ZyXEL Communications ZyWALL 1050 Release Note

Firmware release note, release 2.01(XL.4)

www.zyxel.com
ZyXEL
Firmware Release Note
ZyWALL 1050
Release 2.01(XL.4)
Date: Sep 19, 2008
Author: Xin-Hong Wu
Project Leader: Peter Wang
1/142


Summary of Contents for ZyXEL Communications ZyWALL 1050

  • Page 2: Supported Platforms

    ZyXEL ZyWALL 1050 Release 2.01(XL.4) Release Note Date: Sep 19, 2008 Supported Platforms: ZyXEL ZyWALL 1050 Versions: ZLD Version: 2.01(XL.4) | 2008-09-19 Bootbase: V1.12 | 2007-11-12 Files contained in the Release ZIP file: File Name: 201XL4C0.bin Purpose: This is the binary firmware image file for a normal system update.
  • Page 3: Read Me First

    Reset button during a firmware update. Refer to the ZyWALL ZLD CLI Reference Guide, Section 34.8 for details. File name: firmware.xml Purpose: This file is needed by ZyXEL Centralized Network Management (CNM) 3.0 or later. Read Me First 1. The system default configuration is summarized below: The default device administration username is “admin” and the password is “1234”.
  • Page 4 7. To reset the device to the system default, the user can press the RESET button for 5 seconds; the device resets itself to the system default configuration and then reboots. Note 1: After resetting, the original configuration is removed. It is recommended to back up the configuration before performing this operation.
  • Page 5: Known Issues

    Anti-Virus: 1. [SPR: 061218052] [Symptom] The question mark ‘?’ is a special character for the ZyWALL 1050, and if it is used in a white/black list in CLI mode, it may not work correctly. [Workaround] Please use the GUI to configure the feature.
  • Page 6: IPsec VPN

    IPsec VPN: 1. [SPR: 051206484] [Symptom] The ZW1050 does not support DNAT over IPSec in the “Many one-to-one” case. 2. [SPR: 060126368] [Symptom] A VPN tunnel cannot be established between the ZW1050 and Fortinet products if IKE is configured as X-Auth client or server.
  • Page 7: Diagnostic Tools

