• Supporting Disk: Refer to the included CD for support documents.
• ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback
Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
Syntax Conventions
• The ZyWALL 2 Plus may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server DSLAM Firewall Telephone Switch Router ZyWALL 2 Plus User’s Guide...
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. This product is recyclable. Dispose of it properly.
DNS
Remote Management
UPnP
ALG Screen
Logs and Maintenance
Logs Screens
Maintenance
SMT and Troubleshooting
Introducing the SMT
System Information & Diagnosis
Firmware and Configuration File Maintenance
System Maintenance Menus 8 to 10
Remote Management
Call Scheduling
Troubleshooting
Appendices and Index
2.4 Navigating the ZyWALL Web Configurator
2.4.1 Title Bar
2.4.2 Main Window
2.4.3 HOME Screen: Router Mode
2.4.4 HOME Screen: Bridge Mode
2.4.5 Navigation Panel
4.4 How to Manage the ZyWALL’s Bandwidth
4.4.1 Example Parameters and Scenario
4.4.2 Configuring Bandwidth Management Rules
Chapter 5 Registration
5.1 myZyXEL.com overview
5.1.1 Content Filtering Subscription Service
5.2 Registration
5.3 Service
11.6 Asymmetrical Routes
11.6.1 Asymmetrical Routes and IP Alias
11.7 Firewall Default Rule (Router Mode)
11.8 Firewall Default Rule (Bridge Mode)
11.9 Firewall Rule Summary
14.4 Additional IPSec VPN Topics
14.4.1 SA Life Time
14.4.2 IPSec High Availability
14.4.3 Encryption and Authentication Algorithms
14.5 VPN Rules (IKE) Gateway Policy Edit
15.8 My Certificate Import
15.8.1 Certificate File Formats
15.9 My Certificate Create
15.10 Trusted CAs
15.11 Trusted CA Details
15.12 Trusted CA Import
17.5.2 Port Forwarding: Services and Port Numbers
17.5.3 Configuring Servers Behind Port Forwarding (Example)
17.5.4 Port Translation
17.6 Port Forwarding Screen
17.7 Port Triggering
Chapter 18 Static Route
20.6 System Screen
20.6.1 Adding an Address Record
20.6.2 Inserting a Name Server Record
20.7 DNS Cache
20.8 Configure DNS Cache
20.9 Configuring DNS DHCP
22.1 Universal Plug and Play Overview
22.1.1 How Do I Know If I'm Using UPnP?
22.1.2 NAT Traversal
22.1.3 Cautions with UPnP
22.1.4 UPnP and ZyXEL
24.4.1 Viewing Web Site Hits
24.4.2 Viewing Host IP Address
24.4.3 Viewing Protocol/Port
24.4.4 System Reports Specifications
24.5 Log Descriptions
24.6 Syslog Logs
26.5 Resetting the ZyWALL
Chapter 27 SMT Menu 1 - General Setup
27.1 Introduction to General Setup
27.2 Configuring General Setup
27.2.1 Configuring Dynamic DNS
31.3 TCP/IP Setup
31.3.1 IP Address
31.3.2 IP Alias Setup
Chapter 32 Wireless Setup
32.1 TCP/IP Setup
32.1.1 IP Address
32.1.2 IP Alias Setup
36.1.1 Activating the Firewall
Chapter 37 Filter Configuration
37.1 Introduction to Filters
37.1.1 The Filter Structure of the ZyWALL
37.2 Configuring a Filter Set
37.2.1 Configuring a Filter Rule
40.3.3 Example of FTP Commands from the Command Line
40.3.4 GUI-based FTP Clients
40.3.5 File Maintenance Over WAN
40.3.6 Backup Configuration Using TFTP
40.3.7 TFTP Command Example
Call Scheduling
43.1 Introduction to Call Scheduling
Chapter 44 Troubleshooting
44.1 Power, Hardware Connections, and LEDs
44.2 ZyWALL Access and Login
44.3 Internet Access
Appendix I NetBIOS Filter Commands
Appendix J Certificates Commands
Appendix K Brute-Force Password Guessing Protection
Appendix L Boot Commands
Appendix M Legal Information
Appendix N Customer Support
Index
Figure 76 Tutorial Example: Bandwidth Management Class Setup Done
Figure 77 Tutorial Example: Bandwidth Management Monitor
Figure 78 REGISTRATION
Figure 79 REGISTRATION: Registered Device
Figure 80 REGISTRATION > Service
Figure 81 LAN and WAN
Figure 122 Blocking All LAN to WAN IRC Traffic Example
Figure 123 Limited LAN to WAN IRC Traffic Example
Figure 124 Using IP Alias to Solve the Triangle Route Problem
Figure 164 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
Figure 165 Local and Remote Network IP Address Overlap
Figure 166 Virtual Mapping of Local and Remote Network IP Addresses
Figure 167 VPN: Transport and Tunnel Mode Encapsulation
Figure 207 ADVANCED > NAT > Port Forwarding
Figure 208 Trigger Port Forwarding Process: Example
Figure 209 ADVANCED > NAT > Port Triggering
Figure 210 Example of Static Routing Topology
Figure 293 Menu 11.2: Remote Node Profile (Backup ISP)
Figure 294 Menu 11.2.2: Remote Node Network Layer Options
Figure 295 Menu 11.2.3: Remote Node Script
Figure 296 Menu 11.2.4: Remote Node Filter
Figure 335 Menu 4: Internet Access & NAT Example
Figure 336 NAT Example 2
Figure 337 Menu 15.2: Specifying an Inside Server
Figure 338 NAT Example 3
Figure 339 Example 3: Menu 11.1.2
Figure 378 System Maintenance: Backup Configuration
Figure 379 System Maintenance: Starting Xmodem Download Screen
Figure 380 Backup Configuration Example
Figure 381 Successful Backup Confirmation Screen
Figure 382 Telnet into Menu 24.6
Figure 422 Red Hat 9.0: KDE: Network Configuration: Devices
Figure 423 Red Hat 9.0: KDE: Ethernet Device: General
Figure 424 Red Hat 9.0: KDE: Network Configuration: DNS
Figure 425 Red Hat 9.0: KDE: Network Configuration: Activate
Figure 465 Managing the Bandwidth of an IPSec SA
Figure 466 Managing the Bandwidth of an IKE SA
Figure 467 Routing Command Example
Figure 468 Option to Enter Debug Mode
List of Figures
Figure 469 Boot Module Commands
Table 207 System Maintenance: Status Menu Fields
Table 208 Fields in System Maintenance: Information
Table 209 System Maintenance Menu Syslog Parameters
Table 210 System Maintenance Menu Diagnostic
Introduction and Registration
Getting to Know Your ZyWALL
Introducing the Web Configurator
Wizard Setup
Tutorial
Registration
(company network, or your cable or DSL modem for example). Connect computers or servers to the LAN ports for shared Internet access. The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
• SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User’s Guide.
• Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server.
The ZyWALL has a successful 10Mbps Ethernet connection. Flashing The 10M LAN/DMZ/WLAN is sending or receiving packets. Orange The ZyWALL has a successful 100Mbps Ethernet connection. Flashing The 100M LAN/DMZ/WLAN is sending or receiving packets.
The ZyWALL has a successful 10Mbps WAN connection. Flashing The 10M WAN is sending or receiving packets. Orange The ZyWALL has a successful 100Mbps WAN connection. Flashing The 100M WAN is sending or receiving packets.
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
Figure 8 on page 53). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.
5 Release the RESET button and wait for the ZyWALL to finish restarting.
2.3.2 Uploading a Configuration File Via Console Port
1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
DESCRIPTION
Wizards: Click this icon to open one of the web configurator wizards. See Chapter 3 on page 67 for more information.
Help: Click this icon to open the help page for the current screen.
This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model: This is the model name of your ZyWALL.
The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
This is the bootbase version and the date created.
Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table.
Table 5 Bridge and Router Mode Features Comparison
FEATURE | BRIDGE MODE | ROUTER MODE
Internet Access Wizard
VPN Wizard
DHCP Table
System Statistics
Registration
Bridge
Use this screen to change the LAN/DMZ/WLAN port roles.
BRIDGE
Bridge: Use this screen to change the bridge settings on the ZyWALL.
Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
Use this screen to view and manage the list of the trusted CAs.
Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to the trusted remote hosts.
Directory Servers: Use this screen to view and manage the list of the directory servers.
Use this screen to enable UPnP on the ZyWALL.
Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
Use this screen to allow certain applications to pass through the ZyWALL.
Dial backup is not available in bridge mode. For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting.
TxPkts: This is the number of transmitted packets on this port.
This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Remote Network: This field displays IP address (in a range) of computers on the remote network behind the remote IPSec router.
Budget (kbps): This field displays the amount of bandwidth allocated to the bandwidth class.
Current Usage (kbps): This field displays the amount of bandwidth that each bandwidth class is using.
A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Select Dynamic If your ISP did not assign you a fixed IP address. This is the default selection.
Select Static If the ISP assigned a fixed IP address. The fields below are available only when you select Static.
IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
Figure 16 ISP Parameters: PPPoE Encapsulation
Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup.
Figure 18 Internet Access Wizard: Second Screen
Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services such as content filtering. If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION > Service screen.
Click Back to return to the previous screen.
Next: Click Next to continue.
After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish.
Figure 23 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 67) to open the VPN configuration wizard. The first screen displays as shown next.
Click Next to continue.
3.4 VPN Wizard Network Setting
Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel.
Local Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)
Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
Figure 28 VPN Wizard: IKE Tunnel Setting
Click Back to return to the previous screen.
Next: Click Next to continue.
3.6 VPN Wizard IPSec Setting (IKE Phase 2)
Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
3.7 VPN Wizard Status Summary
This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
Figure 30 VPN Wizard: VPN Status
This is the length of time (seconds) before an IKE SA automatically renegotiates.
Pre-Shared Key: This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode: This shows Tunnel mode or Transport mode.
Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.
Figure 31 VPN Wizard Setup Complete
VPN tunnels to the FTP server. Furthermore, you can configure the firewall rule so that only the network behind device B can access the FTP server through a VPN tunnel (not other remote networks that have VPN tunnels with the ZyWALL).
1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon.
Figure 33 SECURITY > VPN > VPN Rules (IKE)
2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
VPN network policy.
• The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers.
(like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions.
4.1.3.1 Firewall Rule to Allow Access Example
Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
Figure 37 SECURITY > FIREWALL > Rule Summary
3 Configure the rule as follows and click Apply. The source addresses are the VPN rule’s remote network and the destination address is the LAN FTP server.
Chapter 4 Tutorial
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow
4 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN
4.2 Using NAT with Multiple Public IP Addresses
This section shows you examples of how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP.
1 Configure the WAN connection to use the first public IP address (1.2.3.4).
2 Configure NAT address mapping for other public IP addresses (1.2.3.5 and 1.2.3.6).
3 Configure NAT port forwarding to forward FTP traffic from the WAN to a specific computer on your local network.
ISP. If your ISP didn’t give you the service name, leave the field blank.
4 In the WAN IP Address Assignment section, select Use Fixed IP Address and enter the first fixed public IP address (1.2.3.4 in this example).
5 Click Apply.
DNS server the ZyWALL can query to resolve domain names.
Figure 44 Tutorial Example: DNS > System
8 Select Public DNS Server and enter the first DNS server’s IP address given by your ISP. Click Apply.
Note: To resolve a domain name, the ZyWALL checks it against the name server record entries in the order that they appear in this list.
Figure 46 Tutorial Example: DNS > System Edit-2
10 The DNS > System screen should look as shown.
11 Go to the Home screen to check your WAN connection status. Make sure the status is not down.
Figure 48 Tutorial Example: Status
4.2.3 Public IP Address Mapping
To have the local computers and servers use specific WAN IP addresses, you need to map static public IP addresses to them.
Note: The ZyWALL applies the rules in the order that you specify. You should put any one-to-one rules before a many-to-one rule.
1 Click ADVANCED > NAT.
2 Enable NAT and select Full Feature as you have multiple public IP addresses to map to private IP addresses. Click Apply.
4 Click the first rule’s Edit icon in the Modify column to display the Address Mapping Rule screen.
Figure 51 Tutorial Example: NAT > Address Mapping
5 Map a public IP address to the web server.
9 Map a public IP address to other outgoing LAN traffic. Select the Many-to-One type and enter 192.168.1.1 as the local start IP address, 192.168.1.254 as the local end IP address and 1.2.3.4 as the global start IP address. Click Apply.
IP address (1.2.3.7) that can be assigned to another internal server when you expand your network.
Figure 55 Tutorial Example: NAT Address Mapping Done
Note: To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.2.5 on page 103 for more information.
Tutorial Example: NAT Address Mapping Edit: Server
3 Click the Port Forwarding tab.
4 Select the Active check box, enter a descriptive name (FTP for example), incoming port number (21) and 192.168.1.39 as the server IP address. Click Apply.
In this example, you create the firewall rules to allow traffic from the WAN to the following servers on the LAN:
• Web server
• Mail server
• FTP server
Figure 59 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer
5 Configure a firewall rule to allow traffic from the WAN to the web server. Enter a descriptive name (W-L_Web for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.12 and click Add.
6 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply.
Figure 63 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server
Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server
8 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply.
9 Click the Insert button to configure a firewall rule to allow FTP traffic from the WAN to the FTP server. Enter a descriptive name (W-L_FTP for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.39 and click Add.
10 Select FTP(TCP:20,21) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply.
Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server
If two users (behind the ZyWALL) want to connect to the same server to play online games at the same time, but the server does not allow more than one login from the same IP address, you can configure a many-to-many rule instead of a many-to-one rule.
When you finish configuration, the screen looks as shown.
Figure 69 Tutorial Example: NAT Address Mapping Done: Game Playing
Note: To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.2.5 on page 103...
4 Select Priority-Based to have the ZyWALL give preference to bandwidth classes with higher priorities.
5 Deselect the Maximize Bandwidth Usage option to reserve bandwidth for traffic that is not defined in a bandwidth class.
6 Click Apply.
VoIP traffic. The higher the number, the higher the priority.
10 Enable this filter and select the SIP service.
11 Leave the IP address and subnet mask fields blank, so that the filter will be applied to any outgoing traffic through the WAN port. Click Apply.
12 Click the Add Sub-Class button to create a rule for FTP traffic as follows. Click Apply.
Figure 74 Tutorial Example: Bandwidth Management Class Setup: FTP
13 Click the Add Sub-Class button to create a rule for WWW traffic as follows. Click Apply.
14 When you are finished, the Class Setup screen looks as shown.
Figure 76 Tutorial Example: Bandwidth Management Class Setup Done
15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface.
Chapter 5 Registration
5.1 myZyXEL.com overview
myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
REGISTRATION > Service screen to extend the service.
Content Filtering 1-month Trial: Select the check box to activate a trial. The trial period starts the day you activate the trial.
PIN number (license key). Click REGISTRATION > Service to open the screen as shown next. If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register, click the Service License Refresh button to update license information.
(specific to your ZyWALL) and enter the new PIN number to extend the service.
Service License Refresh: Click this button to renew service license information (such as the license key, registration status and expiration day).
Figure 81 LAN and WAN
6.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address
Click NETWORK > LAN to open the LAN screen. Use this screen to configure the ZyWALL’s IP address and other LAN TCP/IP settings as well as the built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.
Figure 83 NETWORK > LAN > Static DHCP
The following figure shows a LAN divided into subnets A, B, and C. Figure 84 Physical Network & Partitioned Logical Networks To change your ZyWALL’s IP alias settings, click NETWORK > LAN > IP Alias. The screen appears as shown. ZyWALL 2 Plus User’s Guide...
By default, RIP direction is set to Both and the Version set to RIP-1. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
ZyWALL’s DMZ IP address and MAC address. WLAN Select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and MAC address. ZyWALL 2 Plus User’s Guide...
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 87 Port Roles Change Complete
Chapter 6 LAN Screens ZyWALL 2 Plus User’s Guide...
Figure 88 Bridge Loop: Bridge Connected to Wired LAN. To prevent bridge loops, ensure that your ZyWALL is not set to bridge mode while connected to two wired segments of the same LAN, or that you enable RSTP in the Bridge screen.
STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops. STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed. ZyWALL 2 Plus User’s Guide...
RSTP (Rapid Spanning Tree Protocol) settings. In bridge mode, if you need to let DHCP clients behind the ZyWALL use a DHCP server on the WAN, enable the default WAN to LAN firewall rule for the BOOTP_CLIENT service. ZyWALL 2 Plus User’s Guide...
To change your ZyWALL’s port role settings, click NETWORK > BRIDGE > Port Roles. The screen appears as shown. The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. ZyWALL 2 Plus User’s Guide...
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 91 Port Roles Change Complete
The dial-backup or traffic redirect routes cannot take priority over the WAN routes. 8.3 WAN Route Click NETWORK > WAN to open the Route screen. Use this screen to configure the priorities of the ZyWALL’s routes and settings for Windows Networking traffic. ZyWALL 2 Plus User’s Guide...
WAN and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. For instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number. The screen shown next is for Ethernet encapsulation. ZyWALL 2 Plus User’s Guide...
Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login. Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com.
Enable Multicast Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. ZyWALL 2 Plus User’s Guide...
LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access. The screen shown next is for PPPoE encapsulation. ZyWALL 2 Plus User’s Guide...
Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Enable Multicast Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. ZyWALL 2 Plus User’s Guide...
Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation. ZyWALL 2 Plus User’s Guide...
Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again to make sure that you have entered it correctly.
When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both. ZyWALL 2 Plus User’s Guide...
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. ZyWALL 2 Plus User’s Guide...
Click Reset to begin configuring this screen afresh. 8.10 Configuring Dial Backup Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. ZyWALL 2 Plus User’s Guide...
Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only.
Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. ZyWALL 2 Plus User’s Guide...
ATDP. For ISDN lines, there are many more protocols and operational modes. Please consult the documentation of your TA. You may need additional commands in both Dial and Init strings. ZyWALL 2 Plus User’s Guide...
Click the Edit button in the Dial Backup screen to display the Advanced Setup screen. Consult the manual of your WAN device connected to your dial backup port for specific AT commands. Figure 100 NETWORK > WAN > Dial Backup > Edit ZyWALL 2 Plus User’s Guide...
Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback call. Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
Like the LAN, the ZyWALL can also assign TCP/IP configuration via DHCP to computers connected to the DMZ ports. From the main menu, click NETWORK > DMZ to open the DMZ screen. The screen appears as shown next. ZyWALL 2 Plus User’s Guide...
RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1. ZyWALL 2 Plus User’s Guide...
Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL’s IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown. ZyWALL 2 Plus User’s Guide...
By default, RIP direction is set to Both and the Version set to RIP-1. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
161) and configure the other subnet in the Network > DMZ > IP Alias screen (see Figure 9.4 on page 165) to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses. ZyWALL 2 Plus User’s Guide...
The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the LAN and/or WLAN Port Roles screens. ZyWALL 2 Plus User’s Guide...
Select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and MAC address. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
178) to set a port to be part of the WLAN and connect an access point (AP) to the WLAN interface. Click NETWORK > WLAN to open the WLAN screen to configure the IP address for ZyWALL’s WLAN interface, other TCP/IP and DHCP settings. ZyWALL 2 Plus User’s Guide...
RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1. ZyWALL 2 Plus User’s Guide...
Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
WLAN's logical networks (subnets). Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL’s IP alias settings, click NETWORK > WLAN > IP Alias. The screen appears as shown. ZyWALL 2 Plus User’s Guide...
By default, RIP direction is set to Both and the Version set to RIP-1. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the LAN and DMZ Port Roles screen. ZyWALL 2 Plus User’s Guide...
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 112 NETWORK > WLAN > Port Roles: Change Complete
Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However other traffic initiated from the WAN is blocked (3 and 4). Figure 113 Default Firewall Action ZyWALL 2 Plus User’s Guide...
To set the ZyWALL to by default silently block traffic from the WAN from going to the DMZ interfaces, you would find where the From WAN row and the To DMZ column intersect and set the field to Drop as shown. ZyWALL 2 Plus User’s Guide...
ZyWALL. • LAN to WAN These rules specify which computers on the LAN can access which computers or services connected to the WAN. See Section 11.5 on page for an example. ZyWALL 2 Plus User’s Guide...
LAN computers to go out through any of the ZyWALL’s VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL’s VPN tunnels. ZyWALL 2 Plus User’s Guide...
You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to” interface. ZyWALL 2 Plus User’s Guide...
Figure 118 From VPN to LAN Example In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 119 Block VPN to LAN Traffic by Default Example ZyWALL 2 Plus User’s Guide...
VPN tunnel or the ZyWALL itself. VPN traffic destined for the DMZ is allowed through. Figure 120 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 121 Block VPN to VPN Traffic by Default Example ZyWALL 2 Plus User’s Guide...
You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 122 Blocking All LAN to WAN IRC Traffic Example ZyWALL 2 Plus User’s Guide...
Figure 123 Limited LAN to WAN IRC Traffic Example Your firewall would have the following configuration. Table 49 Limited LAN to WAN IRC Traffic Example DESTINATIO SOURCE SCHEDULE SERVICE ACTION 192.168.1.7 Allow Drop Default Allow ZyWALL 2 Plus User’s Guide...
2 The ZyWALL reroutes the packet to Gateway A, which is in Subnet 2. 3 The reply from the WAN goes to the ZyWALL. 4 The ZyWALL then sends it to the computer on the LAN in Subnet 1. ZyWALL 2 Plus User’s Guide...
Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 125 SECURITY > FIREWALL > Default Rule (Router Mode) ZyWALL 2 Plus User’s Guide...
Select the check box next to a direction of packet travel to create a log when the above action is taken for packets that are traveling in that direction and do not match any of your customized rules. ZyWALL 2 Plus User’s Guide...
Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. See Section 11.1 on page 181 for more information about the firewall. Figure 126 SECURITY > FIREWALL > Default Rule (Bridge Mode)
Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 11.9 Firewall Rule Summary Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. ZyWALL 2 Plus User’s Guide...
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above. ZyWALL 2 Plus User’s Guide...
2 Click Insert to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. See Section 11.1 on page 181 for more information about the firewall.
(No). Go to the Log Settings page and select the Access Control logs category to have the ZyWALL record these logs. Send Alert Message to Administrator When Matched: Select the check box to have the ZyWALL generate an alert when the rule is matched.
ZyWALL hidden from probing attempts. You can specify which of the ZyWALL’s interfaces will respond to Ping requests and whether or not the ZyWALL is to respond to probing for unused ports. Figure 129 SECURITY > FIREWALL > Anti-Probing ZyWALL 2 Plus User’s Guide...
ACK (acknowledgment). After this handshake, a connection is established. Figure 130 Three-Way Handshake For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DOS attack. ZyWALL 2 Plus User’s Guide...
11.12 Threshold Screen Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections. Figure 131 SECURITY > FIREWALL > Threshold ZyWALL 2 Plus User’s Guide...
Deny new connection requests for the number of minutes that you specify (between 1 and 255). Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
This is the index number of the custom service. Service Name This is the name of the service. Protocol This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered. ZyWALL 2 Plus User’s Guide...
Choose the IP protocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop down list box. If you select Custom, specify the protocol’s number. For example, ICMP is 1, TCP is 6, UDP is 17 and so on. ZyWALL 2 Plus User’s Guide...
Figure 134 My Service Firewall Rule Example: Service 2 Configure it as follows and click Apply. Figure 135 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box. ZyWALL 2 Plus User’s Guide...
6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete. 8 Configure the destination address fields as follows and click Add. Figure 137 My Service Firewall Rule Example: Rule Edit ZyWALL 2 Plus User’s Guide...
9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list box and the Rule Summary list box. ZyWALL 2 Plus User’s Guide...
Chapter 11 Firewall Figure 138 My Service Firewall Rule Example: Rule Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. ZyWALL 2 Plus User’s Guide...
Use this screen to enable content filtering, configure a schedule, and create a denial message. You can also choose specific computers to be included in or excluded from the content filtering configuration. ZyWALL 2 Plus User’s Guide...
ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Delete Range Click Delete Range after you select the range of addresses you wish to delete. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
Do the following to view content filtering reports (see Chapter 13 on page 227 for details). 1 Log into myZyXEL.com and click your device’s link to open its Service Management screen.
3 Enter your ZyWALL's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 147 on page 229). Type your myZyXEL.com account password in the Password field. Click Submit. Figure 142 SECURITY > CONTENT FILTER > Categories ZyWALL 2 Plus User’s Guide...
These pages include very profane or vulgar content and pages that are not appropriate for children. Pornography Selecting this category excludes pages that contain sexually explicit material for the purpose of arousing a sexual or prurient interest. ZyWALL 2 Plus User’s Guide...
Hacking encompasses instructions on illegal or questionable tactics, such as creating viruses, distributing cracked or pirated software, or distributing other protected intellectual property. ZyWALL 2 Plus User’s Guide...
Selecting this category excludes pages sponsored by or which provide information on political parties, special interest groups, or any organization that promotes change or reform in public policy, public opinion, social practice, or economic activities. ZyWALL 2 Plus User’s Guide...
Selecting this category excludes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements. Real Estate Selecting this category excludes pages that provide information on renting, buying, or selling real estate or properties. ZyWALL 2 Plus User’s Guide...
ZyWALL’s database of restricted web pages. Test Against Internet Click this button to test whether or not the web site above is saved in the Server external content filter server’s database of restricted web pages. ZyWALL 2 Plus User’s Guide...
You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list. ZyWALL 2 Plus User’s Guide...
Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
12.6.1 Domain Name or IP Address URL Checking By default, the ZyWALL checks the URL’s domain name or IP address when performing keyword blocking. This means that the ZyWALL checks the characters that come before the first slash in the URL. ZyWALL 2 Plus User’s Guide...
12.6.2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/. Use the...
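The two keyword-checking scopes described in 12.6.1 and 12.6.2 can be compared side by side. The following Python sketch is an added example, not ZyXEL code: it models only the "before the first slash" and "before the last slash" rules stated above, and it assumes case-insensitive substring matching, that a scheme prefix is ignored, and that a URL without any slash is checked in full. The sample URLs other than the guide's own are constructed.

```python
def checked_part(url, full_path=False):
    """Return the part of a URL that keyword blocking inspects.

    Default mode: the characters before the first slash (domain name or IP).
    Full path mode: the characters up to the last slash (file name excluded).
    """
    rest = url.split("://", 1)[-1]      # assumption: a scheme prefix is ignored
    if "/" not in rest:
        return rest                      # assumption: no slash, check everything
    if full_path:
        return rest[: rest.rfind("/") + 1]
    return rest[: rest.find("/")]


def keyword_hits(url, keywords, full_path=False):
    """Keywords found in the inspected part (assumed case-insensitive)."""
    part = checked_part(url, full_path).lower()
    return [k for k in keywords if k.lower() in part]


def coverage(urls, keywords):
    """For each URL: (url, blocked in default mode, blocked in full path mode)."""
    return [
        (u, bool(keyword_hits(u, keywords)), bool(keyword_hits(u, keywords, True)))
        for u in urls
    ]


# The first URL is the guide's own example; the other two are constructed.
SAMPLE_URLS = [
    "www.zyxel.com.tw/news/pressroom.php",
    "news.example.com/index.html",
    "www.example.com/files/news.html",
]

if __name__ == "__main__":
    for url, by_domain, by_path in coverage(SAMPLE_URLS, ["news"]):
        print(f"{url:40} domain-mode={by_domain!s:5} full-path-mode={by_path}")
```

The third sample URL carries the keyword only in its file name, so neither of the two scopes described here matches it.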
Remaining Time This is the number of hours left before the URL entry is discarded from the cache. (hour) Modify Click the delete icon to remove the URL entry from the cache. ZyWALL 2 Plus User’s Guide...
You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). 1 Go to http://www.myZyXEL.com. 2 Fill in your myZyXEL.com account information and click Submit. ZyWALL 2 Plus User’s Guide...
Figure 145 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see...
Chapter 13 Content Filtering Reports Figure 147 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 147 on page 229).
Run Report. The screens vary according to the report type you selected in the Report Home screen. 10 A chart and/or list of requested web site categories display in the lower half of the screen.
Figure 151 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
1 Log into the content filtering reports web site (see Section 13.2 on page 227). 2 In the Web Filter Home screen (see Figure 149 on page 230), click Site Submissions to open the Web Page Review Process screen shown next. ZyWALL 2 Plus User’s Guide...
Figure 153 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
The following figure provides one perspective of a VPN tunnel. Figure 154 VPN: Example The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B). ZyWALL 2 Plus User’s Guide...
14.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router In the ZyWALL, you have to specify the IP addresses of the ZyWALL and the remote IPSec router to establish an IKE SA. ZyWALL 2 Plus User’s Guide...
This figure helps explain the main fields in the VPN setup. Figure 157 IPSec Fields Summary Click SECURITY > VPN to display the VPN Rules (IKE) screen. Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use IKE SAs. ZyWALL 2 Plus User’s Guide...
(behind the IPSec routers) can use the VPN tunnel. Remote This is the remote network behind the remote IPsec router. Network Click this icon to display a screen in which you can associate a network policy to a gateway policy. ZyWALL 2 Plus User’s Guide...
Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 14.3.1.1 on page 240 for more information about DH key groups. ZyWALL 2 Plus User’s Guide...
ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist. ZyWALL 2 Plus User’s Guide...
CAs you have set up. Alternatively, if you want to use a specific certificate to authenticate the remote IPSec router, you can use the information in the certificate to specify the peer ID type and ID content. ZyWALL 2 Plus User’s Guide...
ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters). ZyWALL 2 Plus User’s Guide...
• There is traffic when the SA life time expires
• The IPSec SA is configured on the ZyWALL as nailed up (see below)
Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic.
• Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0)
• Should use a WAN connectivity check to this ZyWALL’s WAN IP address
Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. ZyWALL 2 Plus User’s Guide...
WAN IP address or domain name (you cannot set either to 0.0.0.0). Redundant Remote Gateway: Type the WAN IP address or the domain name (up to 31 characters) of the backup IPSec router to use when the ZyWALL cannot connect to the primary remote gateway.
ZyWALL in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. ZyWALL 2 Plus User’s Guide...
5. Regardless of how you configure the ID Type and Content fields, two active IPSec SAs cannot have both the local and remote IP address ranges overlap between rules. Extended Authentication. Enable Extended Authentication: Select this check box to activate extended authentication.
IKE SA, even if they are less secure than the ones you configure for the VPN rule. Clear this to have the ZyWALL use only the configured phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA. ZyWALL 2 Plus User’s Guide...
If you select the VPN rules skip applying to the overlap range of local and remote IP addresses option (see Figure 174 on page 267) and the VPN rule’s local and remote network settings are both 0.0.0.0 (any), no traffic will go through the VPN tunnel. ZyWALL 2 Plus User’s Guide...
• You set ZyWALL B to change the source IP addresses of packets from the remote network Y (192.168.1.2 to 192.168.1.27) to virtual IP addresses 172.21.2.2 to 172.21.2.27 before sending them through the VPN tunnel. ZyWALL 2 Plus User’s Guide...
Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. ZyWALL 2 Plus User’s Guide...
If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. ZyWALL 2 Plus User’s Guide...
A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Figure 168 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ZyWALL 2 Plus User’s Guide...
IP addresses of computers on your local network to other (virtual) IP addresses before sending the packets to the remote IPSec router. This translation hides the source IP addresses of computers in the local network. ZyWALL 2 Plus User’s Guide...
Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL. ZyWALL 2 Plus User’s Guide...
Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
One as the Type and click the Port Forwarding Rules button to open the following screen. Use this screen to configure port forwarding for your VPN tunnels to let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address on the LAN. ZyWALL 2 Plus User’s Guide...
Type your server IP address in this field. Apply Click this button to save these settings. Reset Click this button to begin configuring this screen afresh. Cancel Click this button to return to the VPN-Network Policy -Edit screen without saving your changes. ZyWALL 2 Plus User’s Guide...
When there is a network policy in Recycle Bin, the Recycle Bin gateway policy automatically displays in the VPN Rules (IKE) screen. Apply Click Apply to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen. ZyWALL 2 Plus User’s Guide...
Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. ZyWALL 2 Plus User’s Guide...
Click the delete icon to remove the VPN policy. A window displays asking you to confirm that you want to delete the VPN rule. When a VPN policy is deleted, subsequent policies move up in the page list. Click Add to add a new VPN policy. ZyWALL 2 Plus User’s Guide...
NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa. Select this check box to send NetBIOS packets through the VPN connection. ZyWALL 2 Plus User’s Guide...
LAN IP address when using traffic redirect. The VPN tunnel has to be rebuilt if this IP address changes. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL’s IP address.
In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections.
Click SECURITY > VPN > Global Setting to open the VPN Global Setting screen. Use this screen to change settings that apply to all of your VPN tunnels. Figure 174 SECURITY > VPN > Global Setting
If a VPN rule’s local and remote network settings are both set to 0.0.0.0 (any), no traffic goes through the VPN tunnel if you select this check box. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
14.15.2 Telecommuters Using Unique VPN Rules Example
In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).
Headquarters ZyWALL Rule 1: Local ID Type: IP Peer ID Type: IP Local ID Content: 192.168.2.12 Peer ID Content: 192.168.2.12 Local IP Address: 192.168.2.12 Remote Gateway Address: telecommutera.dydns.org Remote Address 192.168.2.12 Telecommuter B (telecommuterb.dydns.org) Headquarters ZyWALL Rule 2:
VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface. Figure 177 VPN for Remote Management Example
14.17 Hub-and-spoke VPN
Hub-and-spoke VPN connects VPN tunnels to form one secure network.
The following figure shows a basic hub-and-spoke VPN. Branch office A uses one VPN rule to access both the headquarters (HQ) network and branch office B’s network. Branch office B uses one VPN rule to access both the headquarters and branch office A’s networks.
• Local IP address: 192.168.169.0/255.255.255.0
• Remote IP address: 192.168.167.0~192.168.168.255
14.17.3 Hub-and-spoke VPN Requirements and Suggestions
Consider the following when implementing a hub-and-spoke VPN. The local IP addresses configured in the VPN rules cannot overlap
VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. Make sure that your From VPN and To VPN firewall rules do not block the VPN packets.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 180 Certificates on Your Computer
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Use the Trusted Remote Hosts screens to import self-signed certificates from trusted remote hosts. Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address.
You can use this screen to view in-depth certificate information and change the certificate’s name. If it is a self-signed certificate, you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates.
This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates.
Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. MD5 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm.
Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL.
One exception is that you can import a PKCS#12 format certificate without a corresponding certification request since the certificate includes the private key.
• You must remove any spaces from the certificate’s filename before you can import it.
File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
ZyWALL drops trailing spaces. Organization: Type up to 127 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
SCEP enrollment protocol. Type the key that the certification authority gave you. Apply: Click Apply to begin certificate or certification request generation. Cancel: Click Cancel to quit and return to the My Certificates screen.
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The ZyWALL does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh: Click Refresh to display the certification path.
This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
C (Country). It is recommended that each certificate have unique subject information. Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
CA-signed. The ZyWALL is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
This field displays the IP address or domain name of the directory server. Port: This field displays the port number that the directory server uses. Protocol: This field displays the protocol that the directory server uses.
Access Protocol field. You may change the server port number if needed; however, you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to quit configuring this screen and return to the Directory Servers screen. At the time of writing, LDAP is the only choice of directory server access protocol.
RADIUS is a simple package exchange in which the ZyWALL acts as a message relay between the client and the network RADIUS server.
16.1.3 Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the ZyWALL and the RADIUS server for user authentication:
• Access-Request
ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this screen to change your ZyWALL’s list of user profiles.
Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
Enter the IP address of the external accounting server in dotted decimal notation. Port Number: The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
The key is not sent over the network. This key must be the same on the external accounting server and ZyWALL. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
This refers to the host on the WAN. Local: This refers to the packet address (source or destination) as the packet travels on the LAN. Global: This refers to the packet address (source or destination) as the packet travels on the WAN.
Internet. The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this. Figure 199 How NAT Works
ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.
• Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option).
• Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don’t configure NAT mapping rules to those computers with public IP addresses on the DMZ.
17.3 NAT Overview Screen
Click ADVANCED > NAT to open the NAT Overview screen.
ZyWALL. The second number shows the maximum number of trigger port rules that can be configured on the ZyWALL. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. Figure 203 ADVANCED > NAT > Address Mapping
One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.
80, but sends it to server B (IP address 192.168.1.34). In this example, anyone wanting to access server A from the Internet must use port 8080. Anyone wanting to access server B from the Internet must use port 8100. Figure 206 Port Translation Example
The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard. Figure 207 ADVANCED > NAT > Port Forwarding
LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application. For example:
TCP/IP (Transmission Control Protocol/Internet Protocol). Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your ZyWALL’s trigger port settings. Figure 209 ADVANCED > NAT > Port Triggering
Type a port number or the ending port number in a range of port numbers. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
The first static route entry is for the default WAN route. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
18.2.1 IP Static Route Edit
Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.
Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts. Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
View your configured bandwidth classes and sub-classes in the Class Setup screen (see Section 19.12 on page 336 for details). The total of the configured bandwidth budgets for sub-classes cannot exceed the configured bandwidth budget speed of the parent class.
Table 100 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A FROM SUBNET B VoIP 64 Kbps 64 Kbps 64 Kbps 64 Kbps 64 Kbps 64 Kbps E-mail 64 Kbps 64 Kbps Video 64 Kbps 64 Kbps
1 Leave some of the interface’s bandwidth unbudgeted.
2 Do not enable the interface’s Maximize Bandwidth Usage option.
3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 19.8 on page 333).
• Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.
The ZyWALL uses the scheduler to divide a parent class’s unused bandwidth among the sub-classes.
19.8.1 Bandwidth Borrowing Example
Here is an example of bandwidth management with classes configured for bandwidth borrowing. The classes are set up based on departments and individuals within certain departments.
You can also set this number lower than the interface’s actual transmission speed. If you do not enable Maximize Bandwidth Usage, this will cause the ZyWALL to not use some of the interface’s available bandwidth.
To add or delete child classes on an interface, click ADVANCED > BW MGMT > Class Setup. The screen is shown here with example classes. Figure 215 ADVANCED > BW MGMT > Class Setup
Summary screen to enable bandwidth management on an interface before you can configure classes for that interface. Click ADVANCED > BW MGMT > Class Setup > Add Sub-Class or Edit to open the following screen. Use this screen to add a child class.
You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
Source Port Enter the starting and ending destination port numbers. Enter the same port number in both fields to specify a single port number. See the following table for some common services and port numbers.
Click ADVANCED > BW MGMT > Class Setup > Statistics to open the Bandwidth Management Statistics screen. This screen displays the selected bandwidth class’s bandwidth usage and allotments. Figure 217 ADVANCED > BW MGMT > Class Setup > Statistics
19.13 Monitor Bandwidth Manager
Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device’s bandwidth usage and allotments. Figure 218 ADVANCED > BW MGMT > Monitor
A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
2 Use the DNS DHCP screen to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN, DMZ or WLAN.
3 Use the REMOTE MGMT DNS screen to configure the ZyWALL (in router mode) to accept or discard DNS queries.
An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
VPN host must use IP addresses to access the computers on the remote private network.
20.6 System Screen
Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL’s DNS address and name server records. Figure 220 ADVANCED > DNS > System DNS
(FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain. IP Address: If this entry is for the WAN port on the ZyWALL, select WAN Interface.
For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Leave this field blank if all domain zones are served by the specified DNS server(s).
Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients. Figure 224 ADVANCED > DNS > DHCP
The Dynamic DNS service provider will give you a password or key. You must go to the Dynamic DNS service provider’s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL.
Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. Password: Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. My Domain Names
IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
WWW screen). Authenticate Client Certificates is optional and, if selected, means the SSL client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL. Please refer to the following figure.
ZyWALL blocks all HTTP connection attempts.
21.3 WWW Configuration
Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to configure the ZyWALL’s HTTP and HTTPS management settings. Figure 228 ADVANCED > REMOTE MGMT > WWW
If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access.
Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client.
HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
• Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
Figure 232 Example: Lock Denoting a Secure Connection Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
Certificates screen. You will see information similar to that shown in the following figure. Figure 234 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 235 Common ZyWALL Certificate
ZyWALL for a management session. Figure 236 SSH Communication Over the WAN Example
21.6 How SSH Works
The following table summarizes how a secure connection is established between two remote hosts. Figure 237 How SSH Works
1 Host Identification
ZyWALL over SSH.
21.8 Configuring SSH
Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
ZyWALL.
2 Configure the SSH client to accept connection using SSH version 1.
3 A window displays prompting you to store the host key in your computer. Click Yes to continue.
ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type “yes” and press [ENTER]. Then enter the password to log in to the ZyWALL.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:
sftp> put firmware.bin ras
Uploading firmware.bin to /ras
Read from remote host 192.168.1.1: Connection reset by peer
Connection closed
Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply: Click Apply to save your customized settings and exit this screen. Reset: Click Reset to begin configuring this screen afresh.
Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply: Click Apply to save your customized settings. Reset: Click Reset to begin configuring this screen afresh.
Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
A trap is sent with the message of the fatal code if the system reboots because of fatal errors.
21.14.3 REMOTE MANAGEMENT: SNMP
To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown.
Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply: Click Apply to save your customized settings. Reset: Click Reset to begin configuring this screen afresh.
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not configure the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
Vantage CNM server. Refresh: Click Refresh to update the registration status and last registration time. Vantage CNM Setup. Enable: Select this check box to allow Vantage CNM to manage your ZyWALL.
Vantage CNM Server Address: If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP address of the Vantage server.
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
22.1.4 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).
This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255.255.255.255 for UDP mappings.
Click Apply to save your changes back to the ZyWALL. Refresh: Click Refresh to update the screen’s table.
22.4 Installing UPnP in Windows Example
This section shows how to install UPnP in Windows Me and Windows XP.
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
22.5.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
Chapter 22 UPnP 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device. ZyWALL 2 Plus User’s Guide...
ZyWALL determines from its inspection of the data payload of the application’s packets. The firewall rule is automatically deleted after the application’s traffic has gone through. ZyWALL 2 Plus User’s Guide...
H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 251 H.323 ALG Example • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. ZyWALL 2 Plus User’s Guide...
• The SIP ALG allows UDP packets with a port 5060 destination to pass through. • The ZyWALL allows SIP audio connections. The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server (S). Figure 252 SIP ALG Example ZyWALL 2 Plus User’s Guide...
ALGs off or on and set the SIP timeout. If the ZyWALL provides an ALG for a service, you must enable the ALG in order to perform bandwidth management on that service’s traffic. Figure 253 ADVANCED > ALG ZyWALL 2 Plus User’s Guide...
ZyWALL SIP timeout (default 60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period. Enter the SIP signaling session timeout value. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User’s Guide...
Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Figure 254 LOGS > View Log ZyWALL 2 Plus User’s Guide...
The log was generated due to a NetBIOS packet sent from IP address 172.21.4.187 port 137. destination The NetBIOS packet was sent to the 172.21.255.255 subnet port 137. This was a NetBIOS UDP broadcast packet meant to discover devices on the network. ZyWALL 2 Plus User’s Guide...
Follow the steps below to download the certificate from myZyXEL.com. 1 Go to http://www.myZyXEL.com and log in with your account. 2 Click Download Center and then Certificate Download. Figure 255 myZyXEL.com: Download Center 3 Click the link in the Certificate Download screen. ZyWALL 2 Plus User’s Guide...
Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent. ZyWALL 2 Plus User’s Guide...
Refer to the documentation of your syslog program for more details. Active Log and Alert Select the categories of logs that you want to record. Logs include alerts. ZyWALL 2 Plus User’s Guide...
HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate. Click LOGS > Reports to display the following screen. ZyWALL 2 Plus User’s Guide...
IP addresses.
Refresh: Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen.
Flush: Click Flush to discard the old report data and update the report display.
ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 136 on page 406).
Starting Connectivity Monitor
LOG MESSAGE: Time initialized by Daytime Server
DESCRIPTION: The router got the time and date from the Daytime server.
LOG MESSAGE: Time initialized by Time server
DESCRIPTION: The router got the time and date from the time server.
The myZyXEL.com service registration failed due to the error listed. If you are unable to register for services at myZYXEL.com, the error message displayed in this log may be useful when contacting customer support.
LOG MESSAGE: Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]
DESCRIPTION: A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.
LOG MESSAGE: Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>
DESCRIPTION: (denoted by its number) and was blocked or forwarded according to the rule.
LOG MESSAGE: Triangle route packet forwarded: ICMP
DESCRIPTION: The firewall allowed a triangle route session to pass through.
LOG MESSAGE: ppp:LCP Closing
DESCRIPTION: The PPP connection’s Link Control Protocol stage is closing.
LOG MESSAGE: ppp:IPCP Closing
DESCRIPTION: The PPP connection’s Internet Protocol Control Protocol stage is closing.
Table 145 UPnP Logs
LOG MESSAGE: UPnP pass through Firewall
DESCRIPTION: UPnP packets can pass through the firewall.
ICMP (type:%d, code:%d)
LOG MESSAGE: land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
DESCRIPTION: The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
LOG MESSAGE: land ICMP (type:%d, code:%d)
DESCRIPTION: The firewall detected an ICMP land attack.
IP address. It may be a bounce attack.
LOG MESSAGE: Fragment packet size is smaller than the MTU size of output interface.
DESCRIPTION: The fragment packet size is smaller than the MTU size of output interface.
LOG MESSAGE: Rule [%s] sends an echo request to peer
DESCRIPTION: The device sent a ping packet to check the specified VPN tunnel's connectivity.
LOG MESSAGE: Rule [%s] receives an echo reply from peer
DESCRIPTION: The device received a ping response when checking the specified VPN tunnel's connectivity.
Mode request from <IP>
LOG MESSAGE: Send <Main or Aggressive> Mode request to <IP>
DESCRIPTION: The router started negotiation with the peer.
LOG MESSAGE: Invalid IP <Peer local> / <Peer local>
DESCRIPTION: The peer’s “Local IP Address” is invalid.
LOG MESSAGE: Rule [%d] Phase 2 protocol mismatch
DESCRIPTION: the router and the peer.
LOG MESSAGE: Rule [%d] Phase 2 encryption algorithm mismatch
DESCRIPTION: The listed rule’s IKE phase 2 encryption algorithm did not match between the router and the peer.
LOG MESSAGE: Remote Gateway Addr has changed, tunnel [%s] will be deleted
DESCRIPTION: gateway’s IP address changed.
LOG MESSAGE: My ZyWALL Addr has changed, tunnel [%s] will be deleted
DESCRIPTION: The listed tunnel will be deleted because the ZyWALL’s IP address changed.
LOG MESSAGE: cert not trusted: <subject name>
DESCRIPTION: The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 152 on page 418 for the corresponding descriptions of the codes.
ACL set for packets traveling from the DMZ to the WAN.
(W to D) WAN to DMZ: ACL set for packets traveling from the WAN to the DMZ.
(L to D) LAN to DMZ: ACL set for packets traveling from the LAN to the DMZ.
Redirect
Redirect datagrams for the Network
Redirect datagrams for the Host
Redirect datagrams for the Type of Service and Network
Redirect datagrams for the Type of Service and Host
Echo
Echo message
Time Exceeded
LOG MESSAGE: Check signature version - %s.
DESCRIPTION: The device attempted to check for the latest available signature version. %s gives details. Either the check was unsuccessful due to the server being busy or the device is already using the latest available firmware.
LOG MESSAGE: Update the signature file successfully.
DESCRIPTION: The device updated the signature file successfully.
LOG MESSAGE: Mail From:Email address Subject:Mail Subject!
DESCRIPTION: external database query failed.
LOG MESSAGE: Remove rating server [%Rating Server IP Address%] from server list!
DESCRIPTION: The listed server IP address has been removed from the list of anti-spam external database servers.
LOG MESSAGE: Mail From:Email address Subject:Mail Subject!
DESCRIPTION: This is the source and subject of an e-mail for which there was no HTTP session and no internal timer mechanism available for queuing the external database.
ob="0|1" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="Anti Virus" encode="< uu | b64 >"
The "encode" message indicates the mail attachments encoding method. The definition of messages and notes are defined in the Anti-Virus log descriptions.
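The key="value" fields in the Anti Virus log format above can be checked before the records reach a log store. The following Python sketch is an added example, not ZyXEL code; it uses only the field names visible in that fragment, the sample lines are constructed, and accepting MAC addresses with or without separators is an assumption.

```python
import re

# Constructed sample records (not captured from a device). They use only the
# field names shown in the log format above; every value is made up.
SAMPLE_OK = ('ob="0" ob_mac="00:13:49:00:00:01" msg="constructed message" '
             'note="constructed note" devID="001349000001" '
             'cat="Anti Virus" encode="b64"')
SAMPLE_BAD = ('ob="2" ob_mac="not-a-mac" msg="constructed message" '
              'devID="001349000001" cat="Anti Virus" '
              'encode="zip" encode="uu"')

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumption: MACs may arrive as 12 hex digits with optional ':' or '-'.
MAC_RE = re.compile(r'(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}')

REQUIRED = ("ob", "ob_mac", "msg", "note", "devID", "cat", "encode")
ALLOWED = {"ob": {"0", "1"}, "encode": {"uu", "b64"}, "cat": {"Anti Virus"}}
MAC_FIELDS = ("ob_mac", "devID")


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    if not MAC_RE.fullmatch(value):
        return None
    return re.sub(r"[:-]", "", value).lower()


def parse_av_record(text):
    """Parse one record; return (fields, problems).

    The first occurrence of a field wins and a repeat is reported, so a
    second copy smuggled in later on the line cannot silently replace it.
    """
    fields, problems = {}, []
    for key, value in PAIR_RE.findall(text):
        if key in fields:
            problems.append("duplicate field: " + key)
            continue
        fields[key] = value.strip()
    for key in REQUIRED:
        if key not in fields:
            problems.append("missing field: " + key)
    for key, allowed in ALLOWED.items():
        if key in fields and fields[key] not in allowed:
            problems.append("unexpected value for %s: %r" % (key, fields[key]))
    for key in MAC_FIELDS:
        if key in fields:
            mac = normalize_mac(fields[key])
            if mac is None:
                problems.append("malformed MAC in " + key)
            else:
                fields[key] = mac
    return fields, problems


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        record, issues = parse_av_record(sample)
        print(record.get("encode"), issues)
```

Records that come back with a non-empty problem list are better quarantined for review than indexed as normal Anti Virus events.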
RFC for detailed information on each type.
Table 159 RFC-2408 ISAKMP Payload Types
LOG DISPLAY: PAYLOAD TYPE
Security Association
PROP: Proposal
TRANS: Transform
Key Exchange
Identification
Certificate
CER_REQ: Certificate Request
HASH: Hash
Signature
NONCE: Nonce
NOTFY: Notification
Delete
Vendor ID
Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name.
25.2.1 General Setup
Click MAINTENANCE to open the General screen. Use this screen to configure administrative and system-related information.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
25.3 Configuring Password
Click MAINTENANCE > Password to open the following screen. Use this screen to change the ZyWALL’s management password.
ZyWALL. To change your ZyWALL’s time and date, click MAINTENANCE > Time and Date. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on your local time zone.
When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
When the System Time and Date Synchronization in Process screen appears, wait up to one minute.
Figure 265 Synchronization in Process
Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
The bridge gradually builds a host MAC-address-to-port mapping table such as in the following example, during the learning process.
Table 163 MAC-address-to-port Mapping Table
HOST MAC ADDRESS, PORT
00a0c5123456 00a0c5123478 (host A) 1 00a0c512349a 00a0c51234bc 00a0c51234de
ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the IP Address field to access the ZyWALL again.
Reset: Click Reset to begin configuring this screen afresh.
Current Device Mode
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge.
Device Mode Setup
Router: Select this radio button and click Apply to set the ZyWALL to router mode.
Click Reset to begin configuring this screen afresh.
25.10 F/W Upload Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again.
Figure 271 Firmware Upload In Process
The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
25.11 Backup and Restore
Section 40.5 on page 557 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Upload: Click Upload to begin the upload process.
Do not turn off the ZyWALL while configuration file upload is in progress.
Figure 277 Configuration Upload Error
25.11.3 Back to Factory Defaults
Click the Reset button to clear all user-entered configuration information and return the ZyWALL to its factory defaults as shown on the screen. The following warning screen appears.
Click MAINTENANCE > Restart. Click Restart to have the ZyWALL reboot. Restart is different to reset; (see Section 25.11.3 on page 441) reset returns the device to its default configuration.
Figure 279 MAINTENANCE > Restart
• No parity, 8 data bits, 1 stop bit, flow control set to none.
26.2.1 Initial Screen
When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next.
26.3.1 Main Menu
After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next.
Figure 282 Main Menu (Router Mode)
Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
ZyWALL 2 Plus Main Menu
Getting Started    Advanced Management
1.
Figure 283 Main Menu (Bridge Mode)
Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
ZyWALL 2 Plus Main Menu
Getting Started    Advanced Management
1. General Setup    21. Filter and Firewall Setup
22. SNMP Configuration
23. System Password
24.
Enter here to CONFIRM or ESC to CANCEL:
2 Type your existing password and press [ENTER].
3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER].
Note that as you type a password, the screen displays an “x” for each character you type.
26.5 Resetting the ZyWALL
Section 2.3 on page 51 for directions on resetting the ZyWALL.
The domain name entered by you is given priority over the ISP assigned domain name. If you want to clear this field just press [SPACE BAR] and then [ENTER].
MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
3 Press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS.
4 Press [SPACE BAR] and then [ENTER] to select Yes in the Edit Host field. Press [ENTER] to display Menu 1.1.1 - DDNS Host Summary.
5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DDNS Edit Host (see the next figure).
Defined
Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyWALL uses or is behind a static public IP address.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
Menu 2 - WAN Setup
MAC Address:
Assigned By= Factory default
IP Address= N/A
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= No
Press ENTER to Confirm or ESC to Cancel:
3 Menu 11.2 - Remote Node Profile (Backup ISP) as shown next
Refer also to the section about traffic redirect for information on an alternate backup WAN connection.
28.4 Configuring Dial Backup in Menu 2
From the main menu, enter 2 to open menu 2.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
28.5 Advanced WAN Setup
Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication.
Called Id: Enter the keyword preceding the dialed number.
Speed: Enter the keyword preceding the connection speed.
Pri Phone #= 0
Schedules=
Sec Phone #=
Always On= No
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Press ENTER to Confirm or ESC to Cancel:
PPP connection. This option only applies when the ZyWALL initiates the call. Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
“PPP...” but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after sending your password to the server.
You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. Please refer to Chapter 37 on page 519 for more information on defining the filters.
This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next. Not all fields are available on all models.
Client IP Pool:
Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Size of Client IP Pool: This field specifies the size, or count of the IP address pool.
[SPACE BAR] to select Yes and then press [ENTER] to display menu 3.2.1 When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
Retype to Confirm= N/A
Login Server= N/A
Relogin Every (min)=
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
Network Address Translation feature. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server.
30.4 Configuring the PPPoE Client
If you enable PPPoE in menu 4, you will see the next screen.
You may deactivate the firewall in menu 21.2 or via the ZyWALL embedded web configurator. You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so. See the chapters on firewall for more information on the firewall.
Figure 306 Menu 5.1: DMZ Port Filter Setup
Menu 5.1 - DMZ Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:
The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 29.4 on page 470 for information on how to configure these fields.
RIP Direction= N/A
Version= N/A
Incoming protocol filters= N/A
Outgoing protocol filters= N/A
Enter here to CONFIRM or ESC to CANCEL:
Refer to Table 185 on page 473 for instructions on configuring IP alias parameters.
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
From menu 7, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 7.2 - TCP/IP and DHCP Ethernet Setup as shown next.
You must use menu 7.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Pressing [ENTER] opens Menu 7.2.1 - IP Alias Setup, as shown next.
IP Alias 2= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
Enter here to CONFIRM or ESC to CANCEL:
Refer to Table 185 on page 473 for instructions on configuring IP alias parameters.
Menu 11 - Remote Node Setup
1. ChangeMe (ISP, SUA)
2. -Dial (BACKUP_ISP, SUA)
Enter Node # to Edit:
33.3 Remote Node Profile Setup
The following explains how to configure the remote node profile menu.
Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen.
Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 189 on page 488.
ZyWALL automatically disconnects the PPPoE connection. This option only applies when the ZyWALL initiates the call.
33.3.3 PPTP Encapsulation
If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen.
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.1.2 - Remote Node Network Layer Options. Not all fields are available on all models.
One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many-One-to-One and Server. When you select Full Feature you must configure at least one address mapping set. Chapter 17 on page 309 for a full discussion on this feature.
This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.2 on page 141). The smaller the number, the higher priority the route has.
Fail Tolerance field. When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to save your configuration, or press [ESC] at any time to cancel.
4. ________
5. ________
6. ________
7. ________
8. ________
9. ________
10. ________
11. ________
12. ________
Enter selection number:
Now, enter the index number of the static route that you want to configure.
If No, the route to this remote node will be propagated to other hosts through RIP broadcasts. Once you have completed filling in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel.
You apply NAT via menus 4 or 11.1.2 as displayed next. The next figure shows you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup.
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
Metric= 1
Private= N/A
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets.
35.2.1 Address Mapping Sets
Enter 1 to bring up Menu 15.1 - Address Mapping Sets.
Global Start IP    Global End IP    Type
--------------- --------------- --------------- ---------------
0.0.0.0    255.255.255.255    0.0.0.0    0.0.0.0    Server
Press ENTER to Confirm or ESC to Cancel:
The following table explains the fields in this menu. Menu 15.1.255 is read-only.
Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The entire set will be deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen.
None disables the Select Rule item.
Select Rule: When you choose Edit, Insert Before or Delete in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question.
Enter the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global IP Start. Note that Global IP Start can be set to 0.0.0.0 only if the types are Many-to-One or Server.
3 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x - NAT Server Configuration (see the next figure).
FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33.
6 Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.
The following are some examples of NAT configuration.
35.4.1 Internet Access Only
In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Translation field. This is the Many-to-One mapping discussed in Section 35.4 on page 508. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.1.2 is specifically pre-configured to handle this case.
IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional as follows.
1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= SUA Only
Metric= 2
Private=
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
Now configure the IGA3 to map to our web server and mail server on the LAN.
1 Enter 15 from the main menu.
2 Enter 2 to go to menu 15.2 and configure it as shown in Figure 342 on page 513.
Figure 343 NAT Example 4
Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-One-to-One mapping types.
Set Name= Example4
Local Start IP    Local End IP    Global Start IP    Global End IP    Type
--------------- --------------- --------------- ---------------
192.168.1.10    192.168.1.12    10.132.50.1    10.132.50.3    M-1-1
Action= Edit
Select Rule=
Press ENTER to Confirm or ESC to Cancel:
LAN can’t trigger it. Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports and configure trigger port rules for the WAN port.
Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configurator to configure firewall rules.
Active: Yes
You can use the Web Configurator to configure the firewall.
Press ENTER to Confirm or ESC to Cancel:
Configure the firewall rules using the web configurator or CLI commands.
Figure 349 Outgoing Packet Filtering Process
For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule. See also Figure 355 on page 526 for the logic flow when executing an IP filter.
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
3 Select the filter set you wish to configure (1-12) and press [ENTER].
4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
“N” means to check the next rule. The protocol dependent filter rules abbreviation are listed as follows:
Table 202 Rule Abbreviations Used
ABBREVIATION: DESCRIPTION
Protocol
Source Address
Source Port number
Destination Address
Destination Port number
Source: IP Addr=
IP Mask=
Port #=
Port # Comp= None
TCP Estab= N/A
More= No
Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
When you have Menu 21.1.1.1 - TCP/IP Filter Rule configured, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.
The following figure illustrates the logic flow of an IP filter.
Figure 355 Executing an IP Filter
If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary.
6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren’t in this example).
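The rule evaluation described in this chapter (More, Action Matched, Action Not Matched, up to four sets of six rules per port) can be modelled offline to check a rule design before typing it into the SMT. This Python sketch is an added example, not ZyXEL code. Assumptions: a More=Yes rule that fails makes its whole chain count as not matched, a packet that runs out of rules is forwarded, and the ports and networks used are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"
MAX_SETS_PER_PORT = 4   # from the page: up to four filter sets per port
MAX_RULES_PER_SET = 6   # from the page: up to six rules per filter set


@dataclass
class Rule:
    protocol: int = 0            # IP protocol number, 0 = any (6 = TCP)
    src_net: str = "0.0.0.0/0"   # source IP Addr and IP Mask as one CIDR
    dst_port: int = 0            # destination port, 0 = any
    more: bool = False           # More= Yes/No
    matched: str = NEXT          # Action Matched
    not_matched: str = NEXT      # Action Not Matched

    def matches(self, pkt):
        return (self.protocol in (0, pkt["protocol"])
                and ip_address(pkt["src"]) in ip_network(self.src_net)
                and self.dst_port in (0, pkt["dst_port"]))


def run_filters(filter_sets, pkt):
    """Return FORWARD or DROP for pkt given the sets applied to one port."""
    if len(filter_sets) > MAX_SETS_PER_PORT:
        raise ValueError("more than four filter sets on one port")
    if any(len(rules) > MAX_RULES_PER_SET for rules in filter_sets):
        raise ValueError("more than six rules in one filter set")
    chain_ok = True  # every More=Yes rule of the current chain matched so far
    for rule in (r for rules in filter_sets for r in rules):
        hit = chain_ok and rule.matches(pkt)
        if rule.more:
            # More=Yes: no action yet, the next rule continues the test.
            # Assumption: one failed link makes the whole chain a non-match.
            chain_ok = hit
            continue
        chain_ok = True
        action = rule.matched if hit else rule.not_matched
        if action != NEXT:
            return action  # Drop or Forward ends evaluation immediately
    return FORWARD  # assumption: nothing decided, so the packet is forwarded


# Constructed rule sets. TELNET_SET mirrors the page's single-rule example
# (m = D, n = F); matching on TCP port 23 is a constructed value.
TELNET_SET = [Rule(protocol=6, dst_port=23, matched=DROP, not_matched=FORWARD)]
# Two rules joined by More=Yes: TCP port 21 from 192.168.1.0/24 is dropped.
CHAIN_SET = [Rule(src_net="192.168.1.0/24", more=True),
             Rule(protocol=6, dst_port=21, matched=DROP, not_matched=NEXT)]

if __name__ == "__main__":
    ftp = {"protocol": 6, "src": "192.168.1.33", "dst_port": 21}
    print(run_filters([CHAIN_SET, TELNET_SET], ftp))  # chain decides first
    print(run_filters([TELNET_SET, CHAIN_SET], ftp))  # n = F ends it early
```

Order matters: with TELNET_SET first, its Action Not Matched= Forward ends evaluation, so the FTP chain behind it is never consulted.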
• Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. • Packet filtering only checks the header portion of an IP packet. ZyWALL 2 Plus User’s Guide...
37.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. ZyWALL 2 Plus User’s Guide...
A blank (default) field means your ZyWALL will respond to all SNMP messages it receives, regardless of source. Trap Community Type the Trap community, which is the password sent with each trap to the SNMP manager. ZyWALL 2 Plus User’s Guide...
(for example, download new files, CI command "sys reboot", etc.). For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors. ZyWALL 2 Plus User’s Guide...
To get to the System Status: 1 Enter number 24 to go to Menu 24 - System Maintenance. 2 In this menu, enter 1 to open System Maintenance - Status. ZyWALL 2 Plus User’s Guide...
This is the MAC address of the port listed on the left. IP Address This is the IP address of the port listed on the left. IP Mask This is the IP mask of the port listed on the left. ZyWALL 2 Plus User’s Guide...
Menu 24.2.1 - System Maintenance - Information
Name: zy2.zyxel.com
Routing: IP
ZyNOS F/W Version: V4.01(XU.0)b1 | 08/08/2006
Country Code: 255
Ethernet Address: 00:13:49:00:00:01
IP Address: 192.168.1.1
IP Mask: 255.255.255.0
DHCP: Server
Press ESC or RETURN to Exit:
Name= xxx.baboo.mickey.com
Routing: Refers to the routing protocol used.
ZyNOS F/W Version: Refers to the version of ZyXEL's Network Operating System software.
Country Code: Refers to the country code of the firmware.
Ethernet Address: Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL.
Figure 372 Menu 24.3.2: System Maintenance: Syslog Logging
Menu 24.3.2 - System Maintenance - Syslog Logging
Syslog:
Active= No
Syslog Server IP Address= 0.0.0.0
Log Facility= Local 1
Press ENTER to Confirm or ESC to Cancel:
Follow the procedure below to get to Menu 24.4 - System Maintenance - Diagnostic.
1 From the main menu, select option 24 to open Menu 24 - System Maintenance.
2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
WAN. Enter its IP address in the Host IP Address field below.
WAN DHCP Release: Enter 2 to release your WAN DHCP settings.
WAN DHCP Renewal: Enter 3 to renew your WAN DHCP settings.
If you entered 1 in the Enter Menu Selection Number field, then enter the IP address of the computer you want to ping in this field.
Enter the number of the selection you would like to perform or press [ESC] to cancel.
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing.
Please note that the terms “download” and “upload” are relative to the computer. Download means to transfer from the ZyWALL to the computer, while upload means from your computer to the ZyWALL.
40.3.1 Backup Configuration
Follow the instructions as shown in the next screen.
6 Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions.
7 Enter “quit” to exit the ftp prompt.
4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
5 You have an SMT console session running.
Use “Send” to upload the file to the ZyWALL and “Fetch” to back up the file on your computer.
Local File: Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer.
Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive.
4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
For details on FTP commands, please consult the documentation of your FTP client program. For details on restoring using TFTP (note that you must remain on this menu to restore using TFTP), please see your router manual.
Press ENTER to Exit:
2 The following screen indicates that the Xmodem download has started.
Figure 385 System Maintenance: Starting Xmodem Download Screen
Starting XMODEM download (CRC mode) ...CCCCCCCCC
3 Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen.
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the ZyWALL, you will see the following screens for uploading firmware and the configuration file using FTP.
FTP client program. For details on uploading configuration file using TFTP (note that you must remain on this menu to upload configuration file using TFTP), please see your manual.
Press ENTER to Exit:
To upload the firmware and the configuration file, follow these examples
1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
40.5.8 Uploading Firmware File Via Console Port
1 Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
40.5.10 Uploading Configuration File Via Console Port
1 Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen.
40.5.11 Example Xmodem Configuration Upload Using HyperTerminal
Click Transfer, then Send File to display the following screen.
Figure 394 Example Xmodem Upload
After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance.
A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
Figure 396 Valid Commands
Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
ras> ?
Valid commands are:...
24.9 - System Maintenance - Call Control to bring up the following menu.
Figure 398 Budget Management
Menu 24.9.1 - Budget Management
Remote Node    Connection Time/Total Budget    Elapsed Time/Total Period
1.ChangeMe     No Budget                       No Budget
2.Dial         No Budget                       No Budget
Reset Node (0 to update screen):
Enter Entry to Delete(0 to exit):
The following table describes the fields in this screen.
Table 216 Call History
FIELD DESCRIPTION
Phone Number: The PPPoE service names are shown here.
This shows whether the call was incoming or outgoing.
Enter Menu Selection Number:
Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings. If you use daylight savings time, then choose Yes.
GMT or UTC (GMT+1). Once you have filled in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel” to save your configuration, or press [ESC] to cancel.
You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces. To disable remote management of a service, select Disable in the corresponding Access field. Enter 11 from menu 24 to bring up Menu 24.11 - Remote Management Control.
Press [SPACE BAR] and then [ENTER] to select the certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
5 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
6 There is a firewall rule that blocks it.
Set 2 will take precedence over set 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node.
Enter the start date when you wish the set to take effect in year-month-date format. Valid dates are from the present to 2036-February-5.
Once: Date
If you selected Once in the How Often field above, then enter the date the set should activate here in year-month-date format.
Weekdays:
Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:
You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s).
Authen= CHAP/PAP PPTP: Session Options: My IP Addr= Edit Filter Sets= No My IP Mask= Idle Timeout(sec)= 100 Server IP Addr= Connection ID/Name= Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:
Chapter 44 Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• ZyWALL Access and Login
• Internet Access
•...
44.2 ZyWALL Access and Login
I forgot the IP address for the ZyWALL.
1 The default IP address is 192.168.1.1.
2 Use the console port to log in to the ZyWALL.
3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
Advanced Suggestions
• You may also need to clear your Internet browser’s cache. In Internet Explorer, click Tools and then Internet Options to open the Internet Options screen.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.
I cannot use the console port to access the ZyWALL.
1 Check to see if the ZyWALL is connected to your computer's console port.
2 Check to see if the communications program is configured correctly.
The username and password apply to PPPoE and PPPoA encapsulation only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator or SMT).
2 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
interfering with the wireless network (for example, microwaves, other wireless networks, and so on).
3 Reboot the ZyWALL.
4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
Advanced Suggestions
•...
Restart your computer.
I cannot open special applications such as white board, file transfer and video when I use the MSN messenger.
1 Wait more than three minutes.
2 Restart the applications.
Use the web configurator to easily configure the rich range of features on the ZyWALL.
Firmware Upgrade
Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL.
DNS servers to computers on your network.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can use a fixed URL, www.zyxel.com for example, with a dynamic IP address. You must register for this service with a Dynamic DNS service provider.
IP Multicast
IP multicast is used to send traffic to a specific group of computers.
The console cable and dial backup cable each have an RJ-45 connector and a DB-9 connector. The pin layout for the DB-9 connector end of the cables is as follows.
Figure 407 Console/Dial Backup Cable DB-9 End Pin Layout
Pins 2, 3 and 5 are used.
If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyWALL’s LAN port.
Windows 95/98/Me
Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
2 Select Client and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click
5 Restart your computer so the changes you made take effect.
• If you do not know your DNS information, select Disable DNS.
• If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.
Windows 2000/NT/XP
The following example figures use the default Windows XP GUI theme.
1 Click start (Start in Windows 2000/NT), Settings, Control Panel.
Figure 411 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
Figure 412 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
• Click Advanced.
To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
• Click Add.
• Repeat the previous three steps for each default gateway you want to add.
• Click OK when finished.
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
Network Connections, right-click a network connection, click Status and then click the Support tab.
Macintosh OS 8/9
1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.
2 Select Ethernet built-in from the Connect via list.
Figure 419 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
2 Click Network in the icon bar.
• Select Automatic from the Location list.
• Select Built-in Ethernet from the Show list.
• Click the TCP/IP tab.
3 For dynamically assigned settings, select Using DHCP from the Configure list.
Check your TCP/IP properties in the Network window.
Linux
This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.
Figure 422 Red Hat 9.0: KDE: Network Configuration: Devices
2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.
Figure 423 Red Hat 9.0: KDE: Ethernet Device: General
Ethernet card). Open the eth0 configuration file with any plain text editor.
• If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.
Shutting down interface eth0: [OK]
Shutting down loopback interface: [OK]
Setting network parameters: [OK]
Bringing up loopback interface: [OK]
Bringing up interface eth0: [OK]
Verifying Settings
Enter ifconfig in a terminal screen to check your TCP/IP properties.
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.
Figure 431 Pop-up Blocker
You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.
1 In Internet Explorer, select Tools, Internet Options, Privacy.
Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings… to open the Pop-up Blocker Settings screen.
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 434 Pop-up Blocker Settings
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
Figure 437 Security Settings - Java
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.
Figure 438 Java (Sun)
Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.
Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations.
Table 230 Alternative Subnet Mask Notation
SUBNET MASK    ALTERNATIVE NOTATION    LAST OCTET (BINARY)    LAST OCTET (DECIMAL)
255.255.255.0: last octet (binary) 0000 0000
255.255.255.128: last octet (binary) 1000 0000
The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub-networks, A and B.
Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet.
Table 235 Eight Subnets
SUBNET    SUBNET ADDRESS    FIRST ADDRESS    LAST ADDRESS    BROADCAST ADDRESS
Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
(IPSEC_TUNNEL), User-Defined: The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER: Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
This is the data channel.
RCMD: Remote Command Service.
REAL_AUDIO 7070: A streaming audio service that enables real time sound over the web.
REXEC: Remote Execution Daemon.
RLOGIN: Remote Login.
TFTP: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE 7000: Another videoconferencing solution.
The following example procedure shows how to import the ZyWALL’s (self-signed) server certificate into your operating system as a trusted certification authority.
1 In Internet Explorer, double click the lock shown in the following screen.
Appendix F Importing Certificates
Figure 443 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 444 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.
Figure 445 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 446 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.
Figure 447 Certificate Import Wizard 3
6 Click Yes to add the ZyWALL certificate to the root store.
Figure 448 Root Certificate Store
You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA web configurator screen).
The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
Installing the CA’s Certificate
1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 453 Personal Certificate Import Wizard 2
3 Enter the password given to you by the CA.
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Figure 455 Personal Certificate Import Wizard 4
5 Click Finish to complete the wizard and begin the import process.
2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example.
Figure 459 SSL Client Authentication
3 You next see the ZyWALL login screen.
Figure 460 ZyWALL Secure Login Screen
Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
• Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category.
• Use the sys logs clear command to erase all of the ZyWALL’s logs.
IP addresses connected to the LAN, DMZ or WLAN. By default the ZyWALL routes traffic that does not match a NAT rule out through the DMZ interface. The following command example sets the ZyWALL to route traffic that does not match a NAT rule through the WLAN interface.
ARP requests. One day gateway A shuts down and the backup gateway (B) comes online using the same static IP address as gateway A. Gateway B broadcasts a gratuitous ARP request to ask which host is using its IP address. If ackGratuitous
IP address of the computer to which it is sending the packets. The following figure shows an example of this. The ZyWALL uses the IP addresses of computers A and B to manage the bandwidth of the VPN traffic for their respective IPSec
With this setting the bandwidth management applies to ESP or AH packets so you can only specify IP addresses. You cannot specify a service or port numbers.
Setting the Key Length for Phase 2 IPSec AES Encryption
Syntax: ipsec ipsecConfig encryKeyLen <0:128 | 1:192 | 2:256>
This command shows all of the attack response settings.
config display firewall e-mail: This command shows all of the e-mail settings.
config display firewall ?: This command shows all of the available firewall sub commands.
config edit firewall attack block-minute <0-255>: This command sets the number of minutes for new sessions to be blocked when the tcp-max-incomplete threshold is reached. This command is only valid when block is set to yes.
<seconds>
Config edit firewall set <set #> fin-wait-timeout <seconds>: This command sets how long the ZyWALL leaves a TCP session open after the firewall detects a FIN-exchange (indicating the end of the TCP session).
<start ip address> <end ip address>
config edit firewall set <set #> rule <rule #> destaddr-single <ip address>: This command sets the rule to have the ZyWALL check for traffic with this individual destination address.
config delete firewall set <set #>: This command removes the specified set from the firewall configuration.
config delete firewall set <set #> rule<rule #>: This command removes the specified rule in a firewall configuration set.
This command gives a read-only list of the current NetBIOS filter modes for the ZyWALL.
NetBIOS Display Filter Settings Command Example
=========== NetBIOS Filter Status ===========
Between LAN and WAN: Block
Between LAN and DMZ: Block
Between WAN and DMZ: Block
IPSec Packets: Forward
Trigger Dial: Disabled
sys filter netbios config 1 off: This command forwards LAN to DMZ and DMZ to LAN NetBIOS packets.
sys filter netbios config 3 on: This command blocks IPSec NetBIOS packets.
sys filter netbios config 4 off: This command stops NetBIOS commands from initiating calls.
(required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, please put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2048. The default is 1024 bits.
replace_factory: Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
(optional). The default timeout value is 20 seconds.
delete <name>: Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted.
list: List all trusted remote host certificate names and basic information.
<old name> <new name>
name> specifies the name of the directory server to be renamed. <new name> specifies the new name as which the directory server is to be saved.
cert_manager reinit: Reinitialize the certificate manager.
1 to 60) minutes after the third time an incorrect password is entered.
Example
sys pwderrtm 5
This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
ATSH command shows product related information such as boot module version, vendor name, product model, RAS code revision, etc. ATGO allows you to continue booting the system. Most other commands aid in advanced troubleshooting and should only be used by qualified engineers.
ATTD download router configuration to PC via XMODEM
ATUR upload router firmware to flash ROM
ATLC upload router configuration file to flash ROM
ATXSx xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATSR system reboot
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Appendix M Legal Information
ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.