authentication method) or RR-Manager (RoadRunner Manager authentication method). Choose one of the RoadRunner methods if your ISP is Time Warner's RoadRunner; otherwise choose Standard. Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE. Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP...
Metric The metric sets the priority for the ZyWALL’s routes to the Internet. If the two routes have the same metric, the ZyWALL uses the following pre-defined priorities: 1. Normal route: designated by the ISP (see Remote Node Setup chapter) or a static route (see the IP Static Route Setup chapter) 2.
Table 10-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) Session Options: Type the length of idle time (when there is no traffic from the ZyWALL to the remote node) in seconds that can elapse before the ZyWALL automatically disconnects the PPPoE connection.
Table 10-3 Fields in Menu 11.1 (PPTP Encapsulation) My IP Addr Enter the IP address of the WAN Ethernet port. My IP Mask Enter the subnet mask of the WAN Ethernet port. Server IP Addr Enter the IP address of the ANT modem. Connection Enter the connection ID or connection name in the ANT.
Table 10-4 Remote Node Network Layer Options Menu Fields IP Address Assignment: If your ISP did not assign you an explicit IP address, press [SPACE BAR] and then [ENTER] to select Dynamic; otherwise select Static and enter the IP address &...
Table 10-4 Remote Node Network Layer Options Menu Fields Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] to enable IP Multicasting or select None to disable it.
Figure 10-7 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) 10.6 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1 - Remote Node Profile as shown next.
Table 10-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 - Traffic Redirect Setup.
Configuration: Backup Gateway IP Address: Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL’s Internet connection terminates. Metric: Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes.
Chapter 11 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 11.1 Introduction to Static Route Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN.
11.2 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12. Figure 11-2 Menu 12: IP Static Route Setup Now, enter the index number of the static route that you want to configure.
Figure 11-3 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. Route #: This is the index number of the static route that you chose in menu 12. Route Name: Enter a descriptive name for this route. This is for identification purposes only. Active: This field allows you to activate/deactivate this static route.
Private: This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
Network Address Translation (NAT) 12.1 Introduction to NAT NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.
NAT never changes the IP address (either local or global) of an outside host. 12.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
12.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 12-2 NAT Application With IP Alias 12.1.5 NAT Mapping Types NAT supports five types of IP/port mapping.
2. Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature (the SUA Only option). 3. Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
12.2 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 12.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Figure 12-3 Menu 4: Applying NAT for Internet Access
The following figure shows how you apply NAT to the remote node in menu 11.1.
Step 1. Enter 11 from the main menu.
Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.
Menu 11.3 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
Metric= N/A
Private= N/A
RIP Direction= None
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
Press Space Bar to Toggle.
will use Set 1, which supports all mapping types as outlined in Table 12-2. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only). The server set is a list of LAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set.
Set Name= SUA
Local Start IP    Local End IP
---------------   ---------------
0.0.0.0           255.255.255.255
Press ENTER to Confirm or ESC to Cancel:
Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules
The following table explains the fields in this screen.
Set Name: This is the name of the set you selected in menu 15.1 or enter the...
Once you have finished configuring a rule in this menu, press [ENTER] at the message "Press ENTER to Confirm…" to save your configuration, or press [ESC] to cancel.
User-Defined Address Mapping Sets
Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu.
up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9, the new rule will be rule 7, not 9, in the set summary screen. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.
Type= One-to-One
Local IP: Start=
Global IP: Start=
Figure 12-9 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Table 12-6 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Type: Press [SPACE BAR] and then [ENTER] to select from a total of five types.
12.4 NAT Server Sets – Port Forwarding
A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.
POP3 (Post Office Protocol)
NNTP (Network News Transport Protocol)
SNMP (Simple Network Management Protocol)
SNMP trap
PPTP (Point-to-Point Tunneling Protocol)
12.4.1 Configuring a Server behind NAT
Follow these steps to configure a server behind NAT:
Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup.
Step 2.
Figure 12-10 Menu 15.2: NAT Server Setup
Figure 12-11 Multiple Servers Behind NAT Example
Menu 15.2 - NAT Server Setup
Rule   Start Port No.   End Port No.   IP Address
       Default          Default        0.0.0.0
                                       192.168.1.33...
Press ENTER to Confirm or ESC to Cancel:
12.5 General NAT Examples
The following are some examples of NAT configuration.
12.5.1 Internet Access Only
In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 12-13 Menu 4: Internet Access &...
From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 12.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
Figure 12-15 Menu 15.2: Specifying an Inside Server
12.5.3 Example 3: Multiple Public IP Addresses With Inside Servers
In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA.
Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 12-17.
Step 2.
Menu 11.3 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
Metric= N/A
Private= N/A
RIP Direction= None
Version= N/A
Enter here to CONFIRM or ESC to CANCEL:
The following figure shows how to configure the first rule.
Set Name= Example3
Local Start IP
---------------
1. 192.168.1.10
   192.168.1.11
3. 0.0.0.0
Figure 12-19 Example 3: Final Menu 15.1.1
Now configure the IGA3 to map to our web server and mail server on the LAN.
Step 8.
12.5.4 Example 4: NAT Unfriendly Application Programs
Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
Type= Many-One-to-One
Local IP: Start= 192.168.1.10   End= 192.168.1.12
Global IP: Start= 10.132.50.1   End= 10.132.50.3
Figure 12-22 Example 4: Menu 15.1.1.1: Address Mapping Rule
After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
Set Name= Example4
Local Start IP
---------------...
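The difference between the mapping types in section 12.1.5 and the reason Example 4 prefers Many-One-to-One is easiest to see by translating a few packets through each type. The following Python model is an added example, not ZyNOS code: it uses the local and global ranges from Example 4, a constructed single IGA (10.132.50.1) for the Many-to-One case, and a simple sequential port allocator that is an assumption (the ZyWALL's real port selection is not described on the page).

```python
"""Model of ZyWALL NAT address mapping rules (added example, not ZyNOS code).

Shows why port numbers survive One-to-One / Many-One-to-One mapping but are
rewritten by Many-to-One (SUA / PAT) and Many-to-Many Overload.
"""
import ipaddress


def _ip_range(start, end):
    """Expand 'start'..'end' (inclusive) into a list of dotted-quad strings."""
    a = int(ipaddress.IPv4Address(start))
    b = int(ipaddress.IPv4Address(end))
    if b < a:
        raise ValueError("end address precedes start address")
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


class AddressMappingRule:
    """One rule of an address mapping set (menu 15.1.1.1 fields Type/Local/Global)."""

    PORT_PRESERVING = {"One-to-One", "Many-One-to-One"}
    SINGLE_GLOBAL = {"One-to-One", "Many-to-One"}

    def __init__(self, mapping_type, local_start, local_end, global_start, global_end):
        self.mapping_type = mapping_type
        self.local = _ip_range(local_start, local_end)
        self.global_ = _ip_range(global_start, global_end)
        if mapping_type in self.PORT_PRESERVING and len(self.local) != len(self.global_):
            raise ValueError(f"{mapping_type} needs equal-sized local and global ranges")
        if mapping_type in self.SINGLE_GLOBAL and len(self.global_) != 1:
            raise ValueError(f"{mapping_type} maps to exactly one global address")
        self.next_port = 1024        # assumption: simple sequential PAT port allocator
        self.sessions = {}           # (local ip, local port) -> (global ip, global port)

    def translate(self, src_ip, src_port):
        """Return the (inside global ip, port) for an outgoing packet, or None if
        the packet's source is outside this rule's local range (check next rule)."""
        if src_ip not in self.local:
            return None
        key = (src_ip, src_port)
        if key in self.sessions:              # existing session keeps its mapping
            return self.sessions[key]
        idx = self.local.index(src_ip)
        if self.mapping_type in self.PORT_PRESERVING:
            mapped = (self.global_[idx], src_port)          # address changes, port does not
        else:
            # PAT: one global (Many-to-One) or a shared pool (Many-to-Many Overload);
            # a fresh port distinguishes the inside hosts behind the same IGA.
            mapped = (self.global_[idx % len(self.global_)], self.next_port)
            self.next_port += 1
        self.sessions[key] = mapped
        return mapped


def example4_rule():
    """The Many-One-to-One rule shown in Figure 12-22."""
    return AddressMappingRule("Many-One-to-One", "192.168.1.10", "192.168.1.12",
                              "10.132.50.1", "10.132.50.3")


def sua_rule():
    """The same LAN hosts behind a single IGA (constructed), i.e. SUA / Many-to-One."""
    return AddressMappingRule("Many-to-One", "192.168.1.10", "192.168.1.12",
                              "10.132.50.1", "10.132.50.1")


if __name__ == "__main__":
    for rule in (example4_rule(), sua_rule()):
        print(rule.mapping_type)
        for host in ("192.168.1.10", "192.168.1.11"):
            print("  ", host, 5000, "->", rule.translate(host, 5000))
```

Running it prints the same source port (5000) on both translated hosts for Many-One-to-One, and two different ports behind 10.132.50.1 for Many-to-One; an application that embeds its own port number in the payload breaks in the second case, which is the situation Example 4 describes.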
the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns...
5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
Table 12-8 Menu 15.3: Trigger Port Setup Description
Rule: This is the rule index number.
Name: Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces.
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
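The "take turns" behaviour of trigger port forwarding (steps 1 to 5 above, with the UDP and TCP timeouts from step 5) is small enough to model end to end. The following Python is an added example, not ZyWALL code: the Real Audio port numbers (trigger 7070, incoming 6970 to 7170) are an assumption taken from the protocol rather than from this page, the LAN addresses are constructed, and time is passed in explicitly so the timeout logic can be exercised without waiting.

```python
"""Trigger port forwarding state machine (added example, not ZyWALL code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    name: str
    incoming: tuple   # (start, end) ports the WAN server sends the service on
    trigger: tuple    # (start, end) ports a LAN host connects to, to claim the rule


class TriggerPortTable:
    # Page: a triggered mapping times out after 3 minutes (UDP) or 2 hours (TCP).
    TIMEOUT = {"udp": 180, "tcp": 7200}

    def __init__(self, rules):
        self.rules = list(rules)
        self.active = {}      # rule name -> (lan ip that triggered it, expiry time)

    def _owner(self, rule, now):
        entry = self.active.get(rule.name)
        if entry and entry[1] > now:
            return entry[0]
        self.active.pop(rule.name, None)   # expired or never triggered
        return None

    def outbound(self, lan_ip, dst_port, proto, now):
        """LAN -> WAN packet. Returns True if a rule was (re)claimed by lan_ip."""
        for rule in self.rules:
            if rule.trigger[0] <= dst_port <= rule.trigger[1]:
                owner = self._owner(rule, now)
                if owner is not None and owner != lan_ip:
                    return False      # step 5: only the first host holds it until close/timeout
                self.active[rule.name] = (lan_ip, now + self.TIMEOUT[proto])
                return True
        return False

    def inbound(self, dst_port, now):
        """WAN -> LAN packet. Returns the LAN ip to forward to, or None to drop."""
        for rule in self.rules:
            if rule.incoming[0] <= dst_port <= rule.incoming[1]:
                return self._owner(rule, now)
        return None                   # no trigger rule: same as no port forwarding

    def close(self, name):
        """Connection closed: release the rule so another LAN host can claim it."""
        self.active.pop(name, None)


def realaudio_table():
    # Ports are an assumption about Real Audio, not values from this page.
    return TriggerPortTable([TriggerRule("RealAudio", (6970, 7170), (7070, 7070))])


if __name__ == "__main__":
    t = realaudio_table()
    print(t.outbound("192.168.1.33", 7070, "udp", now=0))    # Jane triggers: True
    print(t.inbound(7000, now=10))                            # forwarded to Jane
    print(t.outbound("192.168.1.34", 7070, "udp", now=20))   # second host: False
    print(t.inbound(7000, now=200))                           # UDP timeout passed: None
```

The security-relevant point is in `inbound`: an incoming port is only opened towards the host that triggered it, and only until the timeout, so a WAN host cannot reach the LAN through the incoming range on its own initiative.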
Part IV: Firewall and Content Filters
This part introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and gives example firewall rules and an overview of content filtering.
Chapter 13 Firewalls
This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall.
13.1 Introduction to Firewalls
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
Figure 13-1 ZyWALL Firewall Application
13.4 Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are:
13.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1.
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
2-a. A SYN Attack floods a targeted system with a series of SYN packets.
2-b. In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
3.
Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are the following - all others are illegal. All SMTP commands are illegal except for those displayed in the following tables.
AUTH, DATA, EHLO, QUIT, RCPT, RSET
Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall, gaining knowledge of the network topology inside the firewall.
all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection:
Allows all sessions originating from the LAN (local network) to the WAN (Internet).
Denies all sessions originating from the WAN to the LAN.
The previous figure shows the ZyWALL's default firewall rules in action as well as demonstrates how stateful inspection works.
1. The packet travels from the firewall's LAN to the WAN.
2. The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point).
3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection.
These custom rules work by evaluating the network traffic's Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator. The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
A similar situation exists for ICMP, except that the ZyWALL is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information.
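The session-state logic of sections 13.5 and the ICMP pairing rule above can be written down as a small session table. The following Python is an added example, not ZyWALL code: it records each outbound LAN-to-WAN packet and admits a WAN-to-LAN packet only when it is the reverse of a recorded session or the reply type paired with a recorded ICMP request. Addresses are constructed; ICMP identifiers and sequence numbers are not tracked, which is a simplification.

```python
"""Minimal stateful inspection table (added example, not ZyWALL code)."""

# Page 13.5: only these outgoing ICMP requests open the door for their replies.
# ICMP type numbers: echo request 8 -> echo reply 0, timestamp 13 -> 14,
# address mask request 17 -> address mask reply 18.
ICMP_REQUEST_TO_REPLY = {8: 0, 13: 14, 17: 18}


class StatefulInspector:
    def __init__(self):
        self.sessions = set()   # state keys opened by LAN-originated traffic

    def outbound(self, pkt):
        """LAN -> WAN packet: allowed by default, and its state is recorded."""
        if pkt["proto"] == "icmp":
            reply = ICMP_REQUEST_TO_REPLY.get(pkt["type"])
            if reply is not None:
                self.sessions.add(("icmp", pkt["dst"], pkt["src"], reply))
            # other outgoing ICMP is forwarded but opens no return state
        else:
            self.sessions.add((pkt["proto"], pkt["dst"], pkt["dport"],
                               pkt["src"], pkt["sport"]))
        return "forward"

    def inbound(self, pkt):
        """WAN -> LAN packet: forwarded only if it belongs to a recorded session."""
        if pkt["proto"] == "icmp":
            key = ("icmp", pkt["src"], pkt["dst"], pkt["type"])
        else:
            key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return "forward" if key in self.sessions else "drop"

    def close(self, pkt):
        """Session torn down (FIN/RST or timeout): remove its state."""
        self.sessions.discard((pkt["proto"], pkt["dst"], pkt["dport"],
                               pkt["src"], pkt["sport"]))


def demo():
    """Constructed traffic: a LAN host pings and browses a WAN host."""
    fw = StatefulInspector()
    lan, wan = "192.168.1.10", "203.0.113.7"
    fw.outbound({"proto": "icmp", "src": lan, "dst": wan, "type": 8})
    fw.outbound({"proto": "tcp", "src": lan, "sport": 40001, "dst": wan, "dport": 80})
    return {
        "echo reply": fw.inbound({"proto": "icmp", "src": wan, "dst": lan, "type": 0}),
        "unsolicited unreachable": fw.inbound({"proto": "icmp", "src": wan, "dst": lan, "type": 3}),
        "http reply": fw.inbound({"proto": "tcp", "src": wan, "sport": 80, "dst": lan, "dport": 40001}),
        "new inbound telnet": fw.inbound({"proto": "tcp", "src": wan, "sport": 4444, "dst": lan, "dport": 23}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25s} {verdict}")
```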
7. Keep the firewall in a secured (locked) room.
13.7 Packet Filtering Vs Firewall
Below are some comparisons between the ZyWALL's filtering and firewall functions.
13.7.1 Packet Filtering:
The router filters packets as they pass through the router's interface according to the filter rules you designed.
When To Use The Firewall
1. To prevent DoS attacks and prevent hackers from cracking your network.
2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
3.
Introducing the ZyWALL Firewall
14.1 Introduction to the ZyWALL Firewall
The ZyWALL provides a configurable stateful inspection firewall. The firewall is also sometimes referred to as Access Control and the firewall rules are known as the ACL (Access Control List).
14.2 Remote Management and the Firewall
When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
14.4.1 Activating the Firewall
Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
Chapter 15 Firewall Configuration
This chapter shows you how to configure your firewall with the web configurator.
15.1 Introduction to Firewall Configuration
Use the ZyWALL web configurator to configure your firewall. Refer to the Introducing the Web Configurator chapter for details on how to access and navigate the web configurator.
15.2.1 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 15-2 - check the Generate alert when attack detected checkbox) or when a rule is matched in the Rule Config screen (see Figure 16-4). When an event generates an alert, a message is immediately sent to an e-mail account specified by...
15.3 Attack Alert
Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established.
When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low).
The following table describes the fields in this screen.
Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See the chapter on logs for more information on logs and alerts.
One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
Blocking Time: When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked. If you check Blocking Time, any new sessions will be blocked for the length of time you specify in the next field (min) and all old incomplete sessions will be cleared during this period.
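The interaction between One Minute High, One Minute Low, TCP Maximum Incomplete and Blocking Time is easier to reason about as code. The following Python is an added example, not ZyNOS code: the threshold values are constructed, time is passed in explicitly, and two details the page leaves open are assumptions labelled in the code (which half-open session is deleted first, and what happens at TCP Maximum Incomplete when no Blocking Time is set).

```python
"""Half-open (SYN) session guard modelled on the Attack Alert thresholds
(added example, not ZyNOS code)."""


class HalfOpenGuard:
    def __init__(self, one_minute_high, one_minute_low, tcp_max_incomplete,
                 blocking_time_min=None):
        self.high = one_minute_high            # rate that starts deleting half-open sessions
        self.low = one_minute_low              # rate that stops deleting them
        self.max_incomplete = tcp_max_incomplete
        # Blocking Time field is in minutes; None means the box is unchecked.
        self.blocking_time = None if blocking_time_min is None else blocking_time_min * 60
        self.half_open = {}                    # session key -> time the SYN arrived
        self.attempts = []                     # arrival times of new attempts (last 60 s)
        self.deleting = False                  # between high and low thresholds
        self.blocked_until = None

    def _rate(self, now):
        """New connection attempts seen in the last minute."""
        self.attempts = [t for t in self.attempts if now - t < 60]
        return len(self.attempts)

    def new_syn(self, key, now):
        """A SYN from the WAN opens a half-open session. Returns 'accepted' or 'blocked'."""
        if self.blocked_until is not None and now < self.blocked_until:
            return "blocked"                   # inside a Blocking Time period
        self.attempts.append(now)
        rate = self._rate(now)
        if rate > self.high:
            self.deleting = True
        elif rate < self.low:
            self.deleting = False

        if len(self.half_open) >= self.max_incomplete:
            if self.blocking_time is not None:
                # Blocking Time checked: block new sessions, clear old incomplete ones.
                self.blocked_until = now + self.blocking_time
                self.half_open.clear()
                return "blocked"
            # Assumption: with Blocking Time unchecked, "allow the next session"
            # by making room for it.
            self._delete_oldest()

        if self.deleting and self.half_open:
            self._delete_oldest()              # accommodate the new attempt
        self.half_open[key] = now
        return "accepted"

    def _delete_oldest(self):
        # Assumption: the oldest half-open session is dropped first.
        oldest = min(self.half_open, key=self.half_open.get)
        del self.half_open[oldest]

    def established(self, key):
        """Handshake completed (final ACK seen): no longer half-open."""
        self.half_open.pop(key, None)


def flood_demo():
    """Constructed burst: 11 SYNs in one second against high=10, low=5."""
    g = HalfOpenGuard(one_minute_high=10, one_minute_low=5, tcp_max_incomplete=20)
    for i in range(11):
        g.new_syn(f"203.0.113.{i}:4000->192.168.1.33:80", now=i)
    return g


if __name__ == "__main__":
    g = flood_demo()
    print("half-open after burst:", len(g.half_open), "deleting:", g.deleting)
```

Note that the rate thresholds act on the *rate* of new attempts while TCP Maximum Incomplete acts on the *count* of sessions still waiting for their final ACK; a slow trickle of SYNs that never complete can reach the count limit without ever tripping One Minute High.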
This chapter contains instructions for defining both Local Network and Internet rules.
16.1 Introduction to Custom Rules
Firewall rules are grouped based on the direction of travel of packets to which they apply:
• LAN to LAN/ZyWALL
• LAN to WAN
By default, the ZyWALL's stateful packet inspection allows packets traveling in the following directions:
•...
♦ Allow everyone except your competitors to access a Web server.
♦ Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator.
Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.
16.2.3 Key Fields For Configuring Rules
Action: Should the action be to Block or Forward? "Block"...
16.3.2 WAN to LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure.
16.4 Rule Summary
Click Firewall and the Summary tab to display the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn.
Figure 16-3 Firewall Rules Summary: First Screen
The following table describes the fields in the firewall summary screen.
Table 16-1 Firewall Rules Summary: First Screen
Bypass Triangle Route: Select this check box to have the ZyWALL firewall ignore the use of triangle route topology on the network. See the appendices for more on triangle route topology.
Total Configured Rules: This read-only number is the total number of rules that have been configured for the ZyWALL (the combined total for all packet directions).
Table 16-1 Firewall Rules Summary: First Screen (continued)
Log: This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None).
Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
Table 16-2 Predefined Services
SERVICE: DESCRIPTION
BOOTP_CLIENT(UDP:68): DHCP Client.
BOOTP_SERVER(UDP:67): DHCP Server.
SEEME(TCP/UDP:7648, 24032): A popular videoconferencing solution from White Pines Software.
DNS(UDP/TCP:53): Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
FINGER(TCP:79)
FTP(TCP:20.21)
H.323(TCP:1720)
HTTP(TCP:80)
HTTPS(TCP:443)
ICQ(UDP:4000)
IKE(UDP:500)
IPSEC_TUNNEL(AH:0)
IPSEC_TUNNEL(ESP:0)
IRC(TCP/UDP:6667)
Messenger(TCP:1863)
MULTICAST(IGMP:0)
NEW-ICQ(TCP:5190)
NEWS(TCP:144)
STRM WORKS(UDP:1558)
SYSLOG(UDP:514)
TACACS(UDP:49)
TELNET(TCP:23)
TFTP(UDP:69)
VDOLIVE(TCP:7000)
16.5.1 Creating/Editing Firewall Rules
Follow these directions to create a new rule.
Step 1. In the Summary screen, type the index number for where you want to put the rule. For example, if you type "6", your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
Figure 16-4 Creating/Editing A Firewall Rule
Table 16-3 Creating/Editing A Firewall Rule
Active: Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it.
Packet Direction: Use the drop-down list box to select the direction of packet travel to which you want to apply this firewall rule.
Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information on adding and editing source addresses.
Destination Address: Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one.
16.5.2 Source and Destination Addresses To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen.
Table 16-4 Adding/Editing Source and Destination Addresses
Subnet Mask: Enter the subnet mask here, if applicable.
When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.
16.6 Custom Ports
Configure customized ports for services not predefined by the ZyWALL (see section 16.5 for a list of predefined services).
The next table describes the fields in this screen.
Table 16-5 Creating/Editing A Custom Port
Service Name: Enter a unique name for your custom port.
Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box.
Port Configuration Type: Click Single to specify one port only or Range to specify a span of...
Step 3. Click Insert to display the firewall rule configuration screen. Select WAN to LAN from the drop-down list box.
Figure 16-7 Firewall Rule Configuration Screen Example
Step 4. Click Any in the Source Address box and then click SrcDelete.
Step 5.
Figure 16-8 Firewall IP Config Screen Example
Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Custom Port Configuration screen. Configure it as follows and click Apply.
Step 7. The firewall rule configuration screen displays; use the arrows between Available Services and Selected Services to configure it as follows. Click Apply when you are done. Custom ports show up with an "*" before their names in the Services list box and the Rule Summary list box.
Figure 16-10 Rule Configuration Example
(Callouts in the figure: "This is the address range of the 'MyService' servers." and "This is your 'MyService' custom port.") Click Apply when finished.
Step 8. On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL.
Rule 1: Allows a "MyService"...
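To make the ordering rule of section 16.4 and the index behaviour of step 1 in section 16.5.1 concrete, the following Python models the Rule Summary as an ordered list that is evaluated in turn until the first match, with the Log and Alert fields of Table 16-3 applied along the way. It is an added example, not ZyWALL code, built around the "MyService" rule from the procedure above; the port number of the MyService custom port and the address range of the MyService servers are not given on the page, so 3000/TCP and 10.0.0.10 to 10.0.0.20 are constructed placeholders. Only two packet directions are modelled.

```python
"""Ordered firewall rule evaluation (added example, not ZyWALL code)."""
import ipaddress
from dataclasses import dataclass

# A few predefined services from Table 16-2 plus the custom port created in the
# example; custom ports show an "*" before their names. MyService's port is constructed.
SERVICES = {
    "HTTP": ("TCP", 80, 80),
    "TELNET": ("TCP", 23, 23),
    "DNS": ("UDP/TCP", 53, 53),
    "*MyService": ("TCP", 3000, 3000),
}


def addr_matches(spec, ip):
    """spec is 'Any', a single IP, a 'start-end' range or an 'ip/prefix' subnet."""
    if spec == "Any":
        return True
    a = ipaddress.IPv4Address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(x) for x in spec.split("-"))
        return lo <= a <= hi
    if "/" in spec:
        return a in ipaddress.IPv4Network(spec, strict=False)
    return a == ipaddress.IPv4Address(spec)


@dataclass
class Rule:
    name: str
    sources: list
    destinations: list
    services: list
    action: str = "Forward"      # Block or Forward
    log: str = "None"            # None, Match, Not Match, Both
    alert: bool = False
    active: bool = True

    def matches(self, pkt):
        if not any(addr_matches(s, pkt["src"]) for s in self.sources):
            return False
        if not any(addr_matches(d, pkt["dst"]) for d in self.destinations):
            return False
        for svc in self.services:
            proto, lo, hi = SERVICES[svc]
            if pkt["proto"] in proto.split("/") and lo <= pkt["dport"] <= hi:
                return True
        return False


class Firewall:
    # Section 16.3: LAN to WAN is allowed and WAN to LAN blocked unless a rule says otherwise.
    DEFAULT_ACTION = {"LAN to WAN": "Forward", "WAN to LAN": "Block"}

    def __init__(self):
        self.rules = {d: [] for d in self.DEFAULT_ACTION}

    def insert(self, direction, index, rule):
        """Typing index 6 makes the new rule 6 and pushes the old rule 6 to 7."""
        lst = self.rules[direction]
        lst.insert(min(index, len(lst) + 1) - 1, rule)

    def evaluate(self, direction, pkt):
        """Return (action, matching rule number or None, alert, log entries)."""
        logs = []
        for i, rule in enumerate(self.rules[direction], 1):
            if not rule.active:
                continue
            hit = rule.matches(pkt)
            if (hit and rule.log in ("Match", "Both")) or \
               (not hit and rule.log in ("Not Match", "Both")):
                logs.append((i, rule.name, "match" if hit else "not match"))
            if hit:
                return rule.action, i, rule.alert, logs   # first match wins
        return self.DEFAULT_ACTION[direction], None, False, logs


def example_firewall():
    """Rule 1 of the worked example: allow MyService from the MyService servers (WAN to LAN)."""
    fw = Firewall()
    fw.insert("WAN to LAN", 1, Rule("MyService in", ["10.0.0.10-10.0.0.20"], ["Any"],
                                   ["*MyService"], "Forward", log="Match"))
    return fw


if __name__ == "__main__":
    fw = example_firewall()
    pkt = {"src": "10.0.0.15", "dst": "192.168.1.33", "proto": "TCP", "dport": 3000}
    print(fw.evaluate("WAN to LAN", pkt))
```

Inserting a more specific Block rule at index 1 afterwards shifts "MyService in" to rule 2 and changes the verdict for the blocked host only, which is exactly why the summary screen's ordering matters.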
Chapter 17 Content Filtering
This chapter provides a brief overview of content filtering using the web embedded configurator.
17.1 Introduction to Content Filtering
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and should not be confused with packet filtering via SMT menu 21.1.
Figure 17-1 Content Filter
Table 17-1 Content Filter
Restrict Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
ActiveX: A tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Java: A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.
Time of Day to Block: Enter the time period, in 24-hour format, during which content filtering will be enforced. Select the All Day check box to have content filtering always active on the days selected in Day to Block, with time of day limitations not enforced.
Part V: Logs, Filter Configuration, and SNMP Configuration
This part provides information and configuration instructions for the logs, filters, and SNMP.
Chapter 18 Centralized Logs
This chapter contains information about configuring general log settings and viewing the ZyWALL's logs. Refer to the appendices for example log message explanations and how to view the logs via the SMT command interpreter interface.
18.1 Introduction to Centralized Logs
You can select which logs you want the ZyWALL to record and which alerts you want the ZyWALL to send.
Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order.
Display: The categories that you select in the Log Settings page (see section 18.3) display in the...
Message: This field states the reason for the log.
Source: This field lists the source IP address and the port number of the incoming packet.
Destination: This field lists the destination IP address and the port number of the incoming packet.
Notes: This field displays additional information about the log entry.
Address Info
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends.
Day for Sending Log: Use the drop down list box to select which day of the week to send the logs.
Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
The ZyWALL records web site hits by counting the HTTP GET packets. The web site hit count may not be 100% accurate: when an individual web page loads, it may contain HTTP GET references to other web sites, and the ZyWALL may count these as hits, so the web hit count is not (yet) 100% accurate.
Report Type: Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays the protocols or service ports that have been used the most and the amount of traffic for the most used protocols or service ports.
Figure 18-4 Web Site Hits Report Example
Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first.
Figure 18-5 Protocol/Port Report Example
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
18.4.3 LAN IP Address In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
18.4.4 Reports Specifications
The following table lists detailed specifications on the reports feature.
Table 18-7 Reports Specifications
Number of web sites/protocols or ports/IP addresses listed:
Hit count limit: Up to 2 hits can be counted per web site.
Bytes count limit:
Chapter 19 Filter Configuration
This chapter shows you how to create and apply filters.
19.1 Introduction to Filters
Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
Figure 19-1 Outgoing Packet Filtering Process (flowchart: outgoing data packet, match, drop packet)
For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
19.1.1 The Filter Structure of the ZyWALL
A filter set consists of one or more filter rules.
Figure 19-2 Filter Rule Process (flowchart: start, packet into filter, fetch first filter set, fetch first filter rule, next filter rule available?, check next rule, fetch next filter rule, next filter set available?, fetch next filter set, drop packet)
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
19.2 Configuring a Filter Set
The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default.
Step 3. Select the filter set you wish to configure (1-12) and press [ENTER].
Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
Refer to the next section for information on configuring the filter rules.
19.2.1 Configuring a Filter Rule
To configure a filter rule, type its number in Menu 21.1.x - Filter Rules Summary and press [ENTER] to open menu 21.1.x.x for the rule.
To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.x.x - TCP/IP Filter Rule, as shown next.
Figure 19-5 Menu 21.1.1.1: TCP/IP Filter Rule
The following table describes how to configure your TCP/IP filter rule.
Table 19-3 TCP/IP Filter Rule Menu Fields
Active...
Table 19-3 TCP/IP Filter Rule Menu Fields (continued)
Destination: IP Mask: Enter the IP mask to apply to the Destination: IP Addr.
Destination: Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535.
Table 19-3 TCP/IP Filter Rule Menu Fields (continued)
Log: Press [SPACE BAR] and then [ENTER] to select a logging option from the following:
None – No packets will be logged.
Action Matched - Only packets that match the rule parameters will be logged.
Action Not Matched - Only packets that do not match the rule parameters will be logged.
(Flowchart, executing an IP filter: packet into IP filter; filter active?; apply SrcAddrMask to Src Addr; check Src IP Addr matched; apply DestAddrMask to Dest Addr; check Dest IP Addr matched; check IP protocol matched; check Src & Dest port matched; more?; Action Matched...)
19.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
Table 19-4 Generic Filter Rule Menu Fields
Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.
Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different.
19.3 Example Filter
Let's look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters.
Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
Step 2.
Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
Menu 21.1.3.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes...
Menu 21.1.3 - Filter Rules Summary
# A Type
- - ---- ---------------------------------------------------------------
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23
This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
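The flowchart of section 19.2.2 (mask the addresses, compare address, protocol and ports, then take Action Matched or Action Not Matched) and the set/rule walk of Figure 19-2 can be reproduced in a few dozen lines. The following Python is an added example, not ZyNOS code. It is seeded with the telnet rule from this example (Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23); the Action Matched/Not Matched values for that rule are not shown on this page, so Drop / Check Next Rule are assumptions, as is treating a packet that no rule decides on as forwarded. Port comparison is simplified to "equal" (the menu's Port # Comp field is not modelled), and protocol 0 / port 0 mean "any".

```python
"""TCP/IP filter rule evaluation in the style of Menu 21.1.x.x (added example, not ZyNOS code)."""
import ipaddress
from dataclasses import dataclass


def masked(ip, mask):
    """Apply an IP mask the way the flowchart does before comparing addresses;
    mask 0.0.0.0 therefore matches any address."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


@dataclass
class TcpIpFilterRule:
    active: bool = True
    protocol: int = 0                      # IP protocol number (6 = TCP); 0 = any
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0                      # 0 = any
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0                      # 0 = any
    action_matched: str = "Drop"           # Check Next Rule / Forward / Drop
    action_not_matched: str = "Check Next Rule"

    def matches(self, pkt):
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if masked(pkt["src"], self.src_mask) != masked(self.src_addr, self.src_mask):
            return False
        if masked(pkt["dst"], self.dst_mask) != masked(self.dst_addr, self.dst_mask):
            return False
        if self.src_port and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port and pkt.get("dport") != self.dst_port:
            return False
        return True

    def summary(self):
        """The one-line form shown in Menu 21.1.x - Filter Rules Summary."""
        return f"IP Pr={self.protocol}, SA={self.src_addr}, DA={self.dst_addr}, DP={self.dst_port}"


def run_filters(filter_sets, pkt):
    """Walk the sets applied to a port (max 4 sets of 6 rules, section 19.1.1).
    The first rule whose action is Forward or Drop decides; Check Next Rule
    continues; running out of rules forwards the packet (assumption)."""
    if len(filter_sets) > 4 or any(len(s) > 6 for s in filter_sets):
        raise ValueError("at most 4 filter sets of 6 rules per port")
    for rules in filter_sets:
        for rule in rules:
            if not rule.active:
                continue
            action = rule.action_matched if rule.matches(pkt) else rule.action_not_matched
            if action in ("Forward", "Drop"):
                return action
    return "Forward"


def telnet_block_set():
    """Filter set 3 from the example: drop TCP to destination port 23."""
    return [TcpIpFilterRule(protocol=6, dst_port=23, action_matched="Drop")]


if __name__ == "__main__":
    rule = telnet_block_set()[0]
    print(rule.summary())
    # Constructed packets: a WAN host trying telnet and HTTP to the ZyWALL's LAN address.
    for dport in (23, 80):
        pkt = {"src": "203.0.113.5", "dst": "192.168.1.1", "proto": 6, "dport": dport}
        print(dport, run_filters([telnet_block_set()], pkt))
```

Because the decision is taken in order and stops at the first Forward or Drop, a rule with Action Not Matched = Forward placed before the telnet rule would let telnet through; keep rules that only need to "Check Next Rule" on a miss in front of the ones that decide.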
19.4 Filter Types and SUA/NAT
There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section.
19.6 Applying a Filter and Factory Defaults
This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
Chapter 20 SNMP Configuration
This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured.
20.1 Introduction to SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
Figure 20-1 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
Table 20-1 SNMP Configuration Menu Fields
Set Community: Type the Set community, which is the password for incoming Set requests from the management station.
Trusted Host: If you enter a trusted host, your ZyWALL will only respond to SNMP messages from this address.
Part VI: System Information and Diagnosis and Firmware and Configuration File Maintenance This part provides information on system information and diagnosis and maintaining the firmware and configuration files.
This chapter covers SMT menus 24.1 to 24.4. Wireless LAN applies to the ZyWALL 2WE. 21.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance. Step 2.
Table 21-1 System Maintenance: Status Menu Fields
TxPkts: The number of transmitted packets on this port.
RxPkts: The number of received packets on this port.
Cols: The number of collisions on this port.
Tx B/s: Shows the transmission speed in Bytes per second on this port.
Rx B/s: Shows the reception speed in Bytes per second on this port.
Figure 21-3 Menu 24.2: System Information and Console Port Speed
21.3.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc.
Menu 24.2.1 - System Maintenance - Information
Figure 21-4 Menu 24.2.1: System Maintenance: Information...
Table 21-2 Fields in System Maintenance: Information
FIELD: Name, Routing, ZyNOS F/W Version, Ethernet Address, IP Address, IP Mask, DHCP
When finished viewing, press [ESC] or [ENTER] to exit.
21.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port.
21.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging. 21.4.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log.
You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose what you want to log.
Table 21-3 System Maintenance Menu Syslog Parameters
UNIX Syslog: Active: Press [SPACE BAR] and then [ENTER] to turn syslog on or off.
Syslog IP Address: Enter the IP address of the server that will log the CDR (Call Detail Record) and system messages, i.e., the syslog server.
Packet trace display (field values omitted in this extract):
IP Frame: ENET0-RECV, Size, Frame Type
IP Header: IP Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP, Destination IP
TCP Header: Source Port, Destination Port, Sequence Number, Ack Number, Header Length, Flags, Window Size...
Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 21-10 Menu 24.4: System Maintenance: Diagnostic 21.5.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 21-11. LAN DHCP has already been discussed.
The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections.
Table 21-4 System Maintenance Menu Diagnostic
FIELD: Ping Host, WAN DHCP Release, WAN DHCP Renewal, Internet Setup Test, Reboot System, Host IP Address=
Enter the number of the selection you would like to perform or press [ESC] to cancel.
Chapter 22 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 22.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
22.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN). 2. You have disabled Telnet service in menu 24.11. 3. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service. 4.
22.2.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get” transfers the file source on the ZyWALL (rom-0, name of the configuration file on the ZyWALL) to the file destination on the computer and renames it config.rom.
Ready to backup Configuration via Xmodem. Do you want to continue (y/n): Figure 22-3 System Maintenance: Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate operation any time. Starting XMODEM download... Figure 22-4 System Maintenance: Starting Xmodem Download Screen Step 3.
22.3 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous back up configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
22.3.2 Restore Using FTP Session Example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit
Figure 22-8 Restore Using FTP Session Example
Refer to section 22.2.5 to read about configurations that disallow TFTP and FTP over WAN.
Figure 22-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 22-12 Successful Restoration Confirmation Screen 22.4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
When you telnet into the ZyWALL, you will see the following screens for uploading firmware and the configuration file using FTP. Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1.
Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
Step 7. Enter “quit” to exit the ftp prompt.
22.4.4 FTP Session Example of Firmware File Upload
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> put firmware.bin ras
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK...
Step 4. Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer.
Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atur" after "Enter Debug Mode" message. 3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
22.4.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1.
After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
Figure 22-19 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol.
Part VII: System Maintenance and Information and Remote Management This part provides information on the system maintenance and information functions and how to configure remote management.
System Maintenance & Information 23.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
Copyright (c) 1994 - 2001 ZyXEL Communications Corp.
ras> ?
Valid commands are:
ras>
23.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Remote Node 1.ChangeMe The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
23.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
23.3 Time and Date Setting The ZyWALL has a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL. Menu 24.10 allows you to update the time and date settings of your ZyWALL.
Use Time Server when Bootup: Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
Chapter 24 Remote Management This chapter covers remote management found in SMT menu 24.11. 24.1 Remote Management and the Firewall When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
24.3 FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP; see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. 24.4 Web You can use the ZyWALL’s embedded web configurator for configuration and file management.
LAN only. When you choose WAN only or ALL (LAN & WAN), you still need to configure a firewall rule to allow access (see section 24.1).
To disable remote management of a service, select Disable in the corresponding Server Access field.
Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control.
TELNET Server: FTP Server: Web Server:...
Table 24-1 Menu 24.11 – Remote Management Control
Secured Client: The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address.
24.9 System Timeout There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyWALL automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
Call scheduling allows you to dictate when a remote node should be called and for how long. 25.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
and 4 as the ZyWALL, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node.
To delete a schedule set, enter the set number and press [SPACE BAR] and then
To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
Often: Should this schedule set recur weekly or be used just once only? Press [SPACE BAR] and then [ENTER] to select Once or Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When Once is selected, the schedule rule deletes automatically after the scheduled time elapses.
Rem Node Name= ChangeMe
Active= Yes
Encapsulation= PPPoE
Service Type= Standard
Service Name=
Outgoing=
My Login=
My Password= ********
Retype to Confirm= *******
Authen= CHAP/PAP
Press Space Bar to Toggle.
Figure 25-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
You can apply up to four schedule sets, separated by commas, for one remote node.
Rem Node Name= ChangeMe
Active= Yes
Encapsulation= PPTP
Service Type= Standard
Service Name=N/A
Outgoing=
My Login=
My Password= ********
Retype to Confirm= ********
Authen= CHAP/PAP
PPTP : My IP Addr=
My IP Mask=
Server IP Addr=
Connection ID/Name=
Press Space Bar to Toggle.
Figure 25-4 Applying Schedule Set(s) to a Remote Node (PPTP)
Menu 11.1 - Remote Node Profile...
26.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
Data Origin Authentication: The IPSec receiver can verify the source of IPSec packets.
Figure 26-3 IPSec Architecture 26.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
26.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 26-4 Transport and Tunnel Mode IPSec Encapsulation 26.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
This chapter introduces the VPN web configurator screens. See the Logs chapter and the
27.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
27.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. 27.5 Summary Screen The following figure helps explain the main fields in the web configurator. Figure 27-1 IPSec Summary Fields Local and remote IP addresses must be static.
This field displays the VPN rule number.
Active: Y signifies that this VPN rule is active.
Local Addr.: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Remote Addr.: This field displays the IP address (in a range) of computers on the remote network behind the remote secure gateway.
When there is outbound traffic with no inbound traffic, the ZyWALL automatically
27.7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Figure 27-3 NAT Router Between IPSec Routers
Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
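The integrity failure described in section 26 (a NAT rewrites an address, the receiver's own hash no longer matches) and the reason NAT traversal can work, shown as an added Python example that is not ZyWALL code. It assumes a constructed packet model and a constructed HMAC-SHA1 key: an AH-style check covers the IP addresses, while an ESP tunnel-mode check covers only the encapsulated inner packet, so the outer header a NAT rewrites is outside it.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed demo key; in IPSec the integrity key comes from IKE or manual keying.
KEY = b"constructed-demo-integrity-key"


@dataclass(frozen=True)
class Packet:
    """Minimal IP packet model: only the fields this demo needs."""
    src: str
    dst: str
    payload: bytes


def _addr(a: str) -> bytes:
    return ipaddress.ip_address(a).packed


def _icv(data: bytes) -> bytes:
    """Integrity check value: the 'hash value' appended to the packet."""
    return hmac.new(KEY, data, hashlib.sha1).digest()


def ah_protect(pkt: Packet) -> bytes:
    """AH-style ICV: covers the IP addresses as well as the payload."""
    return _icv(_addr(pkt.src) + _addr(pkt.dst) + pkt.payload)


def ah_verify(pkt: Packet, icv: bytes) -> bool:
    """Receiver recomputes its own hash over what arrived and compares."""
    return hmac.compare_digest(ah_protect(pkt), icv)


def esp_tunnel_protect(inner: Packet, outer_src: str, outer_dst: str):
    """ESP tunnel mode: the whole inner packet becomes the payload of a new
    outer packet and the ICV covers that encapsulated payload only, never
    the outer header. NAT traversal (UDP-encapsulated ESP, RFC 3948) wraps
    this in a UDP header so the NAT has ports to translate; that wrapper is
    likewise outside the ICV."""
    encapsulated = _addr(inner.src) + _addr(inner.dst) + inner.payload
    return Packet(outer_src, outer_dst, encapsulated), _icv(encapsulated)


def esp_tunnel_verify(outer: Packet, icv: bytes) -> bool:
    return hmac.compare_digest(_icv(outer.payload), icv)


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """What a NAT router does on the way out: replace the source address."""
    return replace(pkt, src=new_src)


def demo() -> dict:
    """Run both cases through a NAT and report what the receiver's check says."""
    inner = Packet("192.168.1.33", "10.0.0.5", b"constructed application data")
    nat_public = "203.0.113.7"  # documentation address standing in for the NAT's WAN IP

    # Case 1: AH-style protection, then the NAT rewrites the source address.
    ah_icv = ah_protect(inner)
    ah_after_nat = nat_rewrite(inner, nat_public)

    # Case 2: ESP tunnel mode between two gateways, NAT rewrites the outer source.
    outer, esp_icv = esp_tunnel_protect(inner, "192.168.1.1", "198.51.100.2")
    esp_after_nat = nat_rewrite(outer, nat_public)

    # Tolerating the NAT must not mean tolerating a modified inner packet.
    tampered = replace(esp_after_nat, payload=esp_after_nat.payload[:-1] + b"!")

    return {
        "ah_before_nat": ah_verify(inner, ah_icv),
        "ah_after_nat": ah_verify(ah_after_nat, ah_icv),
        "esp_tunnel_after_nat": esp_tunnel_verify(esp_after_nat, esp_icv),
        "esp_tunnel_tampered": esp_tunnel_verify(tampered, esp_icv),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'rejected'}")
```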
addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP addresses (see section 27.16.2 for a telecommuter configuration example). With main mode (see section 27.10.1), the ID type and content are encrypted to provide identity protection. In this case the ZyWALL can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.
27.8.1 ID Type and Content Examples Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two ZyWALLs in this example can complete negotiation and establish a VPN tunnel. Table 27-5 Matching ID Type and Content Configuration Example ZYWALL A Local ID type: E-mail Local ID content: firstname.lastname@example.org...
Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall.
Figure 27-4 Basic IKE VPN Rule Setup
Table 27-7 Basic IKE VPN Rule Setup (LABEL, DESCRIPTION)...
Keep Alive: Select this check box to turn on the keep alive feature for this SA. Turn on keep alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
My IP Address: Enter the WAN IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes.
Select IP to identify this ZyWALL by its IP address.
When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field. When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router.
Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm. Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out.
27.10.3 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated.
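The two-step picture above (a DH exchange yields a shared secret; authentication of the IKE SA is a separate step) carried through in Python as an added example that is not ZyWALL code. It assumes the RFC 2409 group 1 (768-bit) and group 2 (1024-bit) primes as transcribed below, and its auth_tag is a simplified HMAC sketch of the pre-shared-key idea rather than IKE's exact HASH_I/HASH_R construction.

```python
import hashlib
import hmac
import secrets

# MODP primes for Oakley groups 1 (768-bit) and 2 (1024-bit), generator 2,
# transcribed from RFC 2409 (assumed correct; check against the RFC text).
_G1 = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
)
_G2 = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
GROUPS = {1: int(_G1, 16), 2: int(_G2, 16)}  # DH1 and DH2 as named on the page
GENERATOR = 2


def group_bits(group: int) -> int:
    """Modulus size of the chosen DH group (768 for DH1, 1024 for DH2)."""
    return GROUPS[group].bit_length()


def dh_keypair(group: int):
    """Private exponent in [1, p-2] and the public value g^x mod p."""
    p = GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(GENERATOR, x, p)


def dh_shared(group: int, private: int, peer_public: int) -> bytes:
    """Shared secret; degenerate peer values (0, 1, p-1) are rejected."""
    p = GROUPS[group]
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p).to_bytes((p.bit_length() + 7) // 8, "big")


def auth_tag(psk, nonce_i, nonce_r, pub_i, pub_r, shared, group) -> bytes:
    """Simplified PSK authentication (hypothetical construction, not RFC 2409's
    HASH_I): derive a key from the pre-shared key and both nonces, then MAC
    the DH public values and the DH result. A peer without the same PSK
    cannot produce a matching tag even though it completed the DH exchange."""
    size = (group_bits(group) + 7) // 8
    skeyid = hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()
    msg = pub_i.to_bytes(size, "big") + pub_r.to_bytes(size, "big") + shared
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def ike_phase1(group: int, psk_initiator: bytes, psk_responder: bytes):
    """Run DH between an initiator and a responder, then have the responder
    check the initiator's authentication tag. Returns
    (dh_secrets_match, peer_authenticated)."""
    xi, gi = dh_keypair(group)
    xr, gr = dh_keypair(group)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    ki = dh_shared(group, xi, gr)  # initiator's view of the secret
    kr = dh_shared(group, xr, gi)  # responder's view of the secret
    tag_from_i = auth_tag(psk_initiator, ni, nr, gi, gr, ki, group)
    expected = auth_tag(psk_responder, ni, nr, gi, gr, kr, group)
    return ki == kr, hmac.compare_digest(tag_from_i, expected)


if __name__ == "__main__":
    print("DH2 with matching PSK:", ike_phase1(2, b"same-psk", b"same-psk"))
    print("DH1 with mismatched PSK:", ike_phase1(1, b"psk-a", b"psk-b"))
```

With mismatched pre-shared keys the DH secrets still agree, which is exactly the page's point: the exchange alone does not tell either side who it is talking to.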
Active: Select this check box to activate this VPN/IPSec policy.
Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
Local Port End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field (or equal to it for configuring an individual port).
Remote Address: Enter the beginning (static) IP address, in a range of computers behind the remote secure gateway.
Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the remote secure gateway with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote secure gateway has a dynamic WAN IP address (the Key Management field must be set to IKE).
SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Select Manual in the Key Management field to display the manual VPN rule setup screen.
Figure 27-7 Manual IKE VPN Rule Setup
Table 27-9 Manual IKE VPN Rule Setup (LABEL, DESCRIPTION)
Active: Select this check box to activate this VPN/IPSec policy...
IPSec Keying Mode: Select IKE or Manual from the drop-down list box. IKE is the preferred choice as the key is generated automatically; Manual is useful for troubleshooting. Make sure the remote gateway has the same configuration in this field.
Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc.
My IP Address: Enter the WAN IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes.
Secure Gateway IP: Type the WAN IP address or the URL (up to 31 characters) of the remote secure gateway with which you're making the VPN connection.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. The ZyWALL's authentication algorithm should be identical to the secure remote gateway. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate the source and integrity of packet data.
This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Next Page (if applicable): Click Next Page to view more items in the summary (if you have a summary list that exceeds this page).
27.15 Global Settings In the web configurator, click VPN on the navigation panel and the Global Setting tab. Use this screen to allow or block NetBIOS packets in the IPSec tunnels.
27.16 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters from remote IPSec routers that use dynamic WAN IP addresses. 27.16.1 Telecommuters Sharing One VPN Rule Example Multiple telecommuters can use one VPN rule to simultaneously access a ZyWALL at headquarters. They must all use the same IPSec parameters (including the pre-shared key) but the local IP addresses (or ranges of addresses) cannot overlap.
Figure 27-10 Telecommuters Sharing One VPN Rule Example 27.16.2 Telecommuters Using Unique VPN Rules Example With aggressive negotiation mode (see section 27.10.1), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters.
This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see the
23.1 Problems Starting Up the ZyWALL
Table 28-1 Troubleshooting the Start-Up of Your ZyWALL
PROBLEM: None of the ...: Make sure that you have the included power adaptor or cord connected to the ZyWALL...
28.1 Problems with a LAN Interface
Table 28-2 Troubleshooting the LAN Interface
Cannot access the ZyWALL from the LAN: Check your Ethernet cable type and connections. Refer to the Rear Panel and Connections section for LAN connection instructions. Make sure your Ethernet card is installed and functioning properly.
Cannot ping ...: Check the 10M/100M LAN LEDs on the front panel.
28.3 Problems with Internet Access
Table 28-4 Troubleshooting Internet Access
Cannot access the Internet: Connect your cable/DSL modem with the ZyWALL using the appropriate cable. Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require a crossover cable and others a regular straight-through cable.
Part X: General Appendices This part provides background information about setting up your computer’s IP address, antennas, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting and safety warnings.
Appendix A Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
2. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
Click the IP Address tab. -To have your computer assigned a dynamic IP address, select Obtain an IP address automatically. -To give your computer a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
Select your network adapter. You should see your computer's (static) IP address, subnet mask and default gateway in this screen. Verify that your computer’s static IP address is in the correct subnet (192.168.1.2 to 192.168.1.254 if using the default ZyWALL LAN IP address).
Windows 2000/NT/XP In Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. In Windows XP, click Network Connections. In Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). - To have your computer assigned a dynamic IP address, click Obtain an IP address automatically. -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
-If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list.
For dynamically assigned settings, select Using DHCP Server from the Configure: list. For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box.
Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. For statically assigned settings, do the following: -From the Configure box, select Manually.
This appendix provides information about antenna selection and positioning. The access points in a wireless LAN send a radio frequency (RF) signal to the antennas, which propagate and capture the RF signal. Choosing the right antennas and positioning them properly increases the range and coverage area of a wireless LAN.
• Directional antennas concentrate the RF signal in a beam, like a flashlight. The angle of the beam width determines the direction of the coverage pattern; it typically ranges from 20 degrees (less directional) to 90 degrees (very directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.
The Ideal Setup
When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.

The “Triangle Route” Solutions
This section presents two solutions to the “triangle route” problem.
IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces with the ZyWALL being the gateway for each logical network.
Gateways on the WAN Side
A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.

Appendix D The Big Picture
The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.
Diagram D-1 Big Picture: Filtering, Firewall, VPN and NAT
A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
Infrastructure Wireless LAN Configuration
For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

Appendix F Wireless LAN With IEEE 802.1x
As wireless networks become popular for both portable computing and corporate networks, security is now a priority.
Security Flaws with IEEE 802.11
Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.

Appendix H PPTP
What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
PPTP Protocol Overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
Diagram H-3 Example Message Exchange between PC and an ANT
PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
Power Specification / MTBF / Operation Temperature / Ethernet Specification for LAN/VPN Ports / Cable Pin Assignments
In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port.
Power Adaptor Specifications
Chart I-4 North American AC Power Adaptor Specifications
AC Power Adapter model: AD48-1201200DUY
Input power: AC 120 Volts / 60 Hz / 0.25 A
Output power: DC 12 Volts / 1.2 A
Power consumption: 10 W
Plug: North American standards
Safety standards: UL, CUL (UL 1950, CSA C22.2 No.234-M90)
AC Power Adapter model: AD48-1201200DUY
Input power: AC 120 Volts / 60 Hz
Output power: DC 12 Volts / 1.2 A
Power consumption: 9 W...
Chart I-5 European Union AC Power Adaptor Specifications
Safety standards: TUV, CE (EN 60950)
Chart I-6 UK AC Power Adaptor Specifications
AC Power Adapter model: AD-1201200DK
Input power: AC 230 Volts / 50 Hz / 0.2 A
Output power: DC 12 Volts / 1.2 A
Power consumption: 10 W
Plug: United Kingdom standards
Safety standards: TUV, CE (EN 60950, BS7002)
Chart I-7 Japan AC Power Adaptor Specifications...
What is Universal Plug and Play?
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
Are there any cautions about UPnP?
The automated nature of NAT Traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
LABEL: Enable the Universal Plug and Play (UPnP) feature. Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the password to access the web configurator).

Step 1. Click Start and Control Panel. Double-click Add/Remove Programs.
Step 2. Click the Windows Setup tab and select Communication in the Components selection box. Click Details.
Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Step 4.

Components Wizard window displays.
Step 4. Select Networking Service in the Components selection box and click Details.
Step 5. In the Networking Services window, select the Universal Plug and Play check box.
Step 6. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
Step 2. Right-click the icon and select Properties.
Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Step 4.
When the UPnP-enabled device is disconnected from your computer, all port
Step 5. Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Step 6. Double-click the icon to display your current Internet connection status.

Step 1. Click start and then Control Panel.
Step 2. Double-click Network Connections.
Step 3. Select My Network Places under Other Places.
Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
Step 5. Right-click the icon for your ZyXEL device and select Invoke.
IP Addressing
Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
IP Classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
A class “B” address (16 host bits) can have 2^16 host IDs. A class “A” address (24 host bits) can have 2^24 host IDs. Since the first bit of a class “A” IP address must be a “0”, the first octet of a class “A” address can have a value of 0 to 127.
With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit.
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
IP Address / IP Address (Binary) / Subnet Mask (Binary)
Subnet Address: 192.168.1.128; Broadcast Address: 192.168.1.191
IP Address / IP Address (Binary) / Subnet Mask (Binary)
Subnet Address: 192.168.1.192; Broadcast Address: 192.168.1.255
Example Eight Subnets
Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet.
SUBNET / SUBNET ADDRESS
The following table is a summary for class “C” subnet planning.
NO. “BORROWED” HOST BITS
Subnetting With Class A and Class B Networks
For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
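The subnet planning worked through above (two subnets with a 25-bit mask, four with a 26-bit mask, eight with a 27-bit mask), as an added Python example that is not part of the ZyXEL manual. It performs the borrowed-bit arithmetic by hand and adds the check, used when setting a static PC address, that a host sits in the same subnet as the ZyWALL LAN IP; the function names are my own.

```python
# Added example (not from the ZyXEL manual): class C subnet planning by
# converting "borrowed" host ID bits into network number bits.

def dotted_to_int(addr):
    """Parse dotted-decimal IPv4 into a 32-bit integer; rejects malformed input."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value

def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_for(network_bits, borrowed=0):
    """Subnet mask with the class network bits plus `borrowed` host bits set to 1."""
    prefix = network_bits + borrowed
    if not 0 <= prefix <= 30:          # leave at least two host bits per subnet
        raise ValueError("prefix length must be between 0 and 30")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def plan_subnets(network, borrowed, network_bits=24):
    """One dict per subnet: subnet address, mask, directed broadcast, host range.

    network_bits=24 is the class C case used in the manual's examples.
    """
    subnet_mask = mask_for(network_bits, borrowed)
    base = dotted_to_int(network) & mask_for(network_bits)   # class network number
    size = 1 << (32 - network_bits - borrowed)               # addresses per subnet
    host_bits_mask = ~subnet_mask & 0xFFFFFFFF
    rows = []
    for i in range(1 << borrowed):
        subnet = base + i * size
        broadcast = subnet | host_bits_mask
        rows.append({
            "subnet": int_to_dotted(subnet),
            "mask": int_to_dotted(subnet_mask),
            "broadcast": int_to_dotted(broadcast),
            "first_host": int_to_dotted(subnet + 1),    # subnet address is not assignable
            "last_host": int_to_dotted(broadcast - 1),  # broadcast address is not assignable
        })
    return rows

def in_same_subnet(host, gateway, mask):
    """True when host and gateway share a network number under mask
    (e.g. a static PC address versus the ZyWALL LAN IP)."""
    m = dotted_to_int(mask)
    return (dotted_to_int(host) & m) == (dotted_to_int(gateway) & m)

if __name__ == "__main__":
    for borrowed in (1, 2, 3):
        print(f"--- {1 << borrowed} subnets of 192.168.1.0 ---")
        for row in plan_subnets("192.168.1.0", borrowed):
            print(row)
    print(in_same_subnet("192.168.1.200", "192.168.1.1", "255.255.255.128"))
```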
Safety Warnings and Instructions 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40º Celsius (104º Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
Appendix M Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.

The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.
FUNCTION / COMMAND
config edit firewall active <yes | no>
config retrieve firewall
config save firewall
config display firewall
config display firewall set <set #>
config display firewall set <set #>...

The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure.
Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
LAN to WAN: This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN.
WAN to LAN: This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the LAN.
IPSec Packets: This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.
NetBIOS Filter Commands
Command: sys filter netbios config 1 off
This command forwards WAN to LAN NetBIOS packets.
Command: sys filter netbios config 6 on
This command blocks IPSec NetBIOS packets.
Command: sys filter netbios config 7 off
This command stops NetBIOS packets from initiating calls.
The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATLC firmware) and...
just answer OK
ATHE: print help
ATBAx: change baudrate. 1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k
ATENx,(y): set BootExtension Debug Flag (y=password)
ATSE: show the seed of password generator
ATTI(h,m,s): change system time to hour:min:sec or show current time
ATDA(y,m,d): change system date to year/month/day or show current date
ATDS: dump RAS stack
ATDT...
LOG MESSAGE: %s exceeds the max. number of session per host!
LOG MESSAGE: Time calibration is successful; Time calibration failed; DHCP client gets %s; DHCP client IP expired; DHCP server assigns; SMT Login Successfully; SMT Login Fail; WEB Login Successfully; WEB Login Fail; TELNET Login Successfully...; TELNET Login Fail; FTP Login Successfully; FTP Login Fail; NAT Session Table is Full!
LOG MESSAGE: UPnP pass through Firewall
CATEGORY / LOG MESSAGE: URLFOR IP/Domain Name; URLBLK IP/Domain Name; JAVBLK IP/Domain Name
LOG MESSAGE: attack TCP; attack UDP
Log Descriptions
Chart Q-2 System Maintenance Logs (description of TELNET Login Fail): Someone has failed to log on to the router via telnet.
LOG MESSAGE: attack IGMP; attack ESP; attack GRE; attack OSPF; attack ICMP (type:%d, code:%d); land TCP; land UDP; land IGMP; land ESP; land GRE; land OSPF; land ICMP (type:%d, code:%d); ip spoofing - WAN TCP; ip spoofing - WAN UDP; ip spoofing - WAN IGMP; ip spoofing - WAN ESP...
LOG MESSAGE: Filter match DROP <set %d/rule %d>; Filter match FORWARD <set %d/rule %d>...
LOG MESSAGE: Firewall sent TCP reset packets; Packet without a NAT table entry blocked; Out of order TCP handshake packet blocked; Drop unsupported/out-of-order ICMP; Router sent ICMP response packet (type:%d, code:%d)
ACL SET DIRECTION / NUMBER: LAN to WAN; WAN to LAN...
ICMP TYPE / CODE
Echo Reply: Echo reply message
Destination Unreachable: Net unreachable; Host unreachable; Protocol unreachable; Port unreachable; A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF); Source route failed
Source Quench: A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
Timestamp: Timestamp request message
Timestamp Reply: Timestamp reply message
Information Request: Information request message
Information Reply: Information reply message
LOG MESSAGE format: Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>"
VPN/IPSec logs
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next.
Diagram Q-1 Example VPN Initiator IPSec Log (columns: Index, Date/Time; twelve entries dated 01 Jan 08:02:22 to 08:02:26, ending with the prompt "Clear IPSec Log (y/n):")
VPN Responder IPSec Log
The following figure shows a typical log from the VPN connection peer.
A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel
Chart Q-10 Sample IKE Key Exchange Logs
LOG MESSAGE: Send <Symbol> Mode request to <IP>; Recv <Symbol> Mode request from <IP>; Recv <Symbol>...
LOG MESSAGE: !! Invalid IP <IP start>/<IP end>; !! Remote IP <IP start> / <IP end> conflicts; !! Active connection allowed exceeded; !! IKE Packet Retransmit; !! Failed to send IKE Packet; !! Too many errors! Deleting SA; !! Phase 1 ID type mismatch; !! Phase 1 ID content mismatch; !! No known phase 1 ID type...
LOG MESSAGE: vs. My Local <IP address> -> <symbol> Error ID Info
The following table shows sample log messages during packet transmission.
Chart Q-11 Sample IPSec Logs During Packet Transmission
LOG MESSAGE: !! WAN IP changed to <IP>; !! Cannot find IPSec SA; !! Cannot find outbound SA for rule <%d>...
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Chart Q-12 RFC-2408 ISAKMP Payload Types
LOG DISPLAY: PROP; TRANS; CER_REQ; HASH; NONCE; NOTFY
Log Commands
Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).
Chart Q-13 Log Categories and Available Settings
LOG CATEGORIES: attack; error; ipsec; javablocked; mten; upnp; urlblocked; urlforward
For each category, the available settings include not recording logs for that category and recording alerts for that category. Use the sys logs save command to store the settings in the ZyWALL (you must do this in order to record logs).
Brute-Force Password Guessing
The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.
Chart R-1 Brute-Force Password Guessing Protection Commands
COMMAND: sys pwderrtm; sys pwderrtm 0...
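Repeated "Login Fail" entries are what the brute-force protection above exists to stop; a defender forwarding ZyWALL logs to a syslog host can spot them with the same rule. This added Python example, not part of the ZyXEL manual, parses the log line format documented in the Log Descriptions section (Mon dd hr:mm:ss hostname src="..." dst="..." msg="..." note="...") and raises an alert when one source IP produces several SMT/WEB/TELNET/FTP login failures within a sliding window; the sample lines and the window and threshold values are constructed for illustration.

```python
# Added example (not from the ZyXEL manual): parse the ZyWALL syslog line
# format documented above and flag repeated login failures from one source.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the documented format; not real device output.
# The format carries no year, so every timestamp parses into the same
# placeholder year and only the differences between them are meaningful.
SAMPLE_LOG = """\
Jan 01 08:02:22 zywall src="192.168.1.33:1042" dst="192.168.1.1:80" msg="WEB Login Fail" note=""
Jan 01 08:02:25 zywall src="192.168.1.33:1043" dst="192.168.1.1:80" msg="WEB Login Fail" note=""
Jan 01 08:02:31 zywall src="192.168.1.33:1044" dst="192.168.1.1:23" msg="TELNET Login Fail" note=""
Jan 01 08:03:10 zywall src="192.168.1.20:2001" dst="192.168.1.1:80" msg="WEB Login Successfully" note=""
Jan 01 08:05:00 zywall src="192.168.1.20:2002" dst="192.168.1.1:21" msg="FTP Login Fail" note=""
Jan 01 09:30:00 zywall src="192.168.1.20:2003" dst="192.168.1.1:21" msg="FTP Login Fail" note=""
this line is not in the documented format and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<stamp>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'src="(?P<src>[^"]*)" dst="(?P<dst>[^"]*)" msg="(?P<msg>[^"]*)" note="(?P<note>[^"]*)"$'
)

def split_endpoint(endpoint):
    """Split "<IP>:<port>" from the right so the IP keeps its dots; port may be empty."""
    ip, _, port = endpoint.rpartition(":")
    return (ip, port) if ip else (endpoint, "")

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec.pop("stamp"), "%b %d %H:%M:%S")
    rec["src_ip"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec["dst"])
    return rec

def detect_login_bruteforce(lines, window_seconds=60, threshold=3):
    """Map each source IP to the time its '... Login Fail' messages first
    reached `threshold` within a sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # src_ip -> failure timestamps still inside the window
    alerts = {}
    for rec in filter(None, map(parse_line, lines)):
        if not rec["msg"].endswith("Login Fail"):
            continue
        ip, ts = rec["src_ip"], rec["timestamp"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # q is never empty here
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

if __name__ == "__main__":
    for ip, when in detect_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: repeated login failures by {when.strftime('%b %d %H:%M:%S')}")
```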