    L2TP over IPSec: 1. [SPR: none] [Symptom] If a user upgrades to firmware version 2.00 from 1.0x, they may need to copy and paste the following configuration in CLI mode to build the required IPSec tunnel for L2TP connections. Please refer to the user guide for more details on how to configure L2TP over IPSec.
  • Page 8 3. [SPR: 070719071] [Symptom] The device supports authenticating users remotely by creating an AAA method which includes AAA servers (LDAP/AD/RADIUS). If a user uses an account which exists in 2 AAA servers and supplies the correct password for the latter AAA server in the AAA method, the authentication result depends on what the former AAA server is.
  • Page 9 Go to ZyWALL > AppPatrol > Instant Messenger or ZyWALL > AppPatrol > Peer to Peer. This enhancement adds a note under the table, and the user can click the hyperlink to go to the official ZyXEL address to see the support list for IM/P2P applications. 4. [ENHANCEMENT] SPR ID: 080714924 Add an error message when the Interface IP and Gateway IP are the same, in order to prevent the user from setting an incorrect IP address.
  • Page 10 7. [ENHANCEMENT] Log Counter Enhancement: Add a counter that counts the number of logs in each log category when a log is sent from kernel to user space. This is statistical information on logging status and can help us debug when something abnormal happens.
  • Page 11 11. [BUG FIX] SPR ID: 080801119 Symptom: The device reboots when one specific mail content is sent. Condition: When we send one specific mail, the device reboots automatically without showing any crash dump or kernel message. 12. [BUG FIX] SPR ID: 080619153 Symptom: Firefox 3 cannot upload a configuration file.
  • Page 12 2. Enable RIP and V2-Broadcast on interfaces wan1 and lan1 on device B. 3. Go to ZyWALL > Network > Routing > RIP and set MD5 Authentication. On device A, the ID is 111 and the Key is abcde. On device B, the ID is 222 and the Key is abcde.
  • Page 13 Condition: 1. Enable Anti-Virus and Anti-Spyware and add one rule so that HTTP, FTP, SMTP, POP3 and IMAP4 can be detected from any to any. 2. Add the file pattern fi*.zip to the black or white list. 3. A PC on the LAN side uploads file2.zip to an HFS server.
  • Page 14 2. Create an SSL Application Object also named OWA1 (Type: OWA, URL: http://bb.com.tw). 3. In step 2, you will find that the OWA1 content is changed to your latest edited status (Type: OWA, URL: http://bb.com.tw). The original value (Type: Web Server, URL: http://aa.com.tw) is overwritten.
  • Page 15 26. [BUG FIX] SPR ID: 080519037 Symptom: The device crashes after reboot when you update the IDP/ADP signature to a specific version. Condition: 1. Update the IDP/ADP signature to the specific version and reboot. 2. The device sometimes crashes and dumps some error messages.
  • Page 16 In Log Setting, the ZySH category of the system log cannot be changed to “enable normal and debug logs”. Condition: 1. In ZyWALL > Maintenance > Log > Log Setting, click the “Active Log Summary” button 2. Log category: ZySH, set the system log to “enable normal logs and debug logs”.
  • Page 17 34. [BUG FIX] SPR ID: 080814045 Symptom: When modifying an existing address object, the ZySH daemon crashes. Condition: Modify an existing address object, e.g. LAN_SUBNET; the ZySH daemon crashes. 35. [BUG FIX] SPR ID: 080731906 Symptom: Virtual server rule cannot be displayed normally. Condition: 1.
  • Page 18 1. System > Date/Time. Change the Time Zone and set the time manually. Don’t use NTP (e.g. GMT+8, 00:00:00-2008/07/08). 2. Reboot. 3. The time will show GMT+8, 08:00:00-2008/07/08. 4. If you set another Time Zone, the device applies the +/- hours to the system time after reboot.
  • Page 19 Set the DNS server as the ZyWALL. A PC on the LAN queries the FQDN www.google.com. Sniff the FQDN packet on the WAN. The transaction ID is always the same. Modifications in 2.01(XL.3) - 2008/06/12 Modify for formal release. Modifications in 2.01(XL.3)b1 - 2008/06/10 1.
  • Page 20 5. [ENHANCEMENT] Symptom: Extend the maximum number of VRRP groups to 32 Condition: Extend the maximum number of VRRP groups to 32 6. [ENHANCEMENT] Symptom: L2TP over IPSec cannot be established if the L2TP user is behind a NAT router...
  • Page 21 10. [BUG FIX] SPR ID: 080320191 Symptom: Incorrect firewall screen Condition: 1. Edit one virtual server rule 2. Click the firewall link to enter the firewall page 3. The firewall page is empty 11. [BUG FIX] SPR ID: 080312666 Symptom: SIP ALG fails when the SIP phone client is v300 or v500 Condition: 1.
  • Page 22 5. The loopback rule no longer works 6. Delete the NAT 1-1 and Loopback policy rules and recreate them; the ZyWALL works fine. 15. [BUG FIX] SPR ID: 071011655 Symptom: Auto-generated address objects are not removed after deleting a VS rule Condition: 1. Create a new VS rule 2.
  • Page 23 (3) Create an SSL policy named “New_Policy2” and add SSL application “OWA111” to this policy (4) Change the URL of SSL application “OWA111” to https://mail.zyxel.com.tw (5) After steps (1) to (4), we find that the user cannot access “OWA111”. 18. [BUG FIX] SPR ID: 080306271...
  • Page 24 TFTP client <=> ZyWALL <== IPSec Tunnel ==> ZyWALL <=> TFTP server 1. The TFTP client tries to get the file from the TFTP server 2. There are many “rule not found” logs on the ZyWALL and the TFTP client ultimately cannot get the file.
  • Page 25 Condition: FTP Client------WAN [ZyWALL] LAN------- FTP Server 1. Serv-U is used as the server, FileZilla as the client. 2. Use the following config file. 3. The FTP server uses a virtual server rule to redirect the connection to the real server on the LAN. 4. The FTP client connects to the server via the ZyWALL’s WAN IP, and the ZyWALL redirects the connection to the LAN server.
  • Page 26 When the hardware watchdog is on, the related CLI command should be stored in the running configuration 27. [BUG FIX] SPR ID: 080306246 Symptom: Security issue: ports 2601, 2602 and 2604 are open Condition: 1. Use a port scanning tool such as Nmap to scan the open ports of the device.
  • Page 27 31. [BUG FIX] SPR ID: 080417818 Symptom: Authentication fails with an external authentication server when the configured username is prefixed with “admin” Condition: 1. Configure an external user admin1234 2. Configure a RADIUS server 3. Add admin1234 to the RADIUS server database 4. Add group radius to the default authentication method 5.
  • Page 28 When the device loads the System Protect signature during booting or a signature update, it sometimes dumps an error message. This causes IDP/ADP/System Protect to stop working normally. 35. [BUG FIX] SPR ID: 080215341 Symptom: NAT-T failure Condition: NAT-T failure Modifications in 2.01(XL.1) - 2008/02/22...
  • Page 29 2. Make BT connections pass through the device; many identical logs appear on the log page [ENHANCEMENT] SPR ID: 080103066 Symptom: Check the remaining disk space while doing an AV signature update Condition: 1. Do an AV signature update while disk usage is high 2.
  • Page 30 AD or LDAP account, and you can see the DUT’s log show “Xauth 15. [BUG FIX] SPR ID: 070824675 Symptom: An additional space in a saved ldap command causes a zysh parse error Condition: 1. Issue the following commands in the CLI ldap-server basedn OU=WithMail,DC=Zyxel,DC=com ldap-server binddn cn=guest,OU=WithMail,DC=Zyxel,DC=com ...
  • Page 31 OU=WithMail,DC=Zyxel,DC=com ldap-server binddn cn=guest,OU=WithMail,DC=Zyxel,DC=com * there are two spaces between “ldap-server basedn” and “OU=WithMail,DC=Zyxel,DC=com” 3. After rebooting, there will be 3 spaces ==> eventually the device fails to apply the two commands because of the string length limit 16.
  • Page 32 3. The CLI returns ERROR: Port in use. 4. It should not report an error when the same default port is entered for the same protocol 20. [BUG FIX] SPR ID: 071023179 Symptom: A policy with a schedule in App. Patrol cannot be moved or deleted if that policy has been moved before.
  • Page 33 When doing a [Flush Data], the statistic information is gone forever and can no longer be made visible. Thus, we suggest moving the “since ... to ...” to the Traffic View and updating the “since” date/time to the last flush, rather than keeping it at the data collection start.
  • Page 34 Do not check NAT loopback d. Reboot; the startup config will fail. 27. [BUG FIX] SPR ID: 071024406 Symptom: SSL VPN with 50 concurrent users fails Condition: 1. After establishing 49 concurrent users (sometimes 48 users), after a while all connections are suddenly broken.
  • Page 35 3. Dial the IPSec tunnel from A to B; the system then crashes 31. [BUG FIX] SPR ID: 071017878 Symptom: SSL VPN problem with file sharing on a Win2003 server Condition: a problem connecting to file sharing over SSL VPN with a USG-300 on a Win2003 server; the client tries to connect with an “anonymous”...
  • Page 36 Condition: 1. Enable IDP / Firewall / NAT 2. Use IxLoad to send HTTP traffic (packet size: 1460 k, file: 1024k html) 3. The performance test result should be about 114 Mbps, but this version reaches only about 62 Mbps 35.
  • Page 37 38. [BUG FIX] SPR ID: 080103070 Symptom: The system might crash under heavy traffic Condition: Use IXIA for stress testing on the device with mixed traffic. After a few days, the device might crash 39. [BUG FIX] SPR ID: 080103071 Symptom: The system sometimes crashes during an IDP/AV signature update Condition: 1.
  • Page 38 3. Ping a host from the host with IP A; it matches the virtual server rule we just created 4. We get no ICMP reply, and error logs like “ADP LAND Attack” occur 43.
  • Page 39 Quote: www.google.com: Service is unavailable 2. There are not enough log messages to debug this issue. We need to enhance the log messages to show the real reason. 48. [BUG FIX] SPR ID: 071121398 Symptom: The registration service expiration does not decrease day by day Condition: 1.
  • Page 40 Condition: 1. Use a Dialogic SIP phone (HMP 3.0) 2. Caller (LAN side)-USG300-caller (WAN side) 3. The WAN-side caller’s voice cannot pass through the device 53. [BUG FIX] SPR ID: 080122107 Symptom: An SSL VPN full tunnel cannot be established successfully when client certificate authentication is enabled on the USG-300.
  • Page 41 User: klade0009 Passwd: 1234 2. PC1 tries to FTP to PC2 (ftp 192.168.1.33) 3. System crash [BUG FIX] SPR ID: 071018946 Symptom: IPsec traffic cannot pass through Condition: Use the Ecard topology PC1(10.170.9.100) --- zw70-A <--- 172.23.39.0/24 --> (ge2) zw1050 (ge3, ge4) <--->...
  • Page 42 (2) Edit the policy again and disable Network Extension. (3) Log in via SSL VPN; accessing Google fails. (4) The function works after rebooting the router. [BUG FIX] SPR ID: 071016829 Symptom: SSL VPN users are forcibly logged out even though there is constant traffic going from the user to the device Condition: 1.
  • Page 43 Router(config-if-ge)# ip dhcp-pool LAN_POOL Router(config-if-ge)# Router(config)# Modifications in 2.01(XL.0)b1 - 2007/10/15 [ENHANCEMENT] Add a Vantage CNM device agent which supports Vantage CNM server version 3.0.00.61.00. [ENHANCEMENT] Policy routing now supports auto destination for dynamic rules [ENHANCEMENT] Add NAT 1:1 and NAT loopback checkboxes in Virtual Server. By enabling the checkboxes, the device creates the corresponding Policy Route rules automatically to make NAT 1:1 and NAT loopback work correctly.
  • Page 44 [BUG FIX] SPR ID: 070709327 Symptom: Address object reference count always increases Condition: 8. Add an address object 9. Policy route, IPSec policy and outbound SNAT can use this address object 10. Check the CLI command “show address-object”; that address object’s reference count keeps increasing 10.
  • Page 45 1. In the Netherlands, a customer applies his configuration file “startup-config-nl.conf” to the ZW1050. 2. However, the device hangs while uploading. 3. Please refer to the attachment. 14. [BUG FIX] SPR ID: 070808594 Symptom: IPSec VPN does not function when using a DDNS domain.
  • Page 46 18. [BUG FIX] SPR ID: 070829899 Symptom: SIP (P2301R) can’t connect correctly with the remote P2301R behind the ZW1050 Condition: SIP_A(P2301R)---USG300---[WAN]---ZW1050---SIP_B(P2301R) 1. When SIP_B (P2301R) connects directly to the WAN, SIP_A and SIP_B can call each other normally. 2. When SIP_B (P2301R) connects to the ZW1050 LAN side (i.e. behind the ZW1050), SIP_A and SIP_B can call each other but the voice can NOT pass.
  • Page 47 3. I logged out from SSL VPN later. When I arrived today at work, the serial console of the Z1050 received the following text every 10 seconds: sslvpn is dead at Fri Sep 7 10:13:27 2007 4.
  • Page 48 Condition: 1. Turn on the HW & SW watchdog timers 2. Turn off the HW watchdog timer 3. After the time threshold is reached, the SW watchdog reboots the device. 4. The device is not busy in step 3, so the SW watchdog should have resources available from the device.
  • Page 49 Therefore, zysh cannot use this binary file to send any gratuitous ARP. 33. [BUG FIX] SPR ID: 070809774 Symptom: IPSec VPN cannot join a zone Condition: 1. Create an IPSec VPN 2.
  • Page 50 Condition: 1. Create an SSL VPN object and enable network extension mode. The assigned pool range is 192.168.7.1~192.168.7.2 2. User A logs in as an SSL VPN user successfully and gets the IP 192.168.7.1 3. User B logs in as an SSL VPN user 4.
  • Page 51 1. Create more than 200 tunnels and more than 200 isakmp policies 2. show isakmp policy or display the tunnels in the GUI 3. It is very slow to display. 41. [BUG FIX] SPR ID: 070831026 Symptom: Enabling NAT loopback causes the box to totally lose connectivity Condition: 1.
  • Page 52 Symptom: System crash due to AV HTTP protocol scanning Condition: 1. Enable AV HTTP protocol scanning 2. Try to visit a web site which supports HTTP chunk-extension 3. System crash 45. [BUG FIX] SPR ID: 070927503 Symptom: System crash due to continually turning IDP off/on Condition: 1.
  • Page 53 Condition: 1. A user logs in to SSL VPN full tunnel mode. 2. When the session is abnormally logged out, the administrator can’t force it to log out via eWC/System Status/Number of Login Users. 49. [BUG FIX] 070903066 Symptom: Limiting inbound traffic on additional UDP port 10000 fails.
  • Page 54 Symptom: The default certificate can be removed when system-default.conf is applied. Condition: 1. Apply system-default.conf 2. Some features (e.g. HTTPS) use the “default” certificate, so it should not be possible to remove it. 3. Actually, this certificate can be removed, and it seems the use of the object in system-default.conf does not follow the object usage rule.
  • Page 55 Symptom: SSL VPN CIFS cannot display the content of one directory correctly. Condition: 1. Create one Samba directory A which needs a username and password. 2. Create another directory B which needs a different username and password. 3. Log in to SSL VPN and enter the file sharing page.
  • Page 56 When the user adds zones beyond the maximum zone number, the user can no longer edit zone information. Condition: 1. After adding the 16th zone, the system is OK. 2. Edit one of the zones; it returns the error: retval = -52011 ERROR: Zones have reached the maximum number.
  • Page 57 6. Protocol: any 7. Original port: 1234 8. Mapped port: 1234 9. Disable create policy route. 10. Disable NAT Loopback. After clicking OK and returning to the summary page, the original IP shows undefined and the mapped IP shows empty. 63. [BUG FIX] 070907322 Symptom: Debug dmesg prints unnecessary messages.
  • Page 58 6. Click any hyperlink on the left panel; the GUI does not respond. 7. Check the console: the system dumps a lot of debug information and crashes. 66. [BUG FIX] 071004308 Symptom: Zyshd segmentation fault when configuring isakmp policy local-ip <fqdn>. Condition: 1. (CLI) isakmp policy Default_L2TP_VPN_GW 2. (CLI) local-ip ip luffy.dyndns.info...
  • Page 59 System crash due to AV HTTP protocol scanning Condition: 1. Enable AV HTTP protocol scanning 2. Try to visit a web site which supports HTTP chunk-extension 3. System crash [BUG FIX] 070927502 Symptom: System crash due to continually turning IDP off/on.
  • Page 60 In order to provide a web access report for the licensed content filter service, the device needs to send web access information to the ZyXEL report server. There is a new checkbox on the content filter configuration page; its default value is off. Administrators can use it to choose whether or not to send the information.
  • Page 61 [Enhancement] NAT-T HW acceleration In the previous version, IPSec processing was software based when NAT-T was enabled. With this enhancement, whether or not NAT-T is enabled, the IPSec module uses the hardware engine to accelerate traffic processing. [BUG FIX] 070621293...
  • Page 62 The Client Virtual Desktop logo disappeared after upgrading firmware from b6 to b7. Condition: 1. In the b6 firmware, upload a JPG file to replace the default ZyXEL logo. 2. A user logging in to SSL VPN can see the JPG picture. 3. Upgrade the firmware from b6 to b7; the logo reverts to the ZyXEL default.
  • Page 63 3. Try to create a session by browsing the Internet. The session Remaining Time shows 1002 minutes; it should be 10020 minutes. 20. [BUG FIX] 070424027 Symptom: Sometimes AV can fail. Condition: Sometimes when an infected file is downloaded/uploaded via the HTTP protocol (port 3128/8080), the DUT cannot detect it 21.
  • Page 64 1. Create an SSL VPN rule with Assign IP Pool 192.168.100.1~192.168.100.2. 2. The first user logs in to SSL VPN and gets the IP address 192.168.100.1. 3. The second user’s SSL VPN login fails because the SSL VPN gateway has no assignable IP. Why? It still has 192.168.100.2 to assign.
  • Page 65 Condition: 1. On ZW1050 1.00(XL.0)c0, add an MSN rule (only "log" this protocol) 2. Upgrade firmware to 2.00(XL.0)b6 3. There is an extra default MSN rule whose inbound/outbound bandwidth is "1" 4. This issue affects not only MSN but also other protocols which support BWM Modifications in 2.00(XL.0)b6 - 2007/07/06...
  • Page 66 Modifications in 2.00(XL.0)b5 - 2007/06/22 [BUG FIX] 060629034 Symptom: With an ATA on the LAN connected to a LAN port, registration fails and the DUT crashes. Condition: 1. The SIP clients are a P2002 and a P2302RL on the LAN; the SIP server is “Asterisk v1.2.9.1” on the WAN.
  • Page 67 4. Attack from LAN to DMZ: the DUT can detect the UDP flood attack but cannot block it [FEATURE CHANGE] 070418766 Symptom: Suggest changing the wording of Anti-X in Traditional Chinese Condition: 1. Suggest changing the wording of Anti-X in Traditional Chinese...
  • Page 68 MIB file verification fails in this version because RAM usage is always 0. Condition: 1. Compile the zyxel.mib and zyxel-zyxel-ZLD-Common.mib files. 2. CPU Usage changes when getting values via MG-Soft. 3. RAM Usage is always 0 even though there is a value on the Home page of eWC.
  • Page 69 2. The PQA gateway ZW1050 crashed again after 2 days 19. [BUG FIX] 070529413 Symptom: SSL VPN can disconnect when users connect over the weekend Condition: 1. Users connect to the DUT with SSL VPN and do FTP download/upload over the weekend 2. Some users are disconnected on Monday Modifications in 2.00(XL.0)b4 - 2007/05/18...
  • Page 70 Symptom: The Diagnostic “Collect Now” button pops up more than one page. Condition: 1. In the GUI, ZyWALL 1050 > Maintenance > Diagnostic page, clicking any “Collect Now” button pops up more than 1 page. 2. It should pop up only one page.
  • Page 71 Condition: 1. The device cannot be accessed and gives no ping response after doing an AV performance test with POP3 background traffic carrying a 1MB ZIP file. 13. [BUG FIX] 070103111 Symptom: L2TP FTP stress causes IPSEC VPN to disconnect. Condition: 1.
  • Page 72 If no, then update these on the DUT. If yes, then do nothing; this is where the problem occurs, because the new file should be updated but is ignored. 18. [BUG FIX] 070212095 Symptom: GUI wording is misspelled. Condition: Go to System > Vantage CNM, click the Advanced button, select “Device Management...
  • Page 73 1. GUI > Licensing > Update > System Protect page. 2. Click “Update now” 3. After it completes successfully, the pop-up window shows “/tmp/sysinternalsig_progress at Tue Feb 13 19:12:35 2007”. This is not displayed correctly. 23. [BUG FIX] 070214206 Symptom: After running for a period of time, the DUT crashes and does not recover.
  • Page 74 Cannot run SNMP over IPSEC VPN 28. [BUG FIX] 070404201 Symptom: Cannot configure the Active Directory tab on the zw1050 with a username that contains spaces Condition: The following valid Bind DN in my Active Directory is not accepted by the zw1050 user...
  • Page 75 Condition: The embedded Java console does not work if either the HTTPS or SSH port is changed. 34. [BUG FIX] 070411489 Symptom: AV cannot detect a virus under some conditions. Condition: 1. Set up the DUT with a PPPoE interface. 2. Enable AV POP3 scanning from WAN to LAN.
  • Page 76 1. Set up a Device HA system. 2. Configure the backup DUT sync time as 1440 minutes. 3. But it syncs every hour. 4. The forum thread is “Config Reload every NNN Minutes on Standby System” 40. [BUG FIX] 070419813 Symptom: Content filter cache TTL issue.
  • Page 77 =/~aHR0cHM6Ly9pbnF1aXJ5Lm5jY2MuY29tLnR3Lw==/~aW5kZXhjaGluZXNlLmh0b 45. [BUG FIX] 061220206 Symptom: The Reverse Proxy has an error in rewriting the URL. Condition: 1. We edit “http://172.23.31.33” in the web application. 2. After a remote user accesses the URL in the portal, the function works. 3. However, if we keep accessing some pages, the Reverse Proxy has an error in rewriting the URL.
  • Page 78 4. The captured picture is attached. Mozilla version is 1.7.13; Netscape is 8.1.2 49. [BUG FIX] 061227966 Symptom: DUT memory usage continues to increase after a stress test. Condition: 1. The DUT runs FTP and eMule stress tests for several days; memory usage reaches over 90%.
  • Page 79 Symptom: With Fedora Core 5, Firefox 1.5.0.1 and jre-1_5_0_10-linux-i586, the remote client cannot log in to SSL VPN. Condition: 1. The remote client is Fedora Core 5, Firefox 1.5.0.1, jre-1_5_0_10-linux-i586. 2. The remote client cannot log in to SSL VPN. 55. [BUG FIX] 070109509 Symptom: Bi-directional traffic over 5 IPSEC VPNs causes traffic to hang.
  • Page 80 Condition: Unknown DUT crash; just leave it overnight and do nothing. 61. [BUG FIX] 070404212 Symptom: AV FAILS to work for SMTP and POP3 Condition: 1. Set up a mail server on DMZ port ge5. 2. Enable the any-to-any AV service; the EICAR check is also enabled.
  • Page 81 Spyware/Malware Sources Spyware Effects/Privacy [BUG FIX] 060616002 Symptom: The DUT does not check the user’s password if a blank password is set Condition: 1. User/Group -> User, add a user of Local User type with Username = test and a blank password (no characters entered).
  • Page 82 Symptom: The Diagnostic tool “Collect Now” button pops up more than one page. Condition: 1. In the GUI, ZyWALL 1050 > Maintenance > Diagnostic page, clicking the “Collect Now” button pops up more than 1 page. 2. It should pop up only one page. 13. [BUG FIX] 061222588...
  • Page 83 The device cannot be accessed and gives no ping response after doing an AV performance test with POP3 background traffic carrying a 1MB ZIP file. Condition: 1. The device cannot be accessed and gives no ping response after doing an AV performance test with POP3 background traffic carrying a 1MB ZIP file.
  • Page 84 19. [BUG FIX] 070108400 Symptom: IDP log is always “alert log” Condition: 1. Add a profile for WAN to LAN 2. Disable the firewall 3. Add a virtual server which forwards ge2 traffic to the LAN (192.168.1.33) 4. Add an IDP rule which protects WAN (ppp0) to LAN (192.168.1.0/24), set ID=8003992 log=log, action=drop/reset-both/reset-sender/reset-receiver 5.
  • Page 85 25. [BUG FIX] 070208690 Symptom: A certificate cannot be exported. Condition: 1. Create a third-party signed certificate; this certificate cannot be exported. Self signed is 2. This issue causes the Device HA sync function to fail.
  • Page 86 31. [BUG FIX] 070213147 Symptom: The device cannot be accessed at one point, and sometimes traffic cannot pass, while doing a 1000 VPN tunnel throughput test with IxVPN. Condition: 1. Create one dynamic rule for VPN 2. The device cannot be accessed at one point, and sometimes traffic cannot pass, while doing a 1000 VPN tunnel throughput test with IxVPN 3.
  • Page 87 1. Upgrade firmware from 2.00(XL.0)b1 to 2.00(XL.0)b2 and run for 2 days. The DUT crashes. 2. In debug mode, use atkz to update the db file again. Zysh daemon is terminated - Segmentation fault. 3. In debug mode, use atkz to update the image file again. ZySH daemon is terminated - Segmentation fault.
  • Page 88 Condition: The Z70 supports 10000 sessions and the default Concurrent Sessions per host is 6000. Why are per-host sessions more limited, at a maximum of 2048, on the Z1050? Since the Z1050 is a step up from the Z70, it should logically be able to support more sessions per host.
  • Page 89 Limiting outbound traffic on additional UDP port 10000 Condition: 1. In web eWC/“App. Patrol”, set Enable Application Patrol=enable 2. In web eWC/“App. Patrol”/“Other Protocol”, add a rule - Port=10000 - Protocol=UDP - Outbound traffic=200kbps 3. Use tfgent to send 500kbps UDP traffic to another host on port 10000; that host can receive...
  • Page 90 User Logon setting behavior is not correct Condition: 1. In the GUI, ZyWALL 1050 > Object > User/Group > Setting page, under User Logon Setting enable administration account Maximum number = 2 2. Use the same PC to log in to the DUT with the admin account, then close the browser directly. Then log in...
  • Page 91 Then the third login with the admin account is limited. 3. It should be judged by IP address. 18. [BUG FIX] 061226891 Symptom: ge3 ping check function issue. Condition: 1. By default, ge2 is disconnected and ge3 is connected.
  • Page 92 23. [BUG FIX] 070102057 Symptom: AV cannot detect a virus when it is downloaded by HTTP Condition: 1. Make the LAN side PC go out via a ppp (PPPoE or PPTP or bridge) interface, with AV scanning WAN->LAN files 2. The LAN side PC can download a virus file via HTTP; the DUT cannot detect it 24.
  • Page 93 2. The pop-up window title (when adding a new profile) “Please select one IDP Base Profile” should be “Please select one ADP Base Profile” 29. [BUG FIX] 070103163 Symptom: ADP traffic anomaly scan detection action=“original setting” and flood detection action=“original setting”...
  • Page 94 34. [BUG FIX] 061219118 Symptom: App. Patrol cannot block Windows Live Messenger actions Condition: 1. Make all DUT interfaces a bridge 2. A PC on port1 can still send Windows Live Messenger messages 35. [BUG FIX] 061219119 Symptom: App.
  • Page 95 1. Set ADP flood detection threshold = 10 2. Use the Hgod attack tool with thread = 5; the DUT still detects this attack 41. [BUG FIX] 070104240 Symptom: Can’t log in to the DUT by SSH v1. Condition: 1. eWC -> System -> SSH, enable Version 1 2.
  • Page 96 Sometimes can’t log in to SSL VPN; it finally shows “session timeout!”. It can’t be reproduced. Condition: 1. A PC uses IE 6.0 to log in to SSL VPN. It can’t log in for a long time and finally shows “session timeout!”. 2. IE shows an exclamation mark at the lower right.
  • Page 97 Condition: 1. Use Netscape and Mozilla to browse Linux file sharing 2. Add/delete/rename a folder; the portal does not change immediately. 3. Click up and browse Linux file sharing again; the add/delete/rename action is then visible.
  • Page 98 55. [BUG FIX] 070102073 Symptom: Can’t attach a file on the OWA server via Firefox. Condition: 1. Configure Exchange 2003 as the OWA server on the DUT. 2. Use Firefox to log in to the OWA server via SSL VPN. 3. Attaching a file fails. 56. [BUG FIX] 070110557 Symptom: A PC with 2 IP addresses or two gateways can’t log in to SSL VPN network extender mode.
  • Page 99 60. [BUG FIX] 070108400 Symptom: IDP log is always “alert log” Condition: 1. Add a profile for WAN to LAN 2. Disable the firewall 3. Add a virtual server which forwards ge2 traffic to the LAN (192.168.1.33) 4. Add an IDP rule which protects WAN (ppp0) to LAN (192.168.1.0/24), set ID=8003992 log=log, action=drop/reset-both/reset-sender/reset-receiver 5.
  • Page 100 1. Default configuration 2. Block the Yahoo Messenger 8.1.0.209 audio action 3. A PC on port1 can still chat via Yahoo Messenger 8.1.0.209 audio 66. [BUG FIX] 060623610 Symptom: Sometimes the backup DUT’s default certificates are lost after syncing the master’s certificates.
  • Page 101 70. [BUG FIX] 060329431 Symptom: No WINS on DHCP Server Condition: WINS should be supported in interface/DHCP server Modifications in 2.00(XL.0)b1 - 2006/12/18 [Enhancement] New feature: SSL VPN is now supported. Please refer to the user guide for more details.
  • Page 102 16. [BUG FIX] 061115853 Symptom: Packets could be sent out via the wrong path Condition: 1. Set up 3 WAN interfaces (Ethernet, PPPoE, PPTP) on 3 ports: WAN1 Zone=Ethernet ge2 port2; WAN2 Zone=PPPoE ppp0 port3; WAN3 Zone=PPTP ppp1 port4; LAN Zone=Ethernet ge1 port1. 2. WAN_TRUNK=WAN1, WAN2, WAN3 3. Edit the WAN_TRUNK rule - Load Balancing Algorithm=Spillover - Member=ge2 200, ppp0 100, ppp1 50.
  • Page 103 Most AD usernames are in a format like xxx@company.com. Thus, ‘@’ is necessary in usernames. Condition: 1. Switch to the ZyWALL1050 User/Group configuration page. 2. Add a new user name leo@zyxel.com.tw 3. The system cannot accept this username format and returns a warning message. [BUG FIX] 061102083 Symptom:...
  • Page 104 <> zw70/zw35 => failed zw1050 <> softremote => failed [BUG FIX] 061020668 Symptom: Xauth client password cannot accept special characters Condition: When building an IPsec tunnel, if we set the phase 1 Xauth client password to “,;|`~!@#$%^&*()_+\{}’:./<>=-.”, authentication fails (the XML cannot accept the special characters, such as <>).
  • Page 105 Modifications in 1.01(XL.1)b1 – 2006/10/11 1. [BUG FIX] 060830674 Symptom: A long DNS Domain Zone causes the DUT to report “zysh daemon is terminated”. Condition: 1. System > DNS, add a Name Server Record rule, enter a long Domain Zone (>=235 characters) and save it.
  • Page 106 7. Suggest that keepalived send gratuitous ARP for all IPs, including alias IPs. 6. [BUG FIX] 060907317 Symptom: When the user configures IPSec VPN on the master device and establishes tunnels with a remote ZW1050 gateway, once the master device goes down the remote security gateway cannot dynamically rebuild tunnels with the backup device.
  • Page 107 When configuring the IPSec VPN Authentication Method as Certificate, the user can't edit the IP for Peer ID Type=IP. Condition: 1. Add a certificate called DUT1_IP. 2. Create a VPN Gateway; set Certificate=DUT1_IP. Peer ID Type becomes IP automatically, but the Content field can’t be edited.
  • Page 108 2. Edit this rule; Month appears as “08”, and clicking “OK” shows a warning message. 14. [BUG FIX] 060908395 Symptom: IDP signature rules cannot detect MS05-039 and MS06-040 attacks. Condition: 1. In IDP, add an “all” profile protecting the WAN, then use an MS05-039 attack tool to attack a WAN PC.
  • Page 109 2. Remove ge4 from DMZ zone. 3. Add ge4 into WAN zone and enable intra-zone blocking of WAN zone. 4. In bash, use the following command to show the firewall rules: root@zw1050:/etc/zyxel# iptables -t zyfilter -nvL FORWARD |grep intra-zone 0 ZYFIRE IP Address Mask 192.168.1.1...
  • Page 110 ZYFIRE: cat firewall level notice cli_index=0 from ANY to ANY sevice others unlog mac unlog ob message intra-zone blocking on WAN REJECT 0 ZYFIRE ZYFIRE: cat firewall level notice cli_index=0 from ANY to ANY sevice others unlog mac unlog ob message intra-zone blocking on WAN REJECT 5.
  • Page 111 Symptom: 1. There is no user type information while displaying a user profile. 2. The user type needs to be shown while displaying a user profile to improve usability. Condition: 25. [EXTERNAL][ENHANCEMENT] Symptom: Support configuring the DPD output idle timeout by CLI. Condition: 1.
  • Page 112 Voice sometimes cannot pass through. Condition: Topology: P2002---(L) ZyWALL 70(W)---Server---(W) ZyWALL 1050(L)---P2302 1. The SIP Server is “VOCAL v1.50” and its IP is 192.168.14. 2. The ZW1050 WAN is 192.168.14.100; the ATA is on the LAN with IP 192.168.123.28. 3. The ZW70 WAN is 192.168.14.108.
  • Page 113 8. [Enhancement] Private MIB support for CPU, memory and VPN throughput. Symptom: The private MIB exposes CPU usage, memory usage and VPN total throughput information via SNMP. 9. [Enhancement] Diagnostic Tool support. Symptom: Add a Diagnostic Information Collector to collect debug information.
  • Page 114 Symptom: NTP update failed. Condition: Apply the default configuration. 1. Use NTP to update the system date: go to System->Date/Time. 2. Enable "Get from Time Server" and click "Synchronize Now". 3. Sometimes the update process fails, but no error is displayed in the GUI.
  • Page 115 There is only one virtual server rule, but two rules appear in the internal iptables. 2. address-object SERVER_WAN_IP 61.1.1.1 ip virtual-server test interface ge2 original-ip SERVER_WAN_IP map-to 192.168.4.2 map-type any address-object rename SERVER_WAN_IP abc After renaming an address object used by a virtual server, applying the virtual server may fail at the next reboot. 22.
  • Page 116 2. Join all the user objects to a user group: groupname harrygroup user harry0 user harry1 user harry2 user harry1023 exit zyshd would crash in the exit function. 29. [BUG FIX] 060823343 Symptom: Changing the VRRP interface on the Backup device may cause Device HA Sync to fail.
  • Page 117
    4 ge2:2 Down 1.1.1.21 255.255.255.0 Static
    5 ge2:4 Down 1.1.2.21 255.255.255.0 Static
    6 ge3 Down 0.0.0.0 0.0.0.0 DHCP client
    7 ge4 Down 0.0.0.0 0.0.0.0 Static
    8 ge5 Down 0.0.0.0 0.0.0.0 Static
    9 aux Inactive 0.0.0.0 0.0.0.0 Dynamic
    Modifications in 1.00(XL.1)b1 – 2006/7/7 1.
  • Page 118 1. Do not register the DUT, so IDP is not licensed. 2. In eWC/IDP/General, enable IDP, select an ”all” profile to match the WAN Zone, check ”Activation” and click ”Apply”; the GUI shows the message ”IDP service is not registered. Packet Inspection feature will not be activated.”...
  • Page 119 PC1 cannot search for the host of PC2 via the VPN tunnel even when "NetBIOS broadcast over IPSec" is enabled. Condition: PC1-------ZW1050_1=======ZW1050_2-----PC2 1. The VPN has been established successfully. 2. PC1 cannot search for the host of PC2 via the VPN tunnel even when ”NetBIOS broadcast over IPSec”...
  • Page 120 4. Go to www.kimo.com.tw from the ge1 PC => CPU usage will be 100%. 16. [BUG FIX] 060621262 Symptom: dhcpd dies if the ge2 metric is changed. Condition: 1. Change the metric of ge2 from 1 to 0 and apply. 2. A PC on ge1 can't get an IP address.
  • Page 121 1. The VPN tunnel cannot be established within a few hours if it authenticates with a DNS certificate signed by the ZW1050 itself. 2. Suggest showing logs that indicate whether the certificate is valid for VPN authentication.
  • Page 122: Appendix 1. Firmware Upgrade / Downgrade Procedure

    Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to back up the current configuration file. Find the firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example “200XL1C0.bin”.
  • Page 123: Appendix 2. Diagnostic Information Collector

    Appendix 2. Diagnostic Information Collector The Diagnostic Information Collector is designed to collect configuration and diagnostic information on the ZW1050. When the product is deployed in the field and a problem occurs, it is not easy to gather all the diagnostic information developers need to fix the problem at once, whatever its root cause.
  • Page 124 After “Collect Now” is clicked, a new collection window pops up. This window indicates the status of the collection, and while it runs you can freely switch between configuration pages. Show collected package file information CLI command: Router >...
  • Page 125 When the CLI command is used to collect information, the package file is available via FTP in the /debug directory once collection is done. When the web interface is used, the package can be downloaded from the web interface once the action is done.
  • Page 126: Appendix 3. SNMPv2 Private MIBs Support

    SNMPv2 private MIBs allow the user to monitor ZW1050 platform status. To use this feature, prepare the following: 1. Obtain the zw1050 MIB files (zywall.mib and zyxel-zywall-ZLD-Common.mib) and install them in your MIB application (such as a MIB browser). You can then see zywallZLDCommon (OID 1.3.6.1.4.1.890.1.6.22).
  • Page 127: Appendix 4. Virtual Server Enhancement

    Appendix 4. Virtual Server Enhancement The virtual server feature creates a NAT mapping between outside IP addresses and inside IP addresses. The conventional way of using this feature consists of four steps: 1. Create a virtual server map setting which uses the just-created virtual interface.
  • Page 128 In CLI configuration, the following two example commands are supported: Router(config)# ip virtual-server VR1 interface ge2 original-ip any map-to 192.168.3.2 map-type any Router(config)# show ip virtual-server virtual server: VR1 active: yes interface: ge2 original IP: any, netmask 255.255.255.255 mapped IP: 192.168.3.2...
  • Page 129: Appendix 5. Content Filter Support 60 Categories

    Appendix 5. Content Filter Support 60 Categories Introduction Content Filter is a function that helps administrators manage or control web browsing access. It classifies websites into 52 categories, giving administrators a convenient and efficient way to block unwanted web material for internal users. With the evolution and diversity of web content today, the original web categories may no longer classify and block websites accurately.
  • Page 130 "News/Media" "Personals/Dating" "Reference" "Open Image/Media Search" "Chat/Instant Messaging" "Email" "Blogs/Newsgroups" "Religion" "Social Networking" "Online Storage" "Remote Access Tools" "Shopping" "Auctions" "Real Estate" "Society/Lifestyle" "Sexuality/Alternative Lifestyles" "Restaurants/Dining/Food" "Sports/Recreation/Hobbies" "Travel" "Vehicles" "Humor/Jokes" "Software Downloads" "Pay to Surf" "Peer-to-Peer" "Streaming Media/MP3s" "Proxy Avoidance"...
  • Page 131 Note To provide backward compatibility, all obsolete CLI commands are still accepted, but the ZyWALL 1050 gives warnings and tries to convert them to the new categories. Users of older firmware may experience incorrect website classification, which leads to failures in blocking or forwarding certain websites. It is strongly recommended to use firmware newer than 1.01(XL.0).
  • Page 132: Appendix 6. VRPT 3.0 Support

    Appendix 6. VRPT 3.0 Support VRPT, short for Vantage Report, collects the logs generated by the device and provides a clear and comprehensive report instead of requiring the user to view massive logs. In VRPT 3.0, ZyWALL supports interface statistics, a more detailed traffic log, and IKE logs.
  • Page 133 The user can enable IKE logs in the log category with the following CLI commands. Router(config)# logging system-log category ike level normal Router(config)# logging syslog 1 category ike level normal The user can disable IKE logs in the log category using the following CLI command.
  • Page 134: Appendix 7. Firmware Recovery

    Appendix 7. Firmware Recovery In some rare situations, the ZyWALL might not boot up successfully after a firmware upgrade. The following procedures are the steps to recover the firmware to normal condition. Connect a console cable to the ZyWALL. 1. Restore the Recovery Image If one of the following cases occurs, you need to restore the “recovery image”...
  • Page 135 The startup message displays “Invalid Recovery Image”. The message here could also be “Invalid Firmware”; it is equivalent to “Invalid Recovery Image”. Press any key to enter debug mode. Enter atuk. The console prints warning messages and waits for confirmation.
  • Page 136 The console session might display “ERROR”. Enter atur and use Xmodem to upload the recovery image. Use the Xmodem feature of your terminal emulation software to upload the file. Wait about 3.5 minutes until the Xmodem transfer finishes. Enter atkz -f -l 192.168.1.1 and then atgo. 2.
  • Page 137 Use an FTP client on your computer to connect to the ZyWALL. This example uses the ftp command in the Windows command prompt. The ZyWALL’s FTP server IP address for firmware recovery is 192.168.1.1. Log in without a user name (just press Enter).
  • Page 138 Note that if the process has been performed several times but the problem remains, collect all the console logs and send them to ZyXEL for further analysis. Refer to Step 1 “Restore the Recovery Image”; if a similar case occurs, the process must be performed again.
  • Page 139: Appendix 8. Flash Card Size Recovery

    Appendix 8. Flash Card Size Recovery If you are upgrading the firmware from 1.0x to 2.0x, it is possible for the flash card to be recognized as 128 MB. You can use the CLI command below to check the flash card size.
  • Page 140 www.zyxel.com Appendix 9. AV False Alarm If you found the possibly A... the flash card size is correctly re... flash card size recovery proce... signature updated to device due... recognized, you need to follow b... Do system default dat...
  • Page 141 Use an FTP client on your computer to connect to the ZyWALL. This example uses the ftp command in the Windows command prompt. The ZyWALL’s FTP server IP address for database recovery is 192.168.1.1. Log in without a user name (just press Enter). Set the transfer mode to binary.
  • Page 142 Do AV/IDP signature update After the system default database recovery process, AV/IDP signatures are restored to factory default. You will need to perform a signature update to get the latest signatures. After the flash card size issue and the signature issue have been solved by the above two processes, the AV false alarm should be gone.