ZyXEL Communications ZYWALL 35 User Manual

Internet security appliance

ZyWALL 5/35/70 Series
Internet Security Appliance
User's Guide
Version 4.02
3/2007
Edition 1
www.zyxel.com

Summary of Contents for ZyXEL Communications ZYWALL 35

  • Page 1 ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.02 3/2007 Edition 1 www.zyxel.com...
  • Page 3: About This User's Guide

    Supporting Disk: Refer to the included CD for support documents. ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback: Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
  • Page 4: Document Conventions

    Document Conventions. Warnings and Notes: These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Document Conventions. Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router.
  • Page 6: Safety Warnings

    Safety Warnings. For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
  • Page 9: Table Of Contents

    Contents Overview Introduction ..........................53 Getting to Know Your ZyWALL ....................55 Introducing the Web Configurator ....................61 Wizard Setup ..........................85 Tutorial ............................. 105 Registration ..........................119 Network ..........................125 LAN Screens ........................... 127 Bridge Screens ........................139 WAN Screens ..........................
  • Page 10 Contents Overview Reports, Logs and Maintenance ..................487 Reports ............................ 489 Logs Screens ........................... 501 Maintenance ..........................529 SMT and Troubleshooting ....................545 Introducing the SMT ........................ 547 SMT Menu 1 - General Setup ....................555 WAN and Dial Backup Setup ....................561 LAN Setup ..........................
  • Page 11: Table Of Contents

    Table of Contents About This User's Guide ......................3 Document Conventions......................4 Safety Warnings........................6 Contents Overview ........................9 Table of Contents........................11 List of Figures ......................... 31 List of Tables........................... 45 Part I: Introduction................. 53 Chapter 1 Getting to Know Your ZyWALL....................
  • Page 12 Table of Contents 2.4.4 HOME Screen: Bridge Mode ..................69 2.4.5 Navigation Panel ......................73 2.4.6 Port Statistics ......................78 2.4.7 Show Statistics: Line Chart ..................79 2.4.8 DHCP Table Screen ....................80 2.4.9 VPN Status ......................... 81 2.4.10 Bandwidth Monitor ....................82 Chapter 3 Wizard Setup ...........................
  • Page 13 Table of Contents 5.3 Service ..........................122 Part II: Network..................125 Chapter 6 LAN Screens.......................... 127 6.1 LAN, WAN and the ZyWALL ....................127 6.2 IP Address and Subnet Mask .................... 127 6.2.1 Private IP Addresses ....................128 6.3 DHCP ..........................129 6.3.1 IP Pool Setup ......................
  • Page 14 Table of Contents 8.7 Configuring Load Balancing ....................153 8.7.1 Least Load First ....................... 153 8.7.2 Weighted Round Robin .................... 154 8.7.3 Spillover ........................154 8.8 WAN IP Address Assignment .................... 155 8.9 DNS Server Address Assignment ..................156 8.10 WAN MAC Address ......................156 8.11 WAN ..........................
  • Page 15 Table of Contents 10.6.4 Hide ZyWALL Identity ..................... 199 10.7 Security Parameters Summary ..................199 10.8 WEP Encryption ......................199 10.9 802.1x Overview ......................199 10.9.1 Introduction to RADIUS ..................200 10.9.2 EAP Authentication Overview ................200 10.10 Dynamic WEP Key Exchange ..................201 10.11 Introduction to WPA .......................
  • Page 16 Table of Contents 11.9 Firewall Rule Summary ....................236 11.9.1 Firewall Edit Rule ....................237 11.10 Anti-Probing ....................... 240 11.11 Firewall Thresholds ..................... 241 11.11.1 Threshold Values ....................242 11.12 Threshold Screen ......................242 11.13 Service .......................... 244 11.13.1 Firewall Edit Custom Service ................245 11.14 My Service Firewall Rule Example ................
  • Page 17 Table of Contents 14.2.1 How the ZyWALL Anti-Virus Scanner Works ............272 14.2.2 Notes About the ZyWALL Anti-Virus ..............273 14.3 General Anti-Virus Setup ....................274 14.4 Signature Searching ......................276 14.4.1 Signature Search Example ..................278 14.5 Signature Update ......................279 14.5.1 mySecurityZone .....................
  • Page 18 Table of Contents 17.1 Checking Content Filtering Activation ................315 17.2 Viewing Content Filtering Reports ................... 315 17.3 Web Site Submission ....................... 320 Chapter 18 IPSec VPN..........................323 18.1 IPSec VPN Overview ..................... 323 18.1.1 IKE SA Overview ....................324 18.2 VPN Rules (IKE) ......................
  • Page 19 Table of Contents 19.2 Self-signed Certificates ....................362 19.3 Verifying a Certificate ....................... 362 19.3.1 Checking the Fingerprint of a Certificate on Your Computer ........362 19.4 Configuration Summary ....................363 19.5 My Certificates ........................ 364 19.6 My Certificate Details ..................... 366 19.7 My Certificate Export ......................
  • Page 20 Table of Contents 21.3 NAT Overview Screen ..................... 398 21.4 NAT Address Mapping ....................399 21.4.1 What NAT Does ..................... 400 21.4.2 NAT Address Mapping Edit .................. 401 21.5 Port Forwarding ......................402 21.5.1 Default Server IP Address ..................403 21.5.2 Port Forwarding: Services and Port Numbers ............
  • Page 21 Table of Contents 24.9 Maximize Bandwidth Usage With Bandwidth Borrowing ..........426 24.10 Over Allotment of Bandwidth ..................427 24.11 Configuring Summary ....................427 24.12 Configuring Class Setup ....................429 24.12.1 Bandwidth Manager Class Configuration ............430 24.12.2 Bandwidth Management Statistics ..............
  • Page 22 27.1.1 How Do I Know If I'm Using UPnP? ............... 471 27.1.2 NAT Traversal ......................471 27.1.3 Cautions with UPnP ....................471 27.1.4 UPnP and ZyXEL ....................472 27.2 Configuring UPnP ......................472 27.3 Displaying UPnP Port Mapping ..................473 27.4 Installing UPnP in Windows Example ................
  • Page 23 Table of Contents 28.5 SIP ........................... 484 28.5.1 STUN ........................484 28.5.2 SIP ALG Details ..................... 484 28.5.3 SIP Signaling Session Timeout ................485 28.5.4 SIP Audio Session Timeout ..................485 28.6 ALG Screen ........................485 Part V: Reports, Logs and Maintenance ..........487 Chapter 29 Reports ..........................
  • Page 24 Table of Contents 31.7 Transparent Firewalls ...................... 536 31.8 Configuring Device Mode (Router) ................. 536 31.9 Configuring Device Mode (Bridge) ................. 538 31.10 F/W Upload Screen ...................... 539 31.11 Backup and Restore ..................... 541 31.11.1 Backup Configuration ................... 542 31.11.2 Restore Configuration ..................542 31.11.3 Back to Factory Defaults ..................
  • Page 25 Table of Contents 34.4 3G WAN ........................... 570 34.4.1 3G Modem Setup ....................571 34.4.2 Remote Node Profile (3G WAN) ................571 Chapter 35 LAN Setup..........................575 35.1 Introduction to LAN Setup ....................575 35.2 Accessing the LAN Menus ....................575 35.3 LAN Port Filter Setup .......................
  • Page 26 Table of Contents Chapter 40 Remote Node Setup......................601 40.1 Introduction to Remote Node Setup ................601 40.2 Remote Node Setup ......................601 40.3 Remote Node Profile Setup ..................... 602 40.3.1 Ethernet Encapsulation ..................602 40.3.2 PPPoE Encapsulation .................... 603 40.3.3 PPTP Encapsulation ....................
  • Page 27 Table of Contents 44.2.3 Configuring a Generic Filter Rule ................644 44.3 Example Filter ........................646 44.4 Filter Types and NAT ....................... 648 44.5 Firewall Versus Filters ..................... 648 44.5.1 Packet Filtering: ..................... 648 44.5.2 Firewall ........................649 44.6 Applying a Filter ......................649 44.6.1 Applying LAN Filters ....................
  • Page 28 Table of Contents 47.3.9 Backup Via Console Port ..................671 47.4 Restore Configuration ...................... 672 47.4.1 Restore Using FTP ....................673 47.4.2 Restore Using FTP Session Example ..............674 47.4.3 Restore Via Console Port ..................674 47.5 Uploading Firmware and Configuration Files ..............675 47.5.1 Firmware File Upload .....................
  • Page 29 Table of Contents Chapter 52 Troubleshooting........................705 52.1 Power, Hardware Connections, and LEDs ..............705 52.2 ZyWALL Access and Login ....................706 52.3 Internet Access ........................ 708 52.4 Wireless Router/AP Troubleshooting ................709 52.5 UPnP ..........................710 Part VII: Appendices and Index ............711 Appendix A Product Specifications..................
  • Page 31: List Of Figures

    List of Figures Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ........... 57 Figure 2 VPN Application ........................57 Figure 3 3G WAN Application ......................... 58 Figure 4 ZyWALL 70 Front Panel ......................58 Figure 5 ZyWALL 35 Front Panel ......................
  • Page 32 List of Figures Figure 39 IDP Configuration for To VPN Traffic ..................108 Figure 40 Firewall Rule for VPN ......................109 Figure 41 SECURITY > VPN > VPN Rules (IKE) ................109 Figure 42 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy ..........110 Figure 43 SECURITY >...
  • Page 33 List of Figures Figure 82 NETWORK > DMZ ......................180 Figure 83 NETWORK > DMZ > Static DHCP ..................183 Figure 84 NETWORK > DMZ > IP Alias ....................184 Figure 85 DMZ Public Address Example ....................186 Figure 86 DMZ Private and Public Address Example ................187 Figure 87 NETWORK >...
  • Page 34 List of Figures Figure 125 SECURITY > FIREWALL > Threshold ................242 Figure 126 SECURITY > FIREWALL > Service ................... 244 Figure 127 Firewall Edit Custom Service ..................... 245 Figure 128 My Service Firewall Rule Example: Service ..............246 Figure 129 My Service Firewall Rule Example: Edit Custom Service ..........247 Figure 130 My Service Firewall Rule Example: Rule Summary ............
  • Page 35 List of Figures Figure 168 Blue Coat: Report Home ....................318 Figure 169 Global Report Screen Example ..................319 Figure 170 Requested URLs Example ....................320 Figure 171 Web Page Review Process Screen ................... 321 Figure 172 VPN: Example ........................323 Figure 173 VPN: IKE SA and IPSec SA ....................
  • Page 36 List of Figures Figure 211 SECURITY > CERTIFICATES > Directory Server > Add ........... 385 Figure 212 SECURITY > AUTH SERVER > Local User Database ............388 Figure 213 SECURITY > AUTH SERVER > RADIUS ................389 Figure 214 How NAT Works ......................... 395 Figure 215 NAT Application With IP Alias ....................
  • Page 37 List of Figures Figure 254 How SSH Works ......................... 458 Figure 255 ADVANCED > REMOTE MGMT > SSH ................459 Figure 256 SSH Example 1: Store Host Key ..................460 Figure 257 SSH Example 2: Test ......................460 Figure 258 SSH Example 2: Log in ...................... 461 Figure 259 Secure FTP: Firmware Upload Example ................
  • Page 38 List of Figures Figure 297 MAINTENANCE > Device Mode (Bridge Mode) ..............538 Figure 298 MAINTENANCE > Firmware Upload .................. 540 Figure 299 Firmware Upload In Process ....................540 Figure 300 Network Temporarily Disconnected ..................541 Figure 301 Firmware Upload Error ....................... 541 Figure 302 MAINTENANCE >...
  • Page 39 List of Figures Figure 340 Menu 6: Route Setup ......................591 Figure 341 Menu 6.1: Route Assessment .................... 591 Figure 342 Menu 6.2: Traffic Redirect ....................592 Figure 343 Menu 6.3: Route Failover ....................593 Figure 344 Menu 7.1: Wireless Setup ....................595 Figure 345 Menu 7.1.1: WLAN MAC Address Filter ................
  • Page 40 List of Figures Figure 383 Menu 21: Filter and Firewall Setup ..................635 Figure 384 Menu 21.2: Firewall Setup ....................636 Figure 385 Outgoing Packet Filtering Process ..................637 Figure 386 Filter Rule Process ......................639 Figure 387 Menu 21: Filter and Firewall Setup ..................640 Figure 388 Menu 21.1: Filter Set Configuration ..................
  • Page 41 List of Figures Figure 426 Menu 24.7.1 As Seen Using the Console Port ..............679 Figure 427 Example Xmodem Upload ....................679 Figure 428 Menu 24.7.2 As Seen Using the Console Port ..............680 Figure 429 Example Xmodem Upload ....................680 Figure 430 Command Mode in Menu 24 ....................
  • Page 42 List of Figures Figure 469 Windows XP: Advanced TCP/IP Properties ............... 740 Figure 470 Windows XP: Internet Protocol (TCP/IP) Properties ............741 Figure 471 Macintosh OS 8/9: Apple Menu ..................742 Figure 472 Macintosh OS 8/9: TCP/IP ....................742 Figure 473 Macintosh OS X: Apple Menu .................... 743 Figure 474 Macintosh OS X: Network ....................
  • Page 43 List of Figures Figure 512 Certificate Import Wizard 1 ....................793 Figure 513 Certificate Import Wizard 2 ....................793 Figure 514 Certificate Import Wizard 3 ....................794 Figure 515 Root Certificate Store ......................794 Figure 516 Certificate General Information after Import ............... 795 Figure 517 ZyWALL Trusted CA Screen ....................
  • Page 45: List Of Tables

    List of Tables Table 1 ZyWALL Model Specific Features ..................... 56 Table 2 Front Panel Lights ........................59 Table 3 Title Bar: Web Configurator Icons ..................... 65 Table 4 Web Configurator HOME Screen in Router Mode ..............66 Table 5 Web Configurator HOME Screen in Bridge Mode ..............
  • Page 46 List of Tables Table 39 Example of Network Properties for LAN Servers with Fixed IP Addresses ......156 Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) ............158 Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) ............161 Table 42 NETWORK >...
  • Page 47 List of Tables Table 82 SECURITY > IDP > Update ....................268 Table 83 Common Computer Virus Types ................... 271 Table 84 SECURITY > ANTI-VIRUS > General .................. 275 Table 85 SECURITY > ANTI-VIRUS > Signature: Query View ............277 Table 86 SECURITY >...
  • Page 48 List of Tables Table 125 ADVANCED > NAT > NAT Overview .................. 398 Table 126 ADVANCED > NAT > Address Mapping ................401 Table 127 ADVANCED > NAT > Address Mapping > Edit ..............402 Table 128 Services and Port Numbers ....................403 Table 129 ADVANCED >...
  • Page 49 List of Tables Table 168 Report Specifications ......................494 Table 169 REPORTS > THREAT REPORTS > IDP ................495 Table 170 REPORTS > THREAT REPORTS > Anti-Virus ..............497 Table 171 REPORTS > THREAT REPORTS > Anti-Spam ..............498 Table 172 LOGS > View Log ....................... 502 Table 173 Log Description Example ....................
  • Page 50 List of Tables Table 211 Menu 1: General Setup (Router Mode) ................555 Table 212 Menu 1: General Setup (Bridge Mode) ................556 Table 213 Menu 1.1: Configure Dynamic DNS ..................557 Table 214 Menu 1.1.1: DDNS Host Summary ..................558 Table 215 Menu 1.1.1: DDNS Edit Host ....................
  • Page 51 Table 271 Firmware Specifications ...................... 714 Table 272 Feature Specifications ......................715 Table 273 Performance ........................716 Table 274 Compatible ZyXEL WLAN Cards and Security Features ............ 716 Table 275 Console/Dial Backup Port Pin Assignments ............... 720 Table 276 Ethernet Cable Pin Assignments ..................720 Table 277 Classes of IP Addresses .....................
  • Page 52 List of Tables Table 297 Brute-Force Password Guessing Protection Commands ........... 813
  • Page 53: Introduction

    Introduction Getting to Know Your ZyWALL (55) Introducing the Web Configurator (61) Wizard Setup (85) Tutorial (105) Registration (119)
  • Page 55: Getting To Know Your Zywall

    Chapter 1 Getting to Know Your ZyWALL. This chapter introduces the main features and applications of the ZyWALL. ZyWALL Internet Security Appliance Overview: The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), anti-virus and certificates.
  • Page 56: Ways To Manage The Zywall

    Chapter 1 Getting to Know Your ZyWALL. See the product specifications in the appendix for a complete list of features. Table 1 ZyWALL Model Specific Features (columns: MODEL #, FEATURE). Features listed: Two WAN Ports; 3G Card Supported; Load Balancing; Changing Port Roles between LAN and DMZ; Changing Port Roles between LAN and WLAN. Table Key: An O in a model’s column shows that the model has the specified feature.
  • Page 57: Applications For The Zywall

    Chapter 1 Getting to Know Your ZyWALL • Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings.
  • Page 58: Wan Application (Zywall 5 Only)

    Chapter 1 Getting to Know Your ZyWALL 1.5.3 3G WAN Application (ZyWALL 5 Only) Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station. At the time of writing, only ZyWALL 5 supports 3G, so all 3G descriptions relate to ZyWALL 5 only.
  • Page 59: Table 2 Front Panel Lights

    Chapter 1 Getting to Know Your ZyWALL The following table describes the lights. Table 2 Front Panel Lights COLOR STATUS DESCRIPTION The ZyWALL is turned off. Green The ZyWALL is turned on. The power to the ZyWALL is too low. Green The ZyWALL is not ready or has failed.
  • Page 61: Introducing The Web Configurator

    Chapter 2 Introducing the Web Configurator. This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview: The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser.
  • Page 62: Figure 7 Change Password Screen

    Chapter 2 Introducing the Web Configurator. 5 You should see a screen asking you to change your password (highly recommended), as shown next. Type a new password (and retype it to confirm) and click Apply, or click Ignore (which leaves the current default password in place until you change it under MAINTENANCE > Password). Figure 7 Change Password Screen. 6 Click Apply in the Replace Certificate screen to create a certificate, based on your ZyWALL’s MAC address, that will be specific to this device.
  • Page 63: Resetting The Zywall

    5 Release the RESET button and wait for the ZyWALL to finish restarting. 2.3.2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
  • Page 64: Navigating The Zywall Web Configurator

    Chapter 2 Introducing the Web Configurator 2.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.
  • Page 65: Main Window

    Chapter 2 Introducing the Web Configurator The icons provide the following functions. Table 3 Title Bar: Web Configurator Icons ICON DESCRIPTION Wizards: Click this icon to open one of the web configurator wizards. See Chapter 3 on page 85 for more information. Help: Click this icon to open the help page for the current screen.
  • Page 66: Table 4 Web Configurator Home Screen In Router Mode

    The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 67 Chapter 2 Introducing the Web Configurator Table 4 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Interfaces This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists. Hold your cursor over an interface’s label to display the interface’s MAC Address. Click an interface’s label to go to the screen where you can configure settings for that interface.
  • Page 68 Chapter 2 Introducing the Web Configurator Table 4 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Intrusion Detected This displays how many intrusions the ZyWALL has detected since it last started up. N/A displays when there is no Turbo Card installed or the service subscription has expired.
  • Page 69: Home Screen: Bridge Mode

    Chapter 2 Introducing the Web Configurator Table 4 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION 3G Card IMEI: This displays the International Mobile Equipment Identity (IMEI), which is the serial number of the 3G wireless card. An IMEI is a unique 15-digit number used to identify a mobile device.
  • Page 70: Figure 12 Web Configurator Home Screen In Bridge Mode

    Bootbase Version: This is the bootbase version and the date created. Firmware Version: This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
  • Page 71 The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 72 Chapter 2 Introducing the Web Configurator Table 5 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION RSTP Active This shows whether or not RSTP is active on the corresponding port. RSTP Priority This is the RSTP priority of the corresponding port. RSTP Path Cost This is the cost of transmitting a frame from the root bridge to the corresponding port.
  • Page 73: Navigation Panel

    Chapter 2 Introducing the Web Configurator Table 5 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION System Status Port Statistics Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port. Click VPN to display the active VPN connections.
  • Page 74: Table 7 Screens Summary

    Chapter 2 Introducing the Web Configurator Table 6 Bridge and Router Mode Features Comparison FEATURE BRIDGE MODE ROUTER MODE UPnP Reports Logs Maintenance Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 75 Chapter 2 Introducing the Web Configurator Table 7 Screens Summary (continued) LINK FUNCTION Use this screen to configure your DMZ connection. Static DHCP Use this screen to assign fixed IP addresses on the DMZ. IP Alias Use this screen to partition your DMZ interface into subnets. Port Roles Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or...
  • Page 76 Chapter 2 Introducing the Web Configurator Table 7 Screens Summary (continued) LINK FUNCTION ANTI-SPAM General Use this screen to turn the anti-spam feature on or off and set how the ZyWALL treats spam. External DB Use this screen to enable or disable the use of the anti-spam external database.
  • Page 77 Chapter 2 Introducing the Web Configurator Table 7 Screens Summary (continued) LINK FUNCTION System Use this screen to configure the address and name server records. Cache Use this screen to configure the DNS resolution cache. DHCP Use this screen to configure LAN/DMZ/WLAN DNS information. DDNS Use this screen to set up dynamic DNS.
  • Page 78: Port Statistics

    Chapter 2 Introducing the Web Configurator Table 7 Screens Summary (continued) LINK FUNCTION MAINTENANCE General This screen contains administrative. Password Use this screen to change your password. Time and Date Use this screen to change your ZyWALL’s time and date. Device Mode Use this screen to configure and have your ZyWALL work as a router or a bridge.
  • Page 79: Show Statistics: Line Chart

    Chapter 2 Introducing the Web Configurator Table 8 HOME > Show Statistics (continued) LABEL DESCRIPTION Status: For the WAN interface(s) and the Dial Backup port, this displays the port speed and duplex setting if you’re using Ethernet encapsulation. If you’re using PPPoE encapsulation, it displays the remote node name for a PPP connection and one of Down (line is down or not connected), Idle (PPP line idle), Dial (starting to trigger a call) or Drop (dropping a call).
  • Page 80: Dhcp Table Screen

    Chapter 2 Introducing the Web Configurator The following table describes the labels in this screen. Table 9 HOME > Show Statistics > Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen. Port Select the check box(es) to display the throughput statistics of the corresponding interface(s).
  • Page 81: Vpn Status

    Chapter 2 Introducing the Web Configurator Table 10 HOME > DHCP Table (continued) LABEL DESCRIPTION MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal digits). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory.
  • Page 82: Bandwidth Monitor

    Chapter 2 Introducing the Web Configurator Table 11 HOME > VPN Status LABEL DESCRIPTION IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval, or to not update the screen statistics.
  • Page 83 Chapter 2 Introducing the Web Configurator Table 12 ADVANCED > BW MGMT > Monitor LABEL DESCRIPTION Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval, or to not update the screen statistics.
  • Page 85: Wizard Setup

    Chapter 3 Wizard Setup. This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview: The web configurator's setup wizards help you configure Internet and VPN connection settings.
  • Page 86: Isp Parameters

    Chapter 3 Wizard Setup 3.2.1 ISP Parameters The ZyWALL offers three choices of encapsulation: Ethernet, PPTP and PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field. 3.2.1.1 Ethernet For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, create a WAN-to-WAN/ZyWALL firewall rule that permits those packets, so that the firewall does not drop them as unsolicited inbound traffic.
  • Page 87: Figure 20 Isp Parameters: Pppoe Encapsulation

    Chapter 3 Wizard Setup Table 13 ISP Parameters: Ethernet Encapsulation LABEL DESCRIPTION My WAN IP Address: Enter your WAN IP address in this field. My WAN IP Subnet Mask: Enter the IP subnet mask in this field. Gateway IP Address: Enter the gateway IP address in this field. First DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right.
  • Page 88: Table 14 Isp Parameters: Pppoe Encapsulation

    Chapter 3 Wizard Setup The following table describes the labels in this screen. Table 14 ISP Parameters: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access. Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection. Service Name: Type the name of your service provider.
  • Page 89: Figure 21 Isp Parameters: Pptp Encapsulation

    Chapter 3 Wizard Setup Figure 21 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 15 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access. Encapsulation: Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 90: Internet Access Wizard: Second Screen

    Chapter 3 Wizard Setup Table 15 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given). Server IP Address: Type the IP address of the PPTP server. Connection ID/Name: Enter the connection ID or connection name in this field.
  • Page 91: Internet Access Wizard: Registration

    Chapter 3 Wizard Setup Figure 23 Internet Access Setup Complete 3.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 22 on page 90), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, anti-spam, anti-virus and IDP.
  • Page 92: Figure 24 Internet Access Wizard: Registration

    Figure 24 Internet Access Wizard: Registration. The following table describes the labels in this screen. Table 16 Internet Access Wizard: Registration. Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
  • Page 93: Internet Access Wizard: Status

    Figure 25 Internet Access Wizard: Registration in Progress. 3.2.4 Internet Access Wizard: Status. This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done. Figure 26 Internet Access Wizard: Status. The following screen appears if the registration was not successful.
  • Page 94: Internet Access Wizard: Service Activation

    Figure 27 Internet Access Wizard: Registration Failed. 3.2.5 Internet Access Wizard: Service Activation. If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
  • Page 95: VPN Wizard Gateway Setting

    3.3 VPN Wizard Gateway Setting. Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 18 on page 85) to open the VPN configuration wizard.
  • Page 96: VPN Wizard Network Setting

    Table 17 VPN Wizard: Gateway Setting. Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name.
  • Page 97: VPN Wizard IKE Tunnel Setting (IKE Phase 1)

    Table 18 VPN Wizard: Network Setting. Name: Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces. Network Policy Setting. Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
  • Page 98: Figure 32 VPN Wizard: IKE Tunnel Setting

    Figure 32 VPN Wizard: IKE Tunnel Setting. The following table describes the labels in this screen. Table 19 VPN Wizard: IKE Tunnel Setting. Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
  • Page 99: VPN Wizard IPSec Setting (IKE Phase 2)

    Table 19 VPN Wizard: IKE Tunnel Setting (continued). Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 100: VPN Wizard Status Summary

    The following table describes the labels in this screen. Table 20 VPN Wizard: IPSec Setting. Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems.
  • Page 101: Figure 34 VPN Wizard: VPN Status

    Figure 34 VPN Wizard: VPN Status. The following table describes the labels in this screen. Table 21 VPN Wizard: VPN Status. Gateway Policy Property. Name: This is the name of this VPN gateway policy. Gateway Policy Setting. My ZyWALL...
  • Page 102

    Table 21 VPN Wizard: VPN Status (continued). Network Policy Setting. Local Network. Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 103: VPN Wizard Setup Complete

    3.8 VPN Wizard Setup Complete. Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 35 VPN Wizard Setup Complete.
  • Page 105: Tutorial

    Chapter 4 Tutorial. This chapter describes how to apply security settings to VPN traffic and how to set up a 3G WAN connection. 4.1 Security Settings for VPN Traffic. The ZyWALL can apply the firewall, IDP, anti-virus, anti-spam and content filtering to the traffic going to or from the ZyWALL’s VPN tunnels.
  • Page 106: Figure 36 IDP for From VPN Traffic

    Chapter 4 Tutorial Figure 36 IDP for From VPN Traffic Here is how you would configure this example. 1 Click SECURITY > IDP > General. 2 Select the To LAN column’s first check box (with the interface label) to select all of the To LAN packet directions.
  • Page 107: IDP for To VPN Traffic Example

    4.1.2 IDP for To VPN Traffic Example. You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can use IDP to protect the remote networks from intrusions that might come in through your ZyWALL’s VPN tunnels.
  • Page 108: Firewall Rule for VPN Example

    Figure 39 IDP Configuration for To VPN Traffic. 4.2 Firewall Rule for VPN Example. The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets. Take the following example. You have a LAN FTP server with IP address 192.168.1.4 behind device A.
  • Page 109: Configuring the VPN Rule

    Figure 40 Firewall Rule for VPN. 4.2.1 Configuring the VPN Rule. This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security >...
  • Page 110: Figure 42 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy

    Figure 42 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy. 3 Click the Add Network Policy icon.
  • Page 111: Figure 43 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example

    Figure 43 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example. 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers.
  • Page 112: Configuring the Firewall Rules

    Figure 44 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy. 4.2.2 Configuring the Firewall Rules. Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on).
  • Page 113: Figure 45 SECURITY > FIREWALL > Rule Summary

    4.2.2.1 Firewall Rule to Allow Access Example. Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server. 1 Click Security > Firewall > Rule Summary. 2 Select VPN to LAN as the packet direction and click Insert. Figure 45 SECURITY >...
  • Page 114: Figure 46 SECURITY > FIREWALL > Rule Summary > Edit: Allow

    Figure 46 SECURITY > FIREWALL > Rule Summary > Edit: Allow. 4 The rule displays in the summary list of VPN to LAN firewall rules.
  • Page 115: Figure 47 SECURITY > FIREWALL > Rule Summary: Allow

    Figure 47 SECURITY > FIREWALL > Rule Summary: Allow. 4.2.2.2 Default Firewall Rule to Block Other Access Example. Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.
  • Page 116: How to Set Up a 3G WAN Connection

    4.3 How to Set up a 3G WAN Connection. This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) for Internet access at the same time.
  • Page 117: Configuring Load Balancing

    4.3.2 Configuring Load Balancing. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) at the same time. You also balance the load between the two WAN interfaces using the weighted round-robin method.
  • Page 118: Figure 51 Tutorial: Home

    2 In the network status table, make sure the status for WAN 1 and WAN 2 is not Down and that each has an IP address. If the WAN 2 connection is not up, make sure you have entered the correct information in the WAN 2 screen and that the signal strength to the service provider’s base station is not too low to connect to a network.
  • Page 119: Registration

    Chapter 5 Registration. 5.1 myZyXEL.com overview. myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 120: Registration

    The IDP and anti-virus features use the same signature files on the ZyWALL to detect and scan for viruses. After the service is activated, the ZyWALL downloads the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com). You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service.
  • Page 121: Figure 52 REGISTRATION

    Chapter 5 Registration Figure 52 REGISTRATION. The following table describes the labels in this screen. Table 22 REGISTRATION. Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available. New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
  • Page 122: Service

    Table 22 REGISTRATION (continued). IDP/AV 3-month Trial: Select the check box to activate a trial. The trial period starts the day you activate the trial. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 123: Figure 54 REGISTRATION > Service

    Figure 54 REGISTRATION > Service. The following table describes the labels in this screen. Table 23 REGISTRATION > Service. Service Management. Service: This field displays the service name available on the ZyWALL. Status: This field displays whether a service is activated (Active) or not (Inactive). Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
  • Page 125: Network

    Network: LAN Screens (127), Bridge Screens (139), WAN Screens (145), DMZ Screens (179), Wireless LAN (189)
  • Page 127: LAN Screens

    Chapter 6 LAN Screens. This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35. 6.1 LAN, WAN and the ZyWALL. A network is a shared communication system to which many computers are attached.
  • Page 128: Private IP Addresses

    Chapter 6 LAN Screens Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 129: DHCP

    6.3 DHCP. The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server.
  • Page 130: WINS

    224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
  • Page 131: Figure 56 NETWORK > LAN

    Figure 56 NETWORK > LAN. The following table describes the labels in this screen. Table 24 NETWORK > LAN. LAN TCP/IP. IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
  • Page 132

    Table 24 NETWORK > LAN (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 133: LAN Static DHCP

    Table 24 NETWORK > LAN (continued). Allow between LAN and WAN2: Select this check box to forward NetBIOS packets from the LAN to WAN 2 and from WAN 2 to the LAN. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN 2 to LAN firewall rule that forwards NetBIOS traffic.
  • Page 134: LAN IP Alias

    Figure 57 NETWORK > LAN > Static DHCP. The following table describes the labels in this screen. Table 25 NETWORK > LAN > Static DHCP. This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address of a computer on your LAN.
  • Page 135: Figure 58 Physical Network & Partitioned Logical Networks

    The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 136: LAN Port Roles

    The following table describes the labels in this screen. Table 26 NETWORK > LAN > IP Alias. Enable IP Alias 1, Select the check box to configure another LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 137: Figure 60 NETWORK > LAN > Port Roles

    The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens.
  • Page 139: Bridge Screens

    Chapter 7 Bridge Screens. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 7.1 Bridge Loop. The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL.
  • Page 140: Spanning Tree Protocol (STP)

    Chapter 7 Bridge Screens 7.2 Spanning Tree Protocol (STP). STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network. 7.2.1 Rapid STP. The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...
  • Page 141: STP Port States

    Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down.
  • Page 142: Figure 63 NETWORK > Bridge

    Figure 63 NETWORK > Bridge. The following table describes the labels in this screen. Table 30 NETWORK > Bridge. Bridge IP Address Setup. IP Address: Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
  • Page 143: Bridge Port Roles

    Table 30 NETWORK > Bridge (continued). Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL. Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. Bridge priority is used in determining the root switch, root port and designated port.
  • Page 144: Figure 64 NETWORK > Bridge > Port Roles

    Figure 64 NETWORK > Bridge > Port Roles. The following table describes the labels in this screen. Table 31 NETWORK > Bridge > Port Roles. Select a port’s LAN radio button to use the port as part of the LAN. Select a port’s DMZ radio button to use the port as part of the DMZ.
  • Page 145: WAN Screens

    Chapter 8 WAN Screens. This chapter describes how to configure WAN settings. WAN 2 refers to either the physical WAN 2 port on the ZyWALL with multiple WAN ports or the 3G card on the supported ZyWALL in router mode. 8.1 WAN Overview •...
  • Page 146: Load Balancing Introduction

    Chapter 8 WAN Screens The ZyWALL's NAT feature allows you to configure sets of rules for one WAN interface and separate sets of rules for the other WAN interface. Refer to Chapter 21 on page 393 for details. You can select through which WAN interface you want to send out traffic from UPnP-enabled applications (see Chapter 27 on page 471).
  • Page 147: Weighted Round Robin

    Figure 66 Least Load First Example. If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below.
  • Page 148: Spillover

    This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively.
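    The 2:1 weighting described above, worked through as an added example (this is illustrative code, not ZyXEL firmware or the manual's own material): new sessions are handed to WAN1 and WAN2 in proportion to their weights, and an interface whose connectivity check has failed is skipped so the other carries everything. Interface names, weights and the "up" flag are constructed sample input; the scheduling is a smooth weighted round robin, which is one common way to realise the behaviour the text describes.

```python
"""Weighted round-robin choice of an outgoing WAN interface.

Added illustration, not ZyXEL code: models the WAN1:WAN2 = 2:1 weighting the
manual describes (1M vs 512K configured bandwidth).  Interface names, weights
and the 'up' flag are constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class WanInterface:
    name: str
    weight: int        # relative share of new sessions (page example: 2 and 1)
    up: bool = True    # False models a link whose connectivity check failed


class WeightedRoundRobin:
    """Assigns each new session to a live WAN interface in weight proportion.

    Smooth weighted round robin: every live interface gains its weight each
    turn, the largest balance wins and pays back the total weight.  With
    weights 2 and 1 the sequence is WAN1, WAN2, WAN1, WAN1, WAN2, WAN1, ...
    Interfaces that are down are skipped, so a failed link sends all traffic
    to the remaining one (the fail-over behaviour the WAN screens describe).
    """

    def __init__(self, interfaces: List[WanInterface]) -> None:
        if not interfaces or any(i.weight <= 0 for i in interfaces):
            raise ValueError("need at least one interface with a positive weight")
        self.interfaces = interfaces
        self._balance: Dict[str, int] = {i.name: 0 for i in interfaces}

    def next_interface(self) -> Optional[WanInterface]:
        """Return the interface for the next new session, or None if all are down."""
        live = [i for i in self.interfaces if i.up]
        if not live:
            return None
        total = sum(i.weight for i in live)
        for i in live:
            self._balance[i.name] += i.weight
        # max() keeps the first of equal balances, so ties favour list order
        chosen = max(live, key=lambda i: self._balance[i.name])
        self._balance[chosen.name] -= total
        return chosen


def session_distribution(scheduler: WeightedRoundRobin, sessions: int) -> Dict[str, int]:
    """Count how many of `sessions` new sessions land on each interface."""
    counts: Dict[str, int] = {i.name: 0 for i in scheduler.interfaces}
    for _ in range(sessions):
        chosen = scheduler.next_interface()
        if chosen is not None:
            counts[chosen.name] += 1
    return counts


def page_example(sessions: int = 300, wan2_up: bool = True) -> Dict[str, int]:
    """The manual's 2:1 weighting (WAN1 1M, WAN2 512K) over `sessions` sessions.

    Constructed scenario: WAN1 weight 2, WAN2 weight 1; `wan2_up=False`
    models the 3G/WAN 2 link being Down so WAN1 must take every session.
    """
    wan1 = WanInterface("WAN1", weight=2)
    wan2 = WanInterface("WAN2", weight=1, up=wan2_up)
    return session_distribution(WeightedRoundRobin([wan1, wan2]), sessions)


if __name__ == "__main__":
    print(page_example())                      # {'WAN1': 200, 'WAN2': 100}
    print(page_example(6, wan2_up=False))      # {'WAN1': 6, 'WAN2': 0}
```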
  • Page 149: TCP/IP Priority (Metric)

    8.5 TCP/IP Priority (Metric). The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1"...
  • Page 150: Figure 69 NETWORK > WAN (General)

    Figure 69 NETWORK > WAN (General)
  • Page 151: Table 34 NETWORK > WAN (General)

    The following table describes the labels in this screen. Table 34 NETWORK > WAN (General). Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN interface as a back up. This means that the ZyWALL will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields).
  • Page 152

    Table 34 NETWORK > WAN (General) (continued). Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN interface's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN interface's default gateway IP address.
  • Page 153: Configuring Load Balancing

    Table 34 NETWORK > WAN (General) (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 8.7 Configuring Load Balancing. To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel.
  • Page 154: Weighted Round Robin

    Table 35 Load Balancing: Least Load First (continued). Interface: This field displays the name of the WAN interface (WAN 1 and WAN 2). Available Inbound: This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es) field.
  • Page 155: WAN IP Address Assignment

    Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN 1 is the primary WAN and WAN 2 is the secondary WAN. Figure 72 Load Balancing: Spillover. The following table describes the related fields in this screen.
  • Page 156: DNS Server Address Assignment

    Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 157: WAN

    8.11 WAN. To change your ZyWALL's WAN ISP, IP and MAC settings, click NETWORK > WAN and then the WAN > WAN 1 or WAN 2 (on the ZyWALL 70 or ZyWALL 35). The screen differs by the encapsulation.
  • Page 158: Figure 73 NETWORK > WAN > WAN (Ethernet Encapsulation)

    Figure 73 NETWORK > WAN > WAN (Ethernet Encapsulation). The following table describes the labels in this screen. Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation). ISP Parameters for Internet Access. Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 159

    Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued). Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login. Login Server: Type the domain name of the Telia login server, for example login1.telia.com.
  • Page 160: PPPoE Encapsulation

    Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued). Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
  • Page 161: Figure 74 NETWORK > WAN > WAN (PPPoE Encapsulation)

    Figure 74 NETWORK > WAN > WAN (PPPoE Encapsulation). The following table describes the labels in this screen. Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation). ISP Parameters for Internet Access. Encapsulation: Select PPPoE for a dial-up connection using PPPoE. Service Name: Type the PPPoE service name provided to you by your ISP.
  • Page 162

    Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued). Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
  • Page 163: PPTP Encapsulation

    Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued). Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
  • Page 164: Figure 75 NETWORK > WAN > WAN (PPTP Encapsulation)

    Figure 75 NETWORK > WAN > WAN (PPTP Encapsulation). The following table describes the labels in this screen. Table 42 NETWORK > WAN > WAN (PPTP Encapsulation). ISP Parameters for Internet Access. Encapsulation: Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time.
  • Page 165

    Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) (continued). Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
  • Page 166: WAN

    Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 167: Table 43 2G, 2.5G, 2.75G and 3G of Wireless Technologies

    The 3G downstream data rate can be up to 900 Kbps and the upstream data rate can be up to 384 Kbps when you use the Sierra AC850/860 3G card in the ZyWALL. The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, etc.
  • Page 168: Figure 76 NETWORK > WAN > WAN 2 (3G WAN)

    The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. Figure 76 NETWORK > WAN > WAN 2 (3G WAN). The following table describes the labels in this screen. Table 44 NETWORK >...
  • Page 169

    Table 44 NETWORK > WAN > WAN 2 (3G WAN) (continued). Retype to Confirm: Type your password again to make sure that you have entered it correctly. PIN Code: A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card.
  • Page 170: Traffic Redirect

    8.13 Traffic Redirect. Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. Figure 77 Traffic Redirect WAN Setup. IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ.
  • Page 171: Configuring Dial Backup

    For the ZyWALL 5, if the traffic redirect feature does not work after you configure the ZyWALL’s traffic redirect settings in the Traffic Redirect screen, you may need to turn on the WAN ping check by entering sys rn pingcheck in the command interpreter.
  • Page 172: Figure 80 NETWORK > WAN > Dial Backup

    Figure 80 NETWORK > WAN > Dial Backup. The following table describes the labels in this screen. Table 46 NETWORK > WAN > Dial Backup. Dial Backup Setup. Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings. Login Name: Type the login name assigned by your ISP.
  • Page 173

    Table 46 NETWORK > WAN > Dial Backup (continued). Retype to Confirm: Type your password again to make sure that you have entered it correctly. Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this...
  • Page 174

    Table 46 NETWORK > WAN > Dial Backup (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 175: Advanced Modem Setup

    8.16 Advanced Modem Setup. 8.16.1 AT Command Strings. For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.
  • Page 176: Figure 81 NETWORK > WAN > Dial Backup > Edit

    Figure 81 NETWORK > WAN > Dial Backup > Edit. The following table describes the labels in this screen. Table 47 NETWORK > WAN > Dial Backup > Edit. AT Command Strings. Dial: Type the AT Command string to make a call. Drop: Type the AT Command string to drop a call.
  • Page 177

    Table 47 NETWORK > WAN > Dial Backup > Edit (continued). Retry Interval (sec): Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout (sec): Type the number of seconds for the ZyWALL to wait before dropping the DTR
  • Page 179: DMZ Screens

    Chapter 9 DMZ Screens. This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ. The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 180: Figure 82 NETWORK > DMZ

    Chapter 9 DMZ Screens Figure 82 NETWORK > DMZ. The following table describes the labels in this screen. Table 48 NETWORK > DMZ. DMZ TCP/IP. IP Address: Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
  • Page 181

    Table 48 NETWORK > DMZ (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 182: DMZ Static DHCP

    Table 48 NETWORK > DMZ (continued). Allow between DMZ and WAN 2: Select this check box to forward NetBIOS packets from the DMZ to WAN 2 and from WAN 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 2 and from WAN 2 to the DMZ.
  • Page 183: DMZ IP Alias

    Figure 83 NETWORK > DMZ > Static DHCP. The following table describes the labels in this screen. Table 49 NETWORK > DMZ > Static DHCP. This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address of a computer on your DMZ.
  • Page 184: Figure 84 Network > DMZ > IP Alias

    Chapter 9 DMZ Screens The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 185: DMZ Public IP Address Example

    Chapter 9 DMZ Screens Table 50 NETWORK > DMZ > IP Alias (continued) LABEL DESCRIPTION IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
  • Page 186: DMZ Private And Public IP Address Example

    Chapter 9 DMZ Screens Figure 85 DMZ Public Address Example 9.6 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet.
  • Page 187: DMZ Port Roles

    Chapter 9 DMZ Screens Figure 86 DMZ Private and Public Address Example 9.7 DMZ Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 can be part of the LAN, DMZ or WLAN interface.
  • Page 188: Figure 87 Network > DMZ > Port Roles

    Chapter 9 DMZ Screens Figure 87 NETWORK > DMZ > Port Roles The following table describes the labels in this screen. Table 51 NETWORK > DMZ > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC address.
  • Page 189: Wireless LAN

    Do one of the following to add wireless functionality to the ZyWALL. Turn the ZyWALL off before you install or remove the wireless LAN card. See the product specifications appendix for a table of compatible ZyXEL WLAN cards (and the WLAN security features each card supports) and how to install a WLAN card.
  • Page 190: Figure 88 Network > WLAN

    Chapter 10 Wireless LAN • Insert a compatible wireless LAN card and enable the card in the Wireless Card screen (see Figure 98 on page 205). • Use the Port Roles screen (see Figure 92 on page 197) to set a port to be part of the WLAN and connect an access point (AP) to the WLAN interface to extend the ZyWALL’s wireless LAN coverage.
  • Page 191 Chapter 10 Wireless LAN Table 52 NETWORK > WLAN (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None.
  • Page 192: WLAN Static DHCP

    Chapter 10 Wireless LAN Table 52 NETWORK > WLAN (continued) LABEL DESCRIPTION Allow between WLAN and WAN 1: Select this check box to forward NetBIOS packets from the WLAN to WAN 1 and from WAN 1 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN 1 and from WAN 1 to the WLAN.
  • Page 193: WLAN IP Alias

    Chapter 10 Wireless LAN Figure 89 NETWORK > WLAN > Static DHCP The following table describes the labels in this screen. Table 53 NETWORK > WLAN > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your WLAN.
  • Page 194: Figure 90 Network > WLAN > IP Alias

    Chapter 10 Wireless LAN The ZyWALL supports three logical WLAN interfaces via its single physical WLAN Ethernet interface. The ZyWALL itself is the gateway for each of the logical WLAN networks. When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets).
  • Page 195: WLAN Port Roles

    Chapter 10 Wireless LAN Table 54 NETWORK > WLAN > IP Alias (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
  • Page 196: Figure 91 WLAN Port Role Example

    Chapter 10 Wireless LAN Figure 91 WLAN Port Role Example Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
  • Page 197: Wireless Security

    Chapter 10 Wireless LAN Figure 92 NETWORK > WLAN > Port Roles The following table describes the labels in this screen. Table 55 NETWORK > WLAN > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address.
  • Page 198: Encryption

    Chapter 10 Wireless LAN Figure 94 ZyWALL Wireless Security Levels If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator.
  • Page 199: Hide ZyWALL Identity

    Chapter 10 Wireless LAN 10.6.4 Hide ZyWALL Identity If you hide the ESSID, then the ZyWALL cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyWALL may be inconvenience for some valid WLAN clients.
  • Page 200: Introduction To RADIUS

    Chapter 10 Wireless LAN 10.9.1 Introduction to RADIUS A RADIUS (Remote Authentication Dial In User Service) server enables user authentication, authorization and accounting. RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server.
  • Page 201: Dynamic WEP Key Exchange

    Chapter 10 Wireless LAN Your ZyWALL supports EAP-MD5 (Message-Digest Algorithm 5) with the local user database. The following figure shows an overview of authentication when you specify a RADIUS server on your access point. Figure 95 EAP Authentication The details below provide a general description of how IEEE 802.1x EAP authentication works.
  • Page 202: Introduction To WPA

    Chapter 10 Wireless LAN 10.11 Introduction to WPA Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption. 10.11.1 User Authentication WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database.
  • Page 203: WPA-PSK Application Example

    Chapter 10 Wireless LAN 10.12 WPA-PSK Application Example A WPA-PSK application looks as follows. 1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).
  • Page 204: Wireless Client WPA Supplicants

    10.16 Wireless Card Turn the ZyWALL off before you install or remove the wireless LAN card. See the product specifications appendix for a table of compatible ZyXEL WLAN cards (and the WLAN security features each card supports) and how to install a WLAN card.
  • Page 205: Figure 98 Network > Wireless Card: No Security

    802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN. Wireless Card This field displays whether or not a compatible ZyXEL wireless LAN card is installed. ESSID (Extended Service Set IDentity) The ESSID identifies the Service Set with which a wireless station is associated.
  • Page 206 Otherwise, select the security you need and see the following sections for more information. Note: The installed ZyXEL WLAN card may not support all of the WLAN security features you can configure in the ZyWALL. Please see the product specifications appendix for a table of compatible ZyXEL WLAN cards and the WLAN security features each card supports.
  • Page 207: Static WEP

    Chapter 10 Wireless LAN 10.16.1 Static WEP Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be used at any one time.
  • Page 208: WPA-PSK

    Chapter 10 Wireless LAN 10.16.2 WPA-PSK Click NETWORK > WIRELESS CARD to display the Wireless Card screen. Select WPA-PSK from the Security list. Figure 100 NETWORK > WIRELESS CARD: WPA-PSK The following wireless LAN security fields become available when you select WPA-PSK in the Security drop down list-box.
  • Page 209: WPA

    Chapter 10 Wireless LAN Table 59 NETWORK > WIRELESS CARD: WPA-PSK (continued) LABEL DESCRIPTION WPA Group Key Update Timer (Seconds): The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients.
  • Page 210: IEEE 802.1x + Dynamic WEP

    Chapter 10 Wireless LAN Table 60 NETWORK > WIRELESS CARD: WPA (continued) LABEL DESCRIPTION Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
  • Page 211: IEEE 802.1x + Static WEP

    Chapter 10 Wireless LAN The following wireless LAN security fields become available when you select 802.1x + Dynamic WEP in the Security drop down list-box. Table 61 NETWORK > WIRELESS CARD: 802.1x + Dynamic WEP LABEL DESCRIPTION Security Select 802.1x + Dynamic WEP from the drop-down list. ReAuthentication Timer (Seconds): Specify how often wireless stations have to resend user names and passwords in
  • Page 212: Figure 103 Network > Wireless Card: 802.1x + Static WEP

    Chapter 10 Wireless LAN Figure 103 NETWORK > WIRELESS CARD: 802.1x + Static WEP The following wireless LAN security fields become available when you select 802.1x + Static WEP in the Security drop down list-box. Table 62 NETWORK > WIRELESS CARD: 802.1x + Static WEP LABEL DESCRIPTION Security...
  • Page 213: IEEE 802.1x + No WEP

    Chapter 10 Wireless LAN Table 62 NETWORK > WIRELESS CARD: 802.1x + Static WEP (continued) LABEL DESCRIPTION Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
  • Page 214: No Access 802.1x + Static WEP

    Chapter 10 Wireless LAN The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop down list-box. Table 63 NETWORK > WIRELESS CARD: 802.1x + No WEP LABEL DESCRIPTION Security Select 802.1x + No WEP from the drop-down list. ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in...
  • Page 215: No Access 802.1x + No WEP

    Chapter 10 Wireless LAN Figure 105 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop down list-box. Table 64 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP LABEL DESCRIPTION Security...
  • Page 216: MAC Filter

    Chapter 10 Wireless LAN 10.17 MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address.
  • Page 217 Chapter 10 Wireless LAN Table 65 NETWORK > WIRELESS CARD: MAC Address Filter LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 219: Security

    Security: Firewall (221), Intrusion Detection and Prevention (IDP) (251), Configuring IDP (255), Anti-Virus (271), Anti-Spam (283), Content Filtering Screens (297), Content Filtering Reports (315), IPSec VPN (323), Certificates (361), Authentication Server (387)
  • Page 221: Firewall

    Chapter 11 Firewall This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview The networking term firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network.
  • Page 222: Packet Direction Matrix

    Chapter 11 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
  • Page 223: Packet Direction Examples

    Chapter 11 Firewall To set the ZyWALL to silently block traffic from WAN 1 to the DMZ interface by default, you would find where the From WAN1 row and the To DMZ column intersect and set the field to Drop as shown. Figure 109 Default Block Traffic From WAN1 to DMZ Example 11.3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of packets to which they apply.
  • Page 224: To VPN Packet Direction

    Chapter 11 Firewall By default, the ZyWALL drops packets traveling in the following directions. • WAN 1 to LAN These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to: •...
  • Page 225: Figure 110 From LAN To VPN Example

    Chapter 11 Firewall For example, by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the ZyWALL’s VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL’s VPN tunnels.
  • Page 226: From VPN Packet Direction

    Chapter 11 Firewall 11.3.2 From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to” interface.
  • Page 227: From VPN To VPN Packet Direction

    Chapter 11 Firewall Figure 113 Block VPN to LAN Traffic by Default Example 11.3.3 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN; see Section 18.16 on page 356 for details).
  • Page 228: Figure 114 From VPN To VPN Example

    Chapter 11 Firewall Figure 114 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 115 Block VPN to VPN Traffic by Default Example
  • Page 229: Security Considerations

    Chapter 11 Firewall 11.4 Security Considerations Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
  • Page 230: Figure 117 Limited LAN To WAN IRC Traffic Example

    Chapter 11 Firewall Your firewall would have the following configuration. Table 66 Blocking All LAN to WAN IRC Traffic Example (columns: SOURCE, DESTINATION, SCHEDULE, SERVICE, ACTION; the ACTION entries are Drop for the first row and Allow for the default rule) • The first row blocks LAN access to the IRC service on the WAN. •...
  • Page 231: Asymmetrical Routes

    Chapter 11 Firewall • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
  • Page 232: Firewall Default Rule (Router Mode)

    Chapter 11 Firewall Figure 118 Using IP Alias to Solve the Triangle Route Problem 11.7 Firewall Default Rule (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 119 SECURITY >...
  • Page 233: Table 68 Security > Firewall > Default Rule (Router Mode)

    Chapter 11 Firewall The following table describes the labels in this screen. Table 68 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Note: When you activate the firewall, all current connections through the ZyWALL are dropped when you apply your changes.
  • Page 234: Firewall Default Rule (Bridge Mode)

    Chapter 11 Firewall Table 68 SECURITY > FIREWALL > Default Rule (Router Mode) (continued) LABEL DESCRIPTION Select the check box next to a direction of packet travel to create a log when the above action is taken for packets that are traveling in that direction and do not match any of your customized rules.
  • Page 235: Table 69 Security > Firewall > Default Rule (Bridge Mode)

    Chapter 11 Firewall The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Note: When you activate the firewall, all current connections through the ZyWALL are dropped when you apply your changes.
  • Page 236: Firewall Rule Summary

    Chapter 11 Firewall 11.9 Firewall Rule Summary Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. The ordering of your rules is very important as rules are applied in the order that they are listed.
  • Page 237: Firewall Edit Rule

    Chapter 11 Firewall Table 70 SECURITY > FIREWALL > Rule Summary LABEL DESCRIPTION This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop down lists.
  • Page 238: Figure 122 Security > Firewall > Rule Summary > Edit

    Chapter 11 Firewall Figure 122 SECURITY > FIREWALL > Rule Summary > Edit
  • Page 239: Table 71 Security > Firewall > Rule Summary > Edit

    Chapter 11 Firewall The following table describes the labels in this screen. Table 71 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed. Edit Source/ Destination Address...
  • Page 240: Anti-Probing

    Chapter 11 Firewall Table 71 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  • Page 241: Firewall Thresholds

    Chapter 11 Firewall The following table describes the labels in this screen. Table 72 SECURITY > FIREWALL > Anti-Probing LABEL DESCRIPTION Respond to PING Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface’s check box to have the ZyWALL not respond to any Ping requests that come into that interface.
  • Page 242: Threshold Values

    Chapter 11 Firewall 11.11.1 Threshold Values If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyWALL is classifying normal traffic as DoS attacks.
  • Page 243: Table 73 Security > Firewall > Threshold

    Chapter 11 Firewall The following table describes the labels in this screen. Table 73 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on: Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds.
  • Page 244: Service

    Chapter 11 Firewall 11.13 Service Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. See Section 11.1 on page 221 for more information about the firewall.
  • Page 245: Firewall Edit Custom Service

    Chapter 11 Firewall Table 74 SECURITY > FIREWALL > Service (continued) LABEL DESCRIPTION Protocol This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered. Attribute This is the IP port number or ICMP type and code that defines the service. Modify Click the edit icon to go to the screen where you can edit the service.
  • Page 246: My Service Firewall Rule Example

    Chapter 11 Firewall The following table describes the labels in this screen. Table 75 SECURITY > FIREWALL > Service > Add LABEL DESCRIPTION Service Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the custom service. You cannot use the “(“ character.
  • Page 247: Figure 129 My Service Firewall Rule Example: Edit Custom Service

    Chapter 11 Firewall Figure 129 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box. 4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 248: Figure 131 My Service Firewall Rule Example: Rule Edit

    Chapter 11 Firewall Figure 131 My Service Firewall Rule Example: Rule Edit 9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
  • Page 249: Figure 132 My Service Firewall Rule Example: Rule Configuration

    Chapter 11 Firewall Figure 132 My Service Firewall Rule Example: Rule Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 250: Figure 133 My Service Firewall Rule Example: Rule Summary

    Chapter 11 Firewall Figure 133 My Service Firewall Rule Example: Rule Summary
  • Page 251: Intrusion Detection And Prevention (IDP)

    Chapter 12 Intrusion Detection and Prevention (IDP) This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL. 12.1 Introduction to IDP An IDP system can detect malicious or suspicious packets and respond instantaneously.
  • Page 252: Firewalls And Intrusions

    Chapter 12 Intrusion Detection and Prevention (IDP) 12.1.1 Firewalls and Intrusions Firewalls are designed to block clearly suspicious traffic and forward other traffic through. Many exploits take advantage of weaknesses in the protocols that are allowed through the firewall, so that once an inside server has been compromised it can be used as a backdoor to launch attacks on other servers.
  • Page 253: Example Intrusions

    Chapter 12 Intrusion Detection and Prevention (IDP) 12.1.5 Example Intrusions The following are some examples of intrusions. 12.1.5.1 SQL Slammer Worm W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port.
  • Page 254: ZyWALL IDP

    See Section 13.2 on page 256 for more information on how to apply IDP to ZyWALL interfaces. IDP is regularly updated by the ZyXEL Security Response Team (ZSRT). Regular updates are vital as new intrusions evolve.
  • Page 255: Configuring IDP

    Chapter 13 Configuring IDP This chapter shows you how to configure IDP on the ZyWALL. 13.1 Overview To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card guide for details. Turn the ZyWALL off before you install or remove the ZyWALL Turbo card.
  • Page 256: General Setup

    Chapter 13 Configuring IDP Figure 135 Applying IDP to Interfaces 13.2 General Setup Use this screen to enable IDP on the ZyWALL and choose what traffic flows the ZyWALL checks for intrusions. Click SECURITY > IDP from the navigation panel. General is the first screen as shown in the following figure.
  • Page 257: Table 76 Security > IDP > General Setup

    Chapter 13 Configuring IDP The following table describes the labels in this screen. Table 76 SECURITY > IDP > General Setup LABEL DESCRIPTION General Setup Enable Intrusion Detection and Prevention: Select this check box to enable IDP on the ZyWALL. When this check box is cleared the ZyWALL is in IDP “bypass”...
  • Page 258: IDP Signatures

    Chapter 13 Configuring IDP 13.3 IDP Signatures The rules that define how to identify and respond to intrusions are called “signatures”. Click SECURITY > IDP > Signatures to see the ZyWALL’s signatures. 13.3.1 Attack Types Click SECURITY > IDP > Signature. The Attack Type list box displays all intrusion types supported by the ZyWALL.
  • Page 259: Intrusion Severity

    Chapter 13 Configuring IDP Table 77 SECURITY > IDP > Signature: Attack Types (continued) TYPE DESCRIPTION Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server.
  • Page 260: Configuring IDP Signatures

    Chapter 13 Configuring IDP Figure 138 SECURITY > IDP > Signature: Actions The following table describes signature actions. Table 79 SECURITY > IDP > Signature: Actions ACTION DESCRIPTION No Action The intrusion is detected but no action is taken. Drop Packet The packet is silently discarded.
  • Page 261: Table 80 Security > IDP > Signature: Group View

    Chapter 13 Configuring IDP The following table describes the labels in this screen. Table 80 SECURITY > IDP > Signature: Group View LABEL DESCRIPTION Signature Groups Switch to query view: Click this hyperlink to go to a screen where you can search for signatures based on criteria other than attack type.
  • Page 262: Query View

    Chapter 13 Configuring IDP Table 80 SECURITY > IDP > Signature: Group View (continued) LABEL DESCRIPTION Apply Click this button to save your changes back to the ZyWALL. Reset Click this button to begin configuring this screen afresh. 13.3.5 Query View Click IDP >...
  • Page 263 Chapter 13 Configuring IDP Table 81 SECURITY > IDP > Signature: Query View (continued) LABEL DESCRIPTION Severity Search for signatures by severity level(s) (see Table 78 on page 259). Type Search for signatures by attack type(s) (see Table 77 on page 258).
  • Page 264 Chapter 13 Configuring IDP Table 81 SECURITY > IDP > Signature: Query View (continued) LABEL DESCRIPTION Alert You can only edit the Alert check box when the corresponding Log check box is selected. Select this check box to have an e-mail sent when a match is found for a signature.
  • Page 265: Figure 141 Security > IDP > Signature: Query By Partial Name

    Chapter 13 Configuring IDP Figure 141 SECURITY > IDP > Signature: Query by Partial Name Figure 142 SECURITY > IDP > Signature: Query by Complete ID 13.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 1 Select Signature Search By Attributes.
  • Page 266: Update

    Figure 143 Signature Query by Attribute. 13.4 Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.
  • Page 267: Configuring IDP Update

    Chapter 13 Configuring IDP Click the intrusion ID hyperlink to go directly to information on that signature or enter https://mysecurity.zyxel.com/mysecurity/ as the URL in your web browser. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/. You can use your myZyXEL.com username and password to log into mySecurityZone.
  • Page 268: Table 82 Security > IDP > Update

    Version: This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) who maintain and update them. This number increments as new signatures are added, so you should refer to this number regularly.
  • Page 269: Backup And Restore

    Chapter 13 Configuring IDP 13.5 Backup and Restore You can change the pre-defined settings of individual Active, Log, Alert and/or Action signatures. Figure 145 SECURITY > IDP > Backup & Restore Use the Backup & Restore screen to: • Back up IDP signatures with your custom configured settings. Click Backup and then choose a location and filename for the IDP configuration set.
  • Page 271: Anti-Virus

    Chapter 14 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 14.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
  • Page 272: Types Of Anti-Virus Scanner

    Chapter 14 Anti-Virus 3 The infected files are unintentionally sent to another computer thus starting the spread of the virus. 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially. 14.1.3 Types of Anti-Virus Scanner This section describes two types of anti-virus scanner: host-based and network-based.
  • Page 273: Notes About The Zywall Anti-Virus

    Chapter 14 Anti-Virus Figure 146 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, HTTP and FTP packets through standard ports. 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets.
  • Page 274: General Anti-Virus Setup

    Chapter 14 Anti-Virus The ZyWALL Turbo Card does not have a MAC address. The following lists important notes about the anti-virus scanner: 1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses. 2 When a virus is detected, an alert message is displayed in Microsoft Windows computers.
  • Page 275: Figure 147 Security > Anti-Virus > General

    Chapter 14 Anti-Virus Figure 147 SECURITY > ANTI-VIRUS > General The following table describes the labels in this screen. Table 84 SECURITY > ANTI-VIRUS > General LABEL DESCRIPTION General Setup Enable Anti-Virus Select this check box to check traffic for viruses. The anti-virus scanner works on the following.
  • Page 276: Signature Searching

    Chapter 14 Anti-Virus Table 84 SECURITY > ANTI-VIRUS > General (continued) LABEL DESCRIPTION From, To Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column.
  • Page 277: Figure 148 Security > Anti-Virus > Signature: Query View

    Chapter 14 Anti-Virus Figure 148 SECURITY > ANTI-VIRUS > Signature: Query View The following table describes the labels in this screen. Table 85 SECURITY > ANTI-VIRUS > Signature: Query View LABEL DESCRIPTION Query Signatures Select the criteria on which to perform the search. Signature Search Select this radio button if you would like to search the signatures by name or ID.
  • Page 278: Signature Search Example

    Chapter 14 Anti-Virus Table 85 SECURITY > ANTI-VIRUS > Signature: Query View (continued) LABEL DESCRIPTION Configure Signatures: The signature search results display in a table showing the SID, Name, Severity, Attack Type, Platform, Service, Activation, Log, and Action criteria as selected in the search.
  • Page 279: Signature Update

    Figure 150 Query Example Search Results 14.5 Signature Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.
  • Page 280: Mysecurityzone

    Chapter 14 Anti-Virus 14.5.1 mySecurityZone mySecurityZone is a web portal that provides all security-related information such as intrusion and anti-virus information for ZyXEL security products. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/. You can use your myZyXEL.com username and password to log into mySecurityZone.
  • Page 281: Table 86 Security > Anti-Virus > Update

    Version: This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) who maintain and update them. This number increments as new signatures are added, so you should refer to this number regularly.
  • Page 282: Backup And Restore

    Chapter 14 Anti-Virus 14.6 Backup and Restore Click ANTI-VIRUS > Backup & Restore. The screen displays as shown next. You can change the pre-defined Active, Log, Alert, Send Windows Message and/or Destroy File settings of individual signatures. Figure 152 SECURITY > ANTI-VIRUS > Backup and Restore Use the Backup &...
  • Page 283: Anti-Spam

    CHAPTER 15 Anti-Spam This chapter covers how to use the ZyWALL’s anti-spam feature to deal with junk e-mail (spam). 15.1 Anti-Spam Overview The ZyWALL’s anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam. The ZyWALL can use an anti-spam external database to help identify spam.
  • Page 284 Chapter 15 Anti-Spam 15.1.1.1 SpamBulk Engine The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a database of e-mail fingerprint IDs.
  • Page 285: Spam Threshold

    Chapter 15 Anti-Spam Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are common tricks for which the SpamTricks engine checks. The SpamTricks engine also checks for “phishing” (see Section 15.1.3 on page 285 for more on phishing). 15.1.2 Spam Threshold You can configure the threshold for what spam score is classified as spam.
  • Page 286: Whitelist

    Chapter 15 Anti-Spam 15.1.4 Whitelist Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the ZyWALL classify any e-mail that is from a specified sender or uses a specified MIME (Multipurpose Internet Mail Extensions) header or MIME header value as being legitimate (see Section 15.1.7 on page 286 for more on MIME headers).
  • Page 287: Anti-Spam General Screen

    Chapter 15 Anti-Spam In a MIME header, the part that comes before the colon (:) is the header. The part that comes after the colon is the value. Spam often has blank header values or comments in them that are part of an attempt to bypass spam filters.
  • Page 288 Chapter 15 Anti-Spam Table 87 SECURITY > ANTI-SPAM > General LABEL DESCRIPTION From, To Select the directions of travel of packets that you want to check. Select or clear a row or column’s first check box (with the interface label) to select or clear the interface’s whole row or column.
  • Page 289: Anti-Spam External Db Screen

    Chapter 15 Anti-Spam Table 87 SECURITY > ANTI-SPAM > General LABEL DESCRIPTION Forward SMTP & POP3 mail with tag in mail subject: Select this radio button to have the ZyWALL forward spam e-mail with the mail tag that you define. Even if you plan to use the discard option, you may want to use this initially as a test to check how accurate your anti-spam settings are.
  • Page 290: Figure 155 Security > Anti-Spam > External Db

    Chapter 15 Anti-Spam Figure 155 SECURITY > ANTI-SPAM > External DB The following table describes the labels in this screen. Table 88 SECURITY > ANTI-SPAM > External DB LABEL DESCRIPTION External Database Enable External Database: Enable the anti-spam external database feature to have the ZyWALL calculate a digest of an e-mail and send it to an anti-spam external database.
  • Page 291: Anti-Spam Lists Screen

    Chapter 15 Anti-Spam Table 88 SECURITY > ANTI-SPAM > External DB (continued) LABEL DESCRIPTION Action for No Spam Score: Use this field to configure what the ZyWALL does if it does not receive a valid response from the anti-spam external database. If the ZyWALL does not receive a response within seven seconds, it sends the e-mail digest a second time.
  • Page 292: Figure 156 Security > Anti-Spam > Lists

    Chapter 15 Anti-Spam Figure 156 SECURITY > ANTI-SPAM > Lists The following table describes the labels in this screen. Table 89 SECURITY > ANTI-SPAM > Lists LABEL DESCRIPTION Resource Usage Whitelist & Blacklist Storage Space in Use: This bar displays the percentage of the ZyWALL’s anti-spam whitelist and blacklist storage space that is currently in use.
  • Page 293: Anti-Spam Lists Edit Screen

    Chapter 15 Anti-Spam Table 89 SECURITY > ANTI-SPAM > Lists (continued) LABEL DESCRIPTION Use Blacklist Select this check box to have the ZyWALL treat e-mail that matches a blacklist entry as spam. Active This field shows whether or not an entry is turned on. Type This field displays whether the entry is based on the e-mail’s source IP address, source e-mail address, a MIME header or the e-mail’s subject.
  • Page 294: Table 90 Security > Anti-Spam > Lists > Edit

    Chapter 15 Anti-Spam The following table describes the labels in this screen. Table 90 SECURITY > ANTI-SPAM > Lists > Edit LABEL DESCRIPTION Rule Edit Active Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corresponding list (in the Anti-Spam Customization screen) and the anti-spam feature (in the Anti-Spam General screen).
  • Page 295 Chapter 15 Anti-Spam Table 90 SECURITY > ANTI-SPAM > Lists > Edit LABEL DESCRIPTION Header This field displays when you select the MIME Header type. Type the header part of a MIME header (up to 63 ASCII characters). In a MIME header, the header is the part that comes before the colon (:). For example, if you want the whitelist or blacklist entry to check for the MIME header “X-MSMail-Priority: Normal”, enter “X-MSMail-Priority”...
  • Page 297: Content Filtering Screens

    CHAPTER 16 Content Filtering Screens This chapter provides an overview of content filtering. 16.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites. With content filtering, you can do the following: 16.1.1 Restrict Web Features The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and disable web proxies.
  • Page 298: Figure 158 Security > Content Filter > General

    Chapter 16 Content Filtering Screens Figure 158 SECURITY > CONTENT FILTER > General The following table describes the labels in this screen. Table 91 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter. Content filtering works on HTTP traffic that is using TCP ports 80, 119, 3128 or 8080.
  • Page 299 Chapter 16 Content Filtering Screens Table 91 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 300: Content Filtering With An External Database

    Chapter 16 Content Filtering Screens Table 91 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION Delete Range Click Delete Range after you select the range of addresses you wish to delete. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 301 Chapter 16 Content Filtering Screens Use this screen to configure category-based content filtering. You can set the ZyWALL to use external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it. Use the REGISTRATION screens (see Chapter 5 on page 119) to create a myZyXEL.com account,...
  • Page 302: Figure 160 Security > Content Filter > Categories

    Chapter 16 Content Filtering Screens Figure 160 SECURITY > CONTENT FILTER > Categories The following table describes the labels in this screen. Table 92 SECURITY > CONTENT FILTER > Categories LABEL DESCRIPTION Auto Category Setup Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs.
  • Page 303 Chapter 16 Content Filtering Screens Table 92 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Unrated Web Pages Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
  • Page 304 Chapter 16 Content Filtering Screens Table 92 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Nudity Selecting this category excludes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature.
  • Page 305 Chapter 16 Content Filtering Screens Table 92 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Business/Economy Selecting this category excludes pages devoted to business firms, business information, economics, marketing, business management and entrepreneurship. This does not include pages that perform services that are defined in another category (such as Information Technology companies, or companies that sell travel services).
  • Page 306 Chapter 16 Content Filtering Screens Table 92 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Health Selecting this category excludes pages that provide advice and information on general health such as fitness and well-being, personal health or medical services, drugs, alternative and complementary therapies, medical information about ailments, dentistry, optometry, general psychiatry, self-help, and support organizations dedicated to a disease or condition.
  • Page 307 Chapter 16 Content Filtering Screens Table 92 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Email Selecting this category excludes pages offering web-based email services, such as online email reading, e-cards, and mailing list services. Blogs/Newsgroups Selecting this category excludes pages that offer access to Usenet news groups or other messaging or bulletin board systems.
  • Page 308 Chapter 16 Content Filtering Screens Table 92 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Sports/Recreation/Hobbies Selecting this category excludes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
  • Page 309: Content Filter Customization

    Chapter 16 Content Filtering Screens Table 92 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Content Filter Service Status: This read-only field displays the status of your category-based content filtering (using an external database) service subscription. License Inactive displays if you have not registered and activated the category-based content filtering service.
  • Page 310: Figure 161 Security > Content Filter > Customization

    Chapter 16 Content Filtering Screens Figure 161 SECURITY > CONTENT FILTER > Customization The following table describes the labels in this screen. Table 93 SECURITY > CONTENT FILTER > Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.
  • Page 311: Customizing Keyword Blocking Url Checking

    Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
  • Page 312: Domain Name Or Ip Address Url Checking

    16.6.2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/. Use the...
  • Page 313: Figure 162 Security > Content Filter > Cache

    Chapter 16 Content Filtering Screens Figure 162 SECURITY > CONTENT FILTER > Cache The following table describes the labels in this screen. Table 94 SECURITY > CONTENT FILTER > Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
  • Page 315: Content Filtering Reports

    CHAPTER 17 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 119 on how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
  • Page 316: Figure 163 Myzyxel.com: Login

    Figure 163 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see...
  • Page 317: Figure 165 Myzyxel.com: Service Management

    Chapter 17 Content Filtering Reports Figure 165 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 165 on page 317).
  • Page 318: Figure 167 Content Filtering Reports Main Screen

    Chapter 17 Content Filtering Reports Figure 167 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 168 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 319: Figure 169 Global Report Screen Example

    Chapter 17 Content Filtering Reports Figure 169 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 320: Web Site Submission

    Chapter 17 Content Filtering Reports Figure 170 Requested URLs Example 17.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
  • Page 321: Figure 171 Web Page Review Process Screen

    Chapter 17 Content Filtering Reports Figure 171 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
  • Page 323: Ipsec Vpn

    CHAPTER 18 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL.
  • Page 324: Ike Sa Overview

    Chapter 18 IPSec VPN A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
  • Page 325: Vpn Rules (Ike)

    Chapter 18 IPSec VPN You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well.
  • Page 326: Figure 176 Security > Vpn > Vpn Rules (Ike)

    Chapter 18 IPSec VPN Figure 176 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in this screen. Table 95 SECURITY > VPN > VPN Rules (IKE) LABEL DESCRIPTION VPN Rules These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks.
  • Page 327: Ike Sa Setup

    Chapter 18 IPSec VPN Table 95 SECURITY > VPN > VPN Rules (IKE) (continued) LABEL DESCRIPTION Click this icon to display a screen in which you can associate a network policy to a gateway policy. Click this icon to display a screen in which you can change the settings of a gateway or network policy.
  • Page 328: Figure 178 Ike Sa: Main Negotiation Mode, Steps 3 - 4: Dh Key Exchange

    Chapter 18 IPSec VPN See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 18.3.1.1 on page 328 for more information about DH key groups. 18.3.1.1 Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA.
  • Page 329: Table 96 Vpn Example: Matching Id Type And Content

    Chapter 18 IPSec VPN Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.
  • Page 330 Chapter 18 IPSec VPN • If you set the peer ID type to Any, the ZyWALL authenticates the remote IPSec router using the trusted certificates and trusted CAs you have set up. Alternatively, if you want to use a specific certificate to authenticate the remote IPSec router, you can use the information in the certificate to specify the peer ID type and ID content.
  • Page 331: Additional Ipsec Vpn Topics

    Chapter 18 IPSec VPN Aggressive mode does not provide as much security as main mode because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters).
  • Page 332: Ipsec High Availability

    Chapter 18 IPSec VPN Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic. If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected. An IPSec SA can be set to nailed up. Normally, the ZyWALL drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic.
  • Page 333: Encryption And Authentication Algorithms

    Chapter 18 IPSec VPN • Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections • Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0) •...
  • Page 334: Figure 182 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    Chapter 18 IPSec VPN Figure 182 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
  • Page 335: Table 98 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    Chapter 18 IPSec VPN The following table describes the labels in this screen. Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 336 Chapter 18 IPSec VPN Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Fall back to Primary Remote Gateway when possible: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again. Fall Back Check...
  • Page 337 Chapter 18 IPSec VPN Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
  • Page 338 Chapter 18 IPSec VPN Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 20 on page...
  • Page 339: Ipsec Sa Overview

    Chapter 18 IPSec VPN Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Associated The following table shows the policy(ies) you configure for this rule. Network Policies To add a VPN policy, click the add network policy ( ) icon in the VPN Rules (IKE) screen (see Figure 176 on page...
  • Page 340: Encapsulation

    Chapter 18 IPSec VPN Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 18.6.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
  • Page 341: Vpn Rules (Ike): Network Policy Edit

    Chapter 18 IPSec VPN If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
  • Page 342: Figure 184 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    Chapter 18 IPSec VPN Figure 184 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
  • Page 343: Table 99 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    Chapter 18 IPSec VPN The following table describes the labels in this screen. Table 99 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 344 Chapter 18 IPSec VPN Table 99 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL DESCRIPTION Starting IP Address When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 345: Vpn Rules (Ike): Network Policy Move

    Chapter 18 IPSec VPN Table 99 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL DESCRIPTION Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
  • Page 346: Ipsec Sa Using Manual Keys

    Chapter 18 IPSec VPN Figure 185 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy The following table describes the labels in this screen. Table 100 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy LABEL DESCRIPTION Network Policy The following fields display the general network settings of this VPN policy.
  • Page 347: Ipsec Sa Proposal Using Manual Keys

    Chapter 18 IPSec VPN 18.9.1 IPSec SA Proposal Using Manual Keys In IPSec SA using manual keys, you can only specify one encryption algorithm and one authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use.
  • Page 348: Vpn Rules (Manual): Edit

    Chapter 18 IPSec VPN The following table describes the labels in this screen. Table 101 SECURITY > VPN > VPN Rules (Manual) LABEL DESCRIPTION This is the VPN policy index number. Name This field displays the identification name for this VPN policy. Active This field displays whether the VPN policy is active or not.
  • Page 349: Figure 187 Security > Vpn > Vpn Rules (Manual) > Edit

    Chapter 18 IPSec VPN Figure 187 SECURITY > VPN > VPN Rules (Manual) > Edit The following table describes the labels in this screen. Table 102 SECURITY > VPN > VPN Rules (Manual) > Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy.
  • Page 350 Chapter 18 IPSec VPN Table 102 SECURITY > VPN > VPN Rules (Manual) > Edit (continued) LABEL DESCRIPTION Address Type Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses.
  • Page 351: Vpn Sa Monitor

    Chapter 18 IPSec VPN Table 102 SECURITY > VPN > VPN Rules (Manual) > Edit (continued) LABEL DESCRIPTION Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box. Active Protocol: Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH.
  • Page 352: Vpn Global Setting

    Chapter 18 IPSec VPN Figure 188 SECURITY > VPN > SA Monitor The following table describes the labels in this screen. Table 103 SECURITY > VPN > SA Monitor LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy. Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
  • Page 353: Table 104 Security > Vpn > Global Setting

    Chapter 18 IPSec VPN The following table describes the labels in this screen. Table 104 SECURITY > VPN > Global Setting LABEL DESCRIPTION Output Idle Timer When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity.
  • Page 354: Telecommuter Vpn/Ipsec Examples

    Chapter 18 IPSec VPN 18.14 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. 18.14.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a...
  • Page 355: Figure 191 Telecommuters Using Unique Vpn Rules Example

    Chapter 18 IPSec VPN With aggressive negotiation mode (see Section 18.3.1.4 on page 330), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters.
  • Page 356: Vpn And Remote Management

    Chapter 18 IPSec VPN Table 106 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS: Local ID Type: DNS; Local ID Content: telecommuterb.com; Local IP Address: 192.168.3.2. HEADQUARTERS: Peer ID Type: DNS; Peer ID Content: telecommuterb.com; Remote Gateway Address: telecommuterb.dydns.org; Remote Address: 192.168.3.2. Telecommuter C (telecommuterc.dydns.org) Headquarters ZyWALL Rule 3: Local ID Type: E-mail...
  • Page 357: Hub-And-Spoke Vpn Example

    Chapter 18 IPSec VPN Figure 193 on page 357 shows some example network topologies. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A).
  • Page 358: Hub-And-Spoke Example Vpn Rule Addresses

    Chapter 18 IPSec VPN Figure 194 Hub-and-spoke VPN Example 18.16.2 Hub-and-spoke Example VPN Rule Addresses The VPN rules for this hub-and-spoke example would use the following address settings. Branch Office A: • Remote Gateway: 10.0.0.1 • Local IP address: 192.168.167.0/255.255.255.0 •...
  • Page 359 Chapter 18 IPSec VPN The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
  • Page 361: Certificates

    Chapter 19 Certificates This chapter gives background information about public-key certificates and explains how to use them. 19.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
  • Page 362: Advantages Of Certificates

    Chapter 19 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 363: Configuration Summary

    Chapter 19 Certificates Figure 196 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 364: My Certificates

    Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address.
  • Page 365 Chapter 19 Certificates Table 107 SECURITY > CERTIFICATES > My Certificates (continued) LABEL DESCRIPTION Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
  • Page 366: My Certificate Details

    Chapter 19 Certificates 19.6 My Certificate Details Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 198 on page 364). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 367: Table 108 Security > Certificates > My Certificates > Details

    Chapter 19 Certificates The following table describes the labels in this screen. Table 108 SECURITY > CERTIFICATES > My Certificates > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
  • Page 368: My Certificate Export

    Chapter 19 Certificates Table 108 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL DESCRIPTION Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
  • Page 369: My Certificate Import

    Chapter 19 Certificates Figure 200 SECURITY > CERTIFICATES > My Certificates > Export The following table describes the labels in this screen. Table 109 SECURITY > CERTIFICATES > My Certificates > Export LABEL DESCRIPTION Export the certificate in binary X.509 format: Binary X.509 is an ITU-T recommendation that defines the formats for X.509...
  • Page 370: Certificate File Formats

    Chapter 19 Certificates You must remove any spaces from the certificate’s filename before you can import it. 19.8.1 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
  • Page 371: Figure 201 Security > Certificates > My Certificates > Import

    Chapter 19 Certificates Figure 201 SECURITY > CERTIFICATES > My Certificates > Import The following table describes the labels in this screen. Table 110 SECURITY > CERTIFICATES > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • Page 372: My Certificate Create

    Chapter 19 Certificates 19.9 My Certificate Create Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 203 SECURITY >...
  • Page 373 Chapter 19 Certificates Table 112 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Organizational Unit Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 374: Trusted Cas

    Chapter 19 Certificates Table 112 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Type the key that the certification authority gave you. Apply Click Apply to begin certificate or certification request generation. Cancel Click Cancel to quit and return to the My Certificates screen. After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request.
  • Page 375: Trusted Ca Details

    Chapter 19 Certificates The following table describes the labels in this screen. Table 113 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 376: Figure 205 Security > Certificates > Trusted Cas > Details

    Chapter 19 Certificates Figure 205 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 114 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 377 Chapter 19 Certificates Table 114 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
  • Page 378: Trusted Ca Import

    Chapter 19 Certificates Table 114 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
  • Page 379: Trusted Remote Hosts

    Chapter 19 Certificates Figure 206 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. Table 115 SECURITY > CERTIFICATES > Trusted CAs Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • Page 380: Figure 207 Security > Certificates > Trusted Remote Hosts

    Chapter 19 Certificates Figure 207 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 116 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 381: Trusted Remote Hosts Import

    Chapter 19 Certificates 19.14 Trusted Remote Hosts Import Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen.
  • Page 382: Trusted Remote Host Certificate Details

    Chapter 19 Certificates 19.15 Trusted Remote Host Certificate Details Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
  • Page 383: Table 118 Security > Certificates > Trusted Remote Hosts > Details

    Chapter 19 Certificates The following table describes the labels in this screen. Table 118 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 384: Directory Servers

    Chapter 19 Certificates Table 118 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued) LABEL DESCRIPTION MD5 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. The ZyWALL uses one of its own self-signed certificates to sign the imported trusted remote host certificates.
  • Page 385: Directory Server Add Or Edit

    Chapter 19 Certificates The following table describes the labels in this screen. Table 119 SECURITY > CERTIFICATES > Directory Servers LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 386: Table 120 Security > Certificates > Directory Server > Add

    Chapter 19 Certificates The following table describes the labels in this screen. Table 120 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
  • Page 387: Authentication Server

    Chapter 20 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 20.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 388: Figure 212 Security > Auth Server > Local User Database

    Chapter 20 Authentication Server Figure 212 SECURITY > AUTH SERVER > Local User Database
  • Page 389: Radius

    Chapter 20 Authentication Server The following table describes the labels in this screen. Table 121 SECURITY > AUTH SERVER > Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile.
  • Page 390 Chapter 20 Authentication Server Table 122 SECURITY > AUTH SERVER > RADIUS LABEL DESCRIPTION Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL.
  • Page 391: Advanced

    Advanced Network Address Translation (NAT) (393) Static Route (411) Policy Route (415) Bandwidth Management (421) DNS (437) Remote Management (449) UPnP (471) ALG Screen (481)
  • Page 393: Network Address Translation (Nat)

    Chapter 21 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 21.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 394: What Nat Does

    Chapter 21 Network Address Translation (NAT) NAT never changes the IP address (either local or global) of an outside host. 21.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 395: Nat Application

    Chapter 21 Network Address Translation (NAT) Figure 214 How NAT Works 21.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks.
  • Page 396: Port Restricted Cone Nat

    • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option). • Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Page 397: Using Nat

    Chapter 21 Network Address Translation (NAT) • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
  • Page 398: Nat Overview Screen

    Chapter 21 Network Address Translation (NAT) Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don’t configure NAT mapping rules to those computers with public IP addresses on the DMZ.
  • Page 399: Nat Address Mapping

    Chapter 21 Network Address Translation (NAT) Table 125 ADVANCED > NAT > NAT Overview (continued) LABEL DESCRIPTION Max. Concurrent Sessions Per Host: Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time. WAN Operation...
  • Page 400: What Nat Does

    Chapter 21 Network Address Translation (NAT) 21.4.1 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
  • Page 401: Nat Address Mapping Edit

    One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature, which was the only mode that previous ZyXEL routers supported.
  • Page 402: Port Forwarding

    2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature. 3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
  • Page 403: Default Server Ip Address

    Chapter 21 Network Address Translation (NAT) You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21.
  • Page 404: Configuring Servers Behind Port Forwarding (Example)

    Chapter 21 Network Address Translation (NAT) 21.5.3 Configuring Servers Behind Port Forwarding (Example) Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example).
  • Page 405: Port Forwarding Screen

    Chapter 21 Network Address Translation (NAT) Figure 221 Port Translation Example 21.6 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 406: Figure 222 Advanced > Nat > Port Forwarding

    Chapter 21 Network Address Translation (NAT) Figure 222 ADVANCED > NAT > Port Forwarding The following table describes the labels in this screen. Table 129 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN interface for which you want to view or configure address mapping rules.
  • Page 407: Port Triggering

    Chapter 21 Network Address Translation (NAT) Table 129 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION Server IP Enter the inside IP address of the server here. Address Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 408: Figure 224 Advanced > Nat > Port Triggering

    Chapter 21 Network Address Translation (NAT) 5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). Click ADVANCED >...
  • Page 409 Chapter 21 Network Address Translation (NAT) Table 130 ADVANCED > NAT > Port Triggering LABEL DESCRIPTION End Port Type a port number or the ending port number in a range of port numbers. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 411: Static Route

    Chapter 22 Static Route This chapter shows you how to configure static routes for your ZyWALL. 22.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1.
  • Page 412: Figure 226 Advanced > Static Route > Ip Static Route

    Chapter 22 Static Route Figure 226 ADVANCED > STATIC ROUTE > IP Static Route The following table describes the labels in this screen. Table 131 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION This is the number of an individual static route. Name This is the name that describes or identifies this route.
  • Page 413: Ip Static Route Edit

    Chapter 22 Static Route Table 131 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION Gateway This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL’s interface. The gateway helps forward packets to their destinations.
  • Page 414 Chapter 22 Static Route Table 132 ADVANCED > STATIC ROUTE > IP Static Route > Edit LABEL DESCRIPTION Private This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
  • Page 415: Policy Route

    Chapter 23 Policy Route This chapter covers setting and applying policies used for IP routing. 23.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 416: Ip Routing Policy Setup

    Chapter 23 Policy Route IPPR follows the existing packet filtering facility of RAS in style and in implementation. 23.4 IP Routing Policy Setup Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown). Figure 228 ADVANCED >...
  • Page 417: Policy Route Edit

    Chapter 23 Policy Route The following table describes the labels in this screen. Table 133 ADVANCED > POLICY ROUTE > Policy Route Summary LABEL DESCRIPTION This is the number of an individual policy route. Active This field shows whether the policy is active or inactive. Source This is the source IP address range and/or port number range.
  • Page 418: Figure 229 Edit Ip Policy Route

    Chapter 23 Policy Route Figure 229 Edit IP Policy Route The following table describes the labels in this screen. Table 134 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of the policy route.
  • Page 419 Chapter 23 Policy Route Table 134 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Application: Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom.
  • Page 420 Chapter 23 Policy Route Table 134 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination.
  • Page 421: Bandwidth Management

    Chapter 24 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 24.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
  • Page 422: Proportional Bandwidth Allocation

    Chapter 24 Bandwidth Management 24.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 24.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).
  • Page 423: Scheduler

    Chapter 24 Bandwidth Management Table 135 Application and Subnet-based Bandwidth Management Example (Traffic Type / From Subnet A / From Subnet B): E-mail: 64 Kbps / 64 Kbps; Video: 64 Kbps / 64 Kbps. 24.7 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based.
  • Page 424: Maximize Bandwidth Usage Example

    Chapter 24 Bandwidth Management 2 Do not enable the interface’s Maximize Bandwidth Usage option. 3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 24.8 on page 425). 24.7.5 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface.
  • Page 425: Bandwidth Borrowing

    Chapter 24 Bandwidth Management 24.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Table 138 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example BANDWIDTH CLASSES AND ALLOTMENTS Root Class: 10240 kbps Administration: 1024 kbps Sales: 3072 kbps Marketing: 3072 kbps...
  • Page 426: Maximize Bandwidth Usage With Bandwidth Borrowing

    Chapter 24 Bandwidth Management Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL. Table 139 Bandwidth Borrowing Example BANDWIDTH CLASSES AND BANDWIDTH BORROWING SETTINGS Root Class: Administration: Borrowing Enabled Sales: Borrowing Disabled Sales USA: Borrowing Bill: Borrowing Enabled...
  • Page 427: Over Allotment Of Bandwidth

    Chapter 24 Bandwidth Management 4 If the bandwidth requirements of all of the traffic classes are met and there is still some unbudgeted bandwidth, the ZyWALL assigns it to traffic that does not match any of the classes. 24.10 Over Allotment of Bandwidth It is possible to set the bandwidth management speed for an interface higher than the interface’s actual transmission speed.
  • Page 428: Figure 231 Advanced > Bw Mgmt > Summary

    Chapter 24 Bandwidth Management Figure 231 ADVANCED > BW MGMT > Summary The following table describes the labels in this screen. Table 141 ADVANCED > BW MGMT > Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface.
  • Page 429: Configuring Class Setup

    Chapter 24 Bandwidth Management Table 141 ADVANCED > BW MGMT > Summary (continued) LABEL DESCRIPTION Maximize Bandwidth Usage: Select this check box to have the ZyWALL divide up all of the interface’s unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class (see...
  • Page 430: Bandwidth Manager Class Configuration

    Chapter 24 Bandwidth Management The following table describes the labels in this screen. Table 142 ADVANCED > BW MGMT > Class Setup LABEL DESCRIPTION Interface Select an interface for which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming. So, in order to limit the download bandwidth of the LAN users, set the bandwidth management class on the LAN.
  • Page 431: Figure 233 Advanced > Bw Mgmt > Class Setup > Add Sub-Class

    Chapter 24 Bandwidth Management Figure 233 ADVANCED > BW MGMT > Class Setup > Add Sub-Class The following table describes the labels in this screen. Table 143 ADVANCED > BW MGMT > Class Setup > Add Sub-Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 432 Chapter 24 Bandwidth Management Table 143 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
  • Page 433: Bandwidth Management Statistics

    Chapter 24 Bandwidth Management Table 143 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Source Address Type Do you want your rule to apply to packets coming from a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50) or a subnet? Select Single Address, Range Address or Subnet Address.
  • Page 434: Bandwidth Manager Monitor

    Chapter 24 Bandwidth Management Figure 234 ADVANCED > BW MGMT > Class Setup > Statistics The following table describes the labels in this screen. Table 145 ADVANCED > BW MGMT > Class Setup > Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is showing. Budget (kbps) This field displays the amount of bandwidth allocated to the class.
  • Page 435: Figure 235 Advanced > Bw Mgmt > Monitor

    Chapter 24 Bandwidth Management Figure 235 ADVANCED > BW MGMT > Monitor The following table describes the labels in this screen. Table 146 ADVANCED > BW MGMT > Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
  • Page 437: Dns

    Chapter 25 DNS This chapter shows you how to configure the DNS screens. 25.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 438: Address Record

    An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
  • Page 439: System Screen

    Chapter 25 DNS Figure 236 Private DNS Server Example If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 25.6 System Screen Click ADVANCED >...
  • Page 440: Figure 237 Advanced > Dns > System Dns

    (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
  • Page 441: Adding An Address Record

    This is the index number of the name server record. Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. From This field displays whether the IP address of a DNS server is from a WAN interface (and which it is) or specified by the user.
  • Page 442: Inserting A Name Server Record

    For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain. IP Address If this entry is for one of the WAN ports on a ZyWALL with multiple WAN ports, select WAN Interface and select WAN 1 or WAN 2 from the drop-down list box.
  • Page 443: Dns Cache

    For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Leave this field blank if all domain zones are served by the specified DNS server(s).
  • Page 444: Figure 240 Advanced > Dns > Cache

    Chapter 25 DNS Figure 240 ADVANCED > DNS > Cache The following table describes the labels in this screen. Table 150 ADVANCED > DNS > Cache LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the...
  • Page 445: Configuring Dns Dhcp

    Chapter 25 DNS Table 150 ADVANCED > DNS > Cache LABEL DESCRIPTION IP Address: This is the (resolved) IP address of a host. This field displays 0.0.0.0 for negative DNS resolution entries. Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache.
  • Page 446: Dynamic Dns

    Chapter 25 DNS Table 151 ADVANCED > DNS > DHCP LABEL DESCRIPTION Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server.
  • Page 447: High Availability

    Chapter 25 DNS If you have a private WAN IP address, then you cannot use Dynamic DNS. 25.10.2 High Availability A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.
  • Page 448 Table 152 ADVANCED > DNS > DDNS LABEL DESCRIPTION Username Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. Password Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore).
  • Page 449: Remote Management

    CHAPTER 26 Remote Management This chapter provides information on the Remote Management screens. 26.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN.
  • Page 450: Remote Management Limitations

    3 Telnet 4 HTTPS and HTTP Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. 26.1.1 Remote Management Limitations Remote management does not work when: 1 You have not enabled that service on the interface in the corresponding remote management screen.
  • Page 451: Www

    1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server).
  • Page 452: Figure 245 Advanced > Remote Mgmt > Www

    Figure 245 ADVANCED > REMOTE MGMT > WWW The following table describes the labels in this screen. Table 153 ADVANCED > REMOTE MGMT > WWW LABEL DESCRIPTION HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 453: Https Example

    Table 153 ADVANCED > REMOTE MGMT > WWW (continued) LABEL DESCRIPTION Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service.
  • Page 454: Avoiding The Browser Warning Messages

    If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client. Figure 247 Security Certificate 1 (Netscape) Figure 248 Security Certificate 2 (Netscape) 26.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the...
  • Page 455: Login Screen

    • To have the browser trust the certificates issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certificate. Refer to Appendix K on page 791 for details. • The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received.
  • Page 456: Figure 250 Replace Certificate

    The factory default certificate is a common default certificate for all ZyWALL models. Figure 250 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen.
  • Page 457: Ssh

    Figure 252 Common ZyWALL Certificate 26.5 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come.
  • Page 458: Ssh Implementation On The Zywall

    Figure 254 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
  • Page 459: Configuring Ssh

    26.8 Configuring SSH Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 255 ADVANCED > REMOTE MGMT > SSH The following table describes the labels in this screen.
  • Page 460: Secure Telnet Using Ssh Examples

    26.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide. 26.9.1 Example 1: Microsoft Windows This section describes how to access the ZyWALL using the Secure Shell Client program.
  • Page 461: Secure Ftp Using Ssh Example

    2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 462: Telnet

    Figure 259 Secure FTP: Firmware Upload Example $ sftp -1 192.168.1.1 Connecting to 192.168.1.1... The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 463: Ftp

    The following table describes the labels in this screen. Table 155 ADVANCED > REMOTE MGMT > Telnet LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 464: Snmp

    The following table describes the labels in this screen. Table 156 ADVANCED > REMOTE MGMT > FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 465: Supported Mibs

    Figure 262 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 466: Snmp Traps

    (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
  • Page 467: Dns

    The following table describes the labels in this screen. Table 158 ADVANCED > REMOTE MGMT > SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
  • Page 468: Introducing Vantage Cnm

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
  • Page 469: Figure 265 Advanced > Remote Mgmt > Cnm

    Figure 265 ADVANCED > REMOTE MGMT > CNM The following table describes the labels in this screen. Table 160 ADVANCED > REMOTE MGMT > CNM LABEL DESCRIPTION Registration Information Registration Status This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server.
  • Page 470 LABEL DESCRIPTION Vantage CNM Server Address: If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP address of the Vantage server.
  • Page 471: Upnp

    CHAPTER 27 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 27.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 472: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 27.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).
  • Page 473: Displaying Upnp Port Mapping

    Table 161 ADVANCED > UPnP LABEL DESCRIPTION Allow UPnP to pass through Firewall: Select this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
  • Page 474: Installing Upnp In Windows Example

    Table 162 ADVANCED > UPnP > Ports (continued) LABEL DESCRIPTION Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
  • Page 475: Installing Upnp In Windows Me

    27.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 476: Installing Upnp In Windows Xp

    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
  • Page 477: Auto-Discover Your Upnp-Enabled Network Device

    27.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 478: Web Configurator Easy Access

    27.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • Page 479 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
  • Page 480 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 481: Alg Screen

    CHAPTER 28 ALG Screen This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 28.1 ALG Introduction An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer.
  • Page 482: Alg And Multiple Wan

    28.1.3 ALG and Multiple WAN When the ZyWALL has two WAN interfaces and uses the second-highest priority WAN interface as a backup, traffic cannot pass through when the primary WAN connection fails. The ZyWALL does not automatically change the connection to the secondary WAN interface.
  • Page 483: Figure 268 H.323 Alg Example

    • You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and Figure 268 H.323 ALG Example •...
  • Page 484: Sip

    Figure 270 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
  • Page 485: Sip Signaling Session Timeout

    Figure 271 SIP ALG Example 28.5.3 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
  • Page 486: Figure 272 Advanced > Alg

    Figure 272 ADVANCED > ALG The following table describes the labels in this screen. Table 163 ADVANCED > ALG LABEL DESCRIPTION Enable FTP Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
  • Page 487: Reports, Logs And Maintenance

    Reports, Logs and Maintenance Reports (489) Logs Screens (501) Maintenance (529)
  • Page 489: Reports

    CHAPTER 29 Reports This chapter contains information about the ZyWALL’s system and threat reports. 29.1 Configuring Reports The System Reports screens display statistics about the network usage of the LAN, DMZ or WLAN computers. The Threat Reports screens display IDP, anti-virus and anti-spam statistics.
  • Page 490: Figure 273 Reports > System Reports

    Figure 273 REPORTS > SYSTEM REPORTS Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 164 REPORTS > SYSTEM REPORTS LABEL DESCRIPTION Collect Select the check box and click Apply to have the ZyWALL record report data.
  • Page 491: Viewing Web Site Hits

    All of the recorded reports data is erased when you turn off the ZyWALL. 29.2.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 492: Viewing Host Ip Address

    29.2.2 Viewing Host IP Address In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 493: Viewing Protocol/Port

    29.2.3 Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports. Figure 276 REPORTS >...
  • Page 494: System Reports Specifications

    29.2.4 System Reports Specifications The following table lists detailed specifications on the reports feature. Table 168 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: Hit count limit: Up to 2 hits can be counted per web site. The count starts over at 0 if it passes four billion.
  • Page 495: Table 169 Reports > Threat Reports > Idp

    The following table describes the labels in this screen. Table 169 REPORTS > THREAT REPORTS > IDP LABEL DESCRIPTION Collect Select this check box to have the ZyWALL collect IDP statistics. Statistics The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
  • Page 496: Anti-Virus Threat Reports Screen

    Figure 278 REPORTS > THREAT REPORTS > IDP > Source The statistics display as follows when you display the top entries by destination. Figure 279 REPORTS > THREAT REPORTS > IDP > Destination 29.4 Anti-Virus Threat Reports Screen Click REPORTS >...
  • Page 497: Figure 281 Reports > Threat Reports > Anti-Virus > Source

    The following table describes the labels in this screen. Table 170 REPORTS > THREAT REPORTS > Anti-Virus LABEL DESCRIPTION Collect Select this check box to have the ZyWALL collect anti-virus statistics. Statistics The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
  • Page 498: Anti-Spam Threat Reports Screen

    Figure 282 REPORTS > THREAT REPORTS > Anti-Virus > Destination 29.5 Anti-Spam Threat Reports Screen Click REPORTS > THREAT REPORTS > Anti-Spam to display the Threat Reports Anti-Spam screen. This screen displays anti-spam statistics. Figure 283 REPORTS > THREAT REPORTS > Anti-Spam The following table describes the labels in this screen.
  • Page 499 Table 171 REPORTS > THREAT REPORTS > Anti-Spam (continued) LABEL DESCRIPTION Phishing Mail Detected: This field displays the number of e-mails that the ZyWALL has classified as phishing. No Score Mail Detected: This field displays the number of e-mails for which the ZyWALL did not receive a spam score.
  • Page 500: Figure 284 Reports > Threat Reports > Anti-Spam > Source

    Figure 284 REPORTS > THREAT REPORTS > Anti-Spam > Source The statistics display as follows when you display the score distribution. Figure 285 REPORTS > THREAT REPORTS > Anti-Spam > Score Distribution
  • Page 501: Logs Screens

    CHAPTER 30 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Section 30.3.1 on page 507 for example log message explanations. 30.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen.
  • Page 502: Log Description Example

    The following table describes the labels in this screen. Table 172 LOGS > View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see Section 30.3 on page 504) display in the drop-down list box. Select a category of logs to view;...
  • Page 503: About The Certificate Not Trusted Log

    Table 173 Log Description Example LABEL DESCRIPTION notes The ZyWALL blocked the packet. message The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet.
  • Page 504: Configuring Log Settings

    Figure 288 myZyXEL.com: Certificate Download 30.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule for when the ZyWALL is to send the logs and which logs and/or immediate alerts the ZyWALL is to send.
  • Page 505: Figure 289 Logs > Log Settings

    Figure 289 LOGS > Log Settings
  • Page 506: Table 174 Logs > Log Settings

    The following table describes the labels in this screen. Table 174 LOGS > Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 507: Log Descriptions

    Table 174 LOGS > Log Settings (continued) LABEL DESCRIPTION Send Immediate Alert Select the categories of alerts for which you want the ZyWALL to instantly e- mail alerts to the e-mail address specified in the Send Alerts To field. Log Consolidation Active Some logs (such as the Attacks logs) may be so numerous that it becomes...
  • Page 508 Table 175 System Maintenance Logs (continued) LOG MESSAGE DESCRIPTION Time initialized by NTP server: The router got the time and date from the NTP server. Connect to Daytime server fail: The router was not able to connect to the Daytime server. The router was not able to connect to the Time server.
  • Page 509: Table 176 System Error Logs

    Table 176 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max. number of session per host: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
  • Page 510: Table 178 Tcp Reset Logs

    Table 178 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host). Exceed TCP MAX...: The router sent a TCP reset packet when the number of TCP...
  • Page 511: Table 181 Cdr Logs

    Table 180 ICMP Logs (continued) LOG MESSAGE DESCRIPTION Packet without a NAT table entry blocked: ICMP: The router blocked a packet that didn’t have a corresponding NAT table entry. Unsupported/out-of-order ICMP: The firewall does not support this kind of ICMP packet or the ICMP packets are out of order.
  • Page 512: Table 184 Content Filtering Logs

    Table 184 Content Filtering Logs LOG MESSAGE DESCRIPTION %s: Keyword blocking: The content of a requested web page matched a user-defined keyword. %s: Not in trusted web...: The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
  • Page 513 Table 185 Attack Logs (continued) LOG MESSAGE DESCRIPTION ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall detected an IP spoofing attack on the WAN port. ip spoofing - WAN ICMP: The firewall detected an ICMP IP spoofing attack on the WAN port.
  • Page 514: Table 186 Remote Management Logs

    Table 186 Remote Management Logs LOG MESSAGE DESCRIPTION Remote Management: FTP denied: Attempted use of FTP service was blocked according to remote management settings. Remote Management: TELNET denied: Attempted use of TELNET service was blocked according to remote management settings. Remote Management: HTTP or UPnP: Attempted use of HTTP or UPnP service was blocked according to remote management settings.
  • Page 515: Table 189 Ike Logs

    Table 188 IPSec Logs (continued) LOG MESSAGE DESCRIPTION Rule <%d> idle time out, disconnect: The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn"...
  • Page 516 Table 189 IKE Logs (continued) LOG MESSAGE DESCRIPTION vs. My Remote <My remote> - <My remote>: The displayed ID information did not match between the two ends of the connection. vs.: The displayed ID information did not match between the two ends of the connection.
  • Page 517 Table 189 IKE Logs (continued) LOG MESSAGE DESCRIPTION Rule [%d] Phase 1 encryption algorithm mismatch: The listed rule’s IKE phase 1 encryption algorithm did not match between the router and the peer. Rule [%d] Phase 1: The listed rule’s IKE phase 1 authentication algorithm did not match between the router and the peer.
  • Page 518: Table 190 Pki Logs

    Table 189 IKE Logs (continued) LOG MESSAGE DESCRIPTION Rule [%d] Phase 2 key length mismatch: The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer. Remote Gateway Addr in rule: The IP address for the domain name of the peer gateway in the listed rule changed to the listed IP address.
  • Page 519: Table 191 Certificate Path Verification Failure Reason Codes

    Table 190 PKI Logs (continued) LOG MESSAGE DESCRIPTION Failed to decode the received ARL: The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.
  • Page 520: Table 192 802.1X Logs

    Table 191 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION Database method failed. Path was not verified. Maximum path length reached. Table 192 802.1X Logs LOG MESSAGE DESCRIPTION Local User Database accepts user.: A user was authenticated by the local user database.
  • Page 521: Table 193 Acl Setting Notes

    Table 193 ACL Setting Notes PACKET DIRECTION DIRECTION DESCRIPTION (L to W) LAN to WAN: ACL set for packets traveling from the LAN to the WAN. (W to L) WAN to LAN: ACL set for packets traveling from the WAN to the LAN. (D to L) DMZ to LAN: ACL set for packets traveling from the DMZ to the LAN.
  • Page 522: Table 195 Idp Logs

    Table 194 ICMP Notes (continued) TYPE CODE DESCRIPTION Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host Echo Echo message Time Exceeded...
  • Page 523: Table 196 Av Logs

    Table 195 IDP Logs (continued) LOG MESSAGE DESCRIPTION Check signature version - %s.: The device attempted to check for the latest available signature version. %s gives details. Either the check was unsuccessful due to the server being busy or the device is already using the latest available firmware.
  • Page 524: Table 197 As Logs

    Table 196 AV Logs (continued) LOG MESSAGE DESCRIPTION The turbo card is not ready , please insert the card and reboot!: The turbo card is not installed. The system is doing signature update now , please wait!: The device is updating the signature file. Table 197 AS Logs...
  • Page 525 Table 197 AS Logs (continued) LOG MESSAGE DESCRIPTION "This is a phishing mail - Spam Score:%d Mail: The spam score (listed) for the e-mail with the listed source and subject was higher than the spam score threshold. The anti-spam external database identified the e-mail as a phishing mail.
  • Page 526: Syslog Logs

    30.4 Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session"...
  • Page 527: Table 199 Rfc-2408 Isakmp Payload Types

    Table 198 Syslog Logs (continued) LOG MESSAGE DESCRIPTION Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss: This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
  • Page 529: Maintenance

    CHAPTER 31 Maintenance This chapter displays information on the maintenance screens. 31.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 31.2 General Setup and System Name General Setup contains administrative and system-related information.
  • Page 530: Configuring Password

    Figure 290 MAINTENANCE > General Setup The following table describes the labels in this screen. Table 200 MAINTENANCE > General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 531: Time And Date

    Figure 291 MAINTENANCE > Password The following table describes the labels in this screen. Table 201 MAINTENANCE > Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field.
  • Page 532: Figure 292 Maintenance > Time And Date

    Figure 292 MAINTENANCE > Time and Date The following table describes the labels in this screen. Table 202 MAINTENANCE > Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the ZyWALL’s present time. Current Date This field displays the ZyWALL’s present date.
  • Page 533 Table 202 MAINTENANCE > Time and Date (continued) LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 534: Pre-Defined Ntp Time Server Pools

    31.5 Pre-defined NTP Time Server Pools When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools.
  • Page 535: Introduction To Transparent Bridging

    Figure 294 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen. Figure 295 Synchronization Fail 31.6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards.
  • Page 536: Transparent Firewalls

    For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.
  • Page 537: Figure 296 Maintenance > Device Mode (Router Mode)

    You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode. The following applies when the ZyWALL is in router mode. Figure 296 MAINTENANCE > Device Mode (Router Mode) The following table describes the labels in this screen.
  • Page 538: Configuring Device Mode (Bridge)

    31.9 Configuring Device Mode (Bridge) Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall).
  • Page 539: F/W Upload Screen

    Click Reset to begin configuring this screen afresh. 31.10 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
  • Page 540: Figure 298 Maintenance > Firmware Upload

    Figure 298 MAINTENANCE > Firmware Upload The following table describes the labels in this screen. Table 206 MAINTENANCE > Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 541: Backup And Restore

    Figure 300 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 542: Backup Configuration

    Figure 302 MAINTENANCE > Backup and Restore 31.11.1 Backup Configuration Backup configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 543: Back To Factory Defaults

    After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 303 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 544: Restart Screen

    Figure 306 Reset Warning Message You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 63 for more information on the RESET button. 31.12 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off.
  • Page 545: Smt And Troubleshooting

    SMT and Troubleshooting Introducing the SMT (547) SMT Menu 1 - General Setup (555) WAN and Dial Backup Setup (561) LAN Setup (575) Internet Access (581) DMZ Setup (587) Route Setup (591) Wireless Setup (595) Remote Node Setup (601) IP Static Route Setup (611) Network Address Translation (NAT) (615) Introducing the ZyWALL Firewall (635) Filter Configuration (637)
  • Page 546 Troubleshooting (705)
  • Page 547: Introducing The Smt

    CHAPTER 32 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 32.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 548: Entering The Password

    Chapter 32 Introducing the SMT Figure 308 Initial Screen Copyright (c) 1994 - 2007 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:A0:C5:01:23:45 initialize ch =1, ethernet address: 00:A0:C5:01:23:46 initialize ch =2, ethernet address: 00:A0:C5:01:23:47 initialize ch =3, ethernet address: 00:A0:C5:01:23:48 initialize ch =4, ethernet address: 00:00:00:00:00:00 AUX port init .
  • Page 549: Main Menu

    This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for different ZyWALL models. Not all fields or menus are available on all models. Figure 310 Main Menu (Router Mode) Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1.
  • Page 550: Figure 311 Main Menu (Bridge Mode)

    Figure 311 Main Menu (Bridge Mode) Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 22. SNMP Configuration 23. System Password 24.
  • Page 551: Smt Menus Overview

    Table 209 Main Menu Summary MENU TITLE FUNCTION IP Routing Policy Setup Configure and display policies for use in IP policy routing. Schedule Setup Use this menu to schedule outgoing calls. Exit Use this menu to exit (necessary for remote configuration). 32.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus.
  • Page 552: Changing The System Password

    Table 210 SMT Menus Overview (continued) MENUS SUB MENUS 15 NAT Setup 15.1 Address Mapping Sets 15.1.x Address Mapping Rules 15.1.x.x Address Mapping Rule 15.2 NAT Server Sets 15.2.x NAT Server Setup 15.2.x.x - NAT Server Configuration 15.3 Trigger Ports 15.3.x Trigger Port Setup...
  • Page 553: Resetting The Zywall

    Figure 312 Menu 23: System Password Menu 23 - System Password Old Password= ? New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER].
  • Page 555: Smt Menu 1 - General Setup

    CHAPTER 33 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 33.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 33.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 - General Setup.
  • Page 556: Figure 314 Menu 1: General Setup (Bridge Mode)

    Chapter 33 SMT Menu 1 - General Setup Table 211 Menu 1: General Setup (Router Mode) (continued) FIELD DESCRIPTION Device Mode Press [SPACE BAR] and then [ENTER] to select Router Mode. Edit Dynamic Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
  • Page 557: Configuring Dynamic Dns

    33.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field.
  • Page 558: Figure 316 Menu 1.1.1: Ddns Host Summary

    Figure 316 Menu 1.1.1: DDNS Host Summary Menu 1.1.1 DDNS Host Summary Summary --- - ------------------------------------------------------- Hostname=ZyWALL, Type=Dynamic,WC=Yes,Offline=No,Policy=DDNS Server Detect, WAN1, HA=Yes _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ _______________________________________________________ Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 559: Figure 317 Menu 1.1.1: Ddns Edit Host

    Figure 317 Menu 1.1.1: DDNS Edit Host Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDNS Server Auto Detect= Yes Use User-Defined= N/A...
  • Page 560 Table 215 Menu 1.1.1: DDNS Edit Host (continued) FIELD DESCRIPTION IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP address.
  • Page 561: Wan And Dial Backup Setup

    CHAPTER 34 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 34.1 Introduction to WAN, 3G WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN interface(s), a 3G WAN connection and a dial backup connection using the SMT menus.
  • Page 562: Dial Backup

    Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this screen. Table 216 MAC Address Cloning in WAN Setup FIELD DESCRIPTION (WAN 1/2) MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
  • Page 563: Advanced Wan Setup

    Figure 319 Menu 2: Dial Backup Setup Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A WAN 2 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200...
  • Page 564: Figure 320 Menu 2.1: Advanced Wan Setup

    To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
  • Page 565: Remote Node Profile (Backup Isp)

    Table 219 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 566: Table 220 Menu 11.3: Remote Node Profile (Backup Isp)

    The following table describes the fields in this menu. Table 220 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters.
  • Page 567: Editing Tcp/Ip Options

    34.3.4 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Not all fields are available on all models.
  • Page 568: Editing Login Script

    Table 221 Menu 11.3.2: Remote Node Network Layer Options FIELD DESCRIPTION Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 569: Figure 323 Menu 11.3.3: Remote Node Script

    To handle the first prompt, you specify “ogin: ” as the ‘Expect’ string and “myLogin” as the ‘Send’ string in set 1. The reason for leaving out the leading “L” is to avoid having to know exactly whether it is upper or lower case.
  • Page 570: Remote Node Filter

    The following table describes the fields in this menu. Table 222 Menu 11.3.3: Remote Node Script FIELD DESCRIPTION Active Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
  • Page 571: Modem Setup

    34.4.1 3G Modem Setup From the main menu, enter 2 to open menu 2 on the ZyWALL that supports a 3G card. Figure 325 3G Modem Setup in WAN Setup (ZyWALL 5) Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A...
  • Page 572: Figure 326 Menu 11.2: Remote Node Profile (3G Wan)

    Figure 326 Menu 11.2: Remote Node Profile (3G WAN) Menu 11.2 - Remote Node Profile (3G WAN) Rem Node Name= WAN 2 Active= Yes Edit IP= No Outgoing: Edit Script Options= No My Login= test My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP...
  • Page 573 Table 224 Menu 11.2: Remote Node Profile (3G WAN) (continued) FIELD DESCRIPTION Always On Press [SPACE BAR] to select Yes to set this connection to be on all the time, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection.
  • Page 575: Lan Setup

    CHAPTER 35 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 35.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
  • Page 576: Tcp/Ip And Dhcp Ethernet Setup Menu

    Chapter 35 LAN Setup Figure 328 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 35.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
  • Page 577: Figure 330 Menu 3.2: Tcp/Ip And Dhcp Ethernet Setup

    Figure 330 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.33 IP Address= 192.168.1.1 Size of Client IP Pool= 128 IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-1...
  • Page 578: Table 226 Menu 3.2: Lan Tcp/Ip Setup Fields

    Table 225 Menu 3.2: DHCP Ethernet Setup Fields FIELD DESCRIPTION First DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Second DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
  • Page 579: Ip Alias Setup

    35.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Use menu 3.2 to configure the first network.
  • Page 581: Internet Access

    CHAPTER 36 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 36.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 582: Figure 332 Menu 4: Internet Access Setup (Ethernet)

    Chapter 36 Internet Access Figure 332 Menu 4: Internet Access Setup (Ethernet) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A...
  • Page 583: Configuring The Pptp Client

    Table 228 Menu 4: Internet Access Setup (Ethernet) (continued) FIELD DESCRIPTION Gateway IP Address Enter the gateway IP address associated with your static IP. Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local...
  • Page 584: Configuring The Pppoe Client

    Figure 333 Internet Access Setup (PPTP) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPTP Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
  • Page 585: Basic Setup Complete

    Figure 334 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
  • Page 587: Dmz Setup

    CHAPTER 37 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 37.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 335 Menu 5: DMZ Setup Menu 5 - DMZ Setup...
  • Page 588: Tcp/Ip Setup

    Chapter 37 DMZ Setup 37.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 127. 37.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 337 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1.
  • Page 589: Ip Alias Setup

    DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 42 on page 615) in menus 15.1 and 15.2. 37.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next.
  • Page 591: Route Setup

    CHAPTER 38 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 38.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 340 Menu 6: Route Setup Menu 6 - Route Setup 1.
  • Page 592: Traffic Redirect

    Chapter 38 Route Setup The following table describes the fields in this menu. Table 231 Menu 6.1: Route Assessment FIELD DESCRIPTION Probing WAN 1/2 Check Point Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility. If you do not select No in the Use Default Gateway as Check Point field and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) in the Check Point field, the ZyWALL will use...
  • Page 593: Route Failover

    38.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 343 Menu 6.3: Route Failover Menu 6.3 - Route Failover Period= 5 Timeout=: 3 Fail Tolerance= 3 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu.
  • Page 595: Wireless Setup

    To edit the wireless LAN configuration, enter 1 to open Menu 7.1 - Wireless Setup as shown next. Figure 344 Menu 7.1: Wireless Setup Menu 7.1 - Wireless Setup Enable Wireless LAN= No Bridge Channel= WLAN ESSID= ZyXEL Hide ESSID= No Channel ID= CH06 2437MHz RTS Threshold= 2432 Frag. Threshold= 2432 WEP= Disable...
  • Page 596: Table 234 Menu 7.1: Wireless Setup

    Chapter 39 Wireless Setup The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 234 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable...
  • Page 597: Mac Address Filter Setup

    Table 234 Menu 7.1: Wireless Setup FIELD DESCRIPTION Key 1 to Key The WEP keys are used to encrypt data. Both the ZyWALL and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F").
  • Page 598: Tcp/Ip Setup

    The following table describes the fields in this menu. Table 235 Menu 7.1.1: WLAN MAC Address Filter FIELD DESCRIPTION Active To enable MAC address filtering, press [SPACE BAR] to select Yes and press [ENTER]. Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table.
  • Page 599: Ip Alias Setup

    Figure 347 Menu 7.2: TCP/IP and DHCP Ethernet Setup Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None TCP/IP Setup: Client IP Pool: Starting Address= N/A IP Address= 0.0.0.0 Size of Client IP Pool= N/A IP Subnet Mask= 0.0.0.0 RIP Direction= None Version= N/A...
  • Page 600: Figure 348 Menu 7.2.1: Ip Alias Setup

    Figure 348 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A...
  • Page 601: Remote Node Setup

    CHAPTER 40 Remote Node Setup This chapter shows you how to configure a remote node. 40.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 602: Remote Node Profile Setup

    Chapter 40 Remote Node Setup 40.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. Not all fields are available on all models. 40.3.1 Ethernet Encapsulation There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation.
  • Page 603: Pppoe Encapsulation

    Table 236 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued) FIELD DESCRIPTION My Password Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Retype to Confirm Type your password again to make sure that you have entered it correctly.
  • Page 604: Figure 351 Menu 11.1: Remote Node Profile For Pppoe Encapsulation

    Figure 351 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name= Allocated Budget(min)= 0 Outgoing: Period(hr)= 0...
  • Page 605: Pptp Encapsulation

    40.3.2.3 Metric See Section 8.5 on page 149 for details on the Metric field. Table 237 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
  • Page 606: Edit Ip

    Figure 352 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
  • Page 607: Figure 353 Menu 11.1.2: Remote Node Network Layer Options For Ethernet Encapsulation

    Figure 353 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= N/A Rem Subnet Mask= N/A My WAN Addr= N/A Network Address Translation= SUA Only NAT Lookup Set= 255 Metric= 1...
  • Page 608: Remote Node Filter

    Table 239 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION NAT Lookup Set If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for...
  • Page 609: Figure 354 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)

    Figure 354 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 355 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets:...
  • Page 611: Ip Static Route Setup

    CHAPTER 41 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 41.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
  • Page 612: Figure 356 Menu 12: Ip Static Route Setup

    Chapter 41 IP Static Route Setup Figure 356 Menu 12: IP Static Route Setup Menu 12 - IP Static Route Setup 1. Reserved 16. ________ 31. ________ 46. ________ 2. Reserved 17. ________ 32. ________ 47. ________ 3. ________ 18. ________ 33.
  • Page 613 Table 240 Menu 12.1: Edit IP Static Route FIELD DESCRIPTION Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
  • Page 615: Network Address Translation (Nat)

    CHAPTER 42 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 42.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 42.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 616: Figure 358 Menu 4: Applying Nat For Internet Access

    Chapter 42 Network Address Translation (NAT) Figure 358 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A...
  • Page 617: Nat Setup

    The following table describes the fields in this menu. Table 241 Applying NAT in Menus 4 & 11.1.2 FIELD OPTIONS DESCRIPTION Network Address Translation Full Feature When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see...
  • Page 618: Address Mapping Sets

    Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 42.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 361 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1.
  • Page 619: Table 242 Sua Address Mapping Rules

    Menu 15.1.255 is read-only. Table 242 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
  • Page 620: Figure 363 Menu 15.1.1: First Set

    Figure 363 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server...
  • Page 621: Table 243 Fields In Menu 15.1.1

    Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so that old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Table 243 Fields in Menu 15.1.1 FIELD DESCRIPTION...
  • Page 622: Figure 364 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Figure 364 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu.
  • Page 623: Configuring A Server Behind Nat

    42.3 Configuring a Server behind NAT If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind NAT: 1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.
  • Page 624: Figure 367 15.2.X.x: Nat Server Configuration

    4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x.x - NAT Server Configuration (see the next figure). Figure 367 15.2.x.x: NAT Server Configuration 15.2.1.2 - NAT Server Configuration Wan= 1...
  • Page 625: General Nat Examples

    Figure 368 Menu 15.2.1: NAT Server Setup Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None Select Rule= N/A...
  • Page 626: Figure 370 Nat Example 1

    Figure 370 NAT Example 1 Figure 371 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)=...
  • Page 627: Example 2: Internet Access With A Default Server

    42.4.2 Example 2: Internet Access with a Default Server Figure 372 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.
  • Page 628: Figure 374 Nat Example 3

    2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). 4 You also map your third IGA to the web server and mail server on the LAN.
  • Page 629: Figure 375 Example 3: Menu 11.1.2

    Figure 375 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 2 Private= RIP Direction= None...
  • Page 630: Figure 377 Example 3: Final Menu 15.1.1

    Figure 377 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 1. 192.168.1.10 10.132.50.1 192.168.1.11 10.132.50.2...
  • Page 631: Example 4: Nat Unfriendly Application Programs

    42.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 632: Trigger Port Forwarding

    Chapter 42 Network Address Translation (NAT) Figure 381 Example 4: Menu 15.1.1: Address Mapping Rules Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 192.168.1.10 192.168.1.12...
  • Page 633: Figure 382 Menu 15.3.1: Trigger Port Setup

    Chapter 42 Network Address Translation (NAT) Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN interfaces, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and configure trigger port rules for the first or second WAN interface.
  • Page 634 Chapter 42 Network Address Translation (NAT) Table 246 Menu 15.3.1: Trigger Port Setup (continued) FIELD DESCRIPTION End Port Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
  • Page 635: Introducing The Zywall Firewall

    Chapter 43 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 43.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 636: Figure 384 Menu 21.2: Firewall Setup

    Chapter 43 Introducing the ZyWALL Firewall Figure 384 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
  • Page 637: Filter Configuration

    Chapter 44 Filter Configuration This chapter shows you how to create and apply filters. 44.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
  • Page 638: The Filter Structure Of The Zywall

    Chapter 44 Filter Configuration 44.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 639: Figure 386 Filter Rule Process

    Chapter 44 Filter Configuration Figure 386 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 640: Configuring A Filter Set

    Chapter 44 Filter Configuration 44.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 387 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1.
  • Page 641: Configuring A Filter Rule

    Chapter 44 Filter Configuration Table 247 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here.
  • Page 642: Configuring A Tcp/Ip Filter Rule

    Chapter 44 Filter Configuration 44.2.2 Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.
  • Page 643 Chapter 44 Filter Configuration Table 249 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Greater.
  • Page 644: Configuring A Generic Filter Rule

    Chapter 44 Filter Configuration Figure 390 Executing an IP Filter 44.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. ZyWALL 5/35/70 Series User’s Guide...
  • Page 645: Figure 391 Menu 21.1.1.1: Generic Filter Rule

    Chapter 44 Filter Configuration For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
  • Page 646: Example Filter

    Chapter 44 Filter Configuration Table 250 Generic Filter Rule Menu Fields FIELD DESCRIPTION Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged.
  • Page 647: Figure 393 Example Filter: Menu 21.1.3.1

    Chapter 44 Filter Configuration Figure 393 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0...
  • Page 648: Filter Types And Nat

    Chapter 44 Filter Configuration After you’ve created the filter set, you must apply it. 1 Enter 11 from the main menu to go to menu 11. 2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile. 3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. 4 This brings you to menu 11.1.4.
  • Page 649: Firewall

    Chapter 44 Filter Configuration 44.5.1.1 When To Use Filtering 1 To block/allow LAN packets by their MAC addresses. 2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 650: Applying Lan Filters

    Chapter 44 Filter Configuration If you do not activate the firewall, it is advisable to apply filters. 44.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 651: Applying Remote Node Filters

    Chapter 44 Filter Configuration 44.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas.
  • Page 653: Snmp Configuration

    Chapter 45 SNMP Configuration This chapter explains SNMP configuration menu 22. 45.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
  • Page 654: Snmp Traps

    (defined in RFC-1215) A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). whyReboot (defined in ZYXEL-MIB) A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
  • Page 655: System Information & Diagnosis

    Chapter 46 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 46.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
  • Page 656: Figure 401 Menu 24.1: System Maintenance: Status

    Chapter 46 System Information & Diagnosis 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 401 Menu 24.1: System Maintenance: Status Menu 24.1 - System Maintenance - Status 08:17:55...
  • Page 657: System Information And Console Port Speed

    Chapter 46 System Information & Diagnosis Table 253 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION RxPkts This is the number of received packets on this port. Cols This is the number of collisions on this port. Tx B/s This field shows the transmission speed in Bytes per second on this port. Rx B/s This field shows the reception speed in Bytes per second on this port.
  • Page 658: Console Port Speed

    Name= xxx.baboo.mickey.com Routing Refers to the routing protocol used. ZyNOS F/W Version Refers to the version of ZyXEL's Network Operating System software. Country Code Refers to the country code of the firmware. Ethernet Address Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL.
  • Page 659: Log And Trace

    Chapter 46 System Information & Diagnosis Figure 404 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel:Press Space Bar to Toggle. 46.4 Log and Trace There are two logging facilities in the ZyWALL.
  • Page 660: Syslog Logging

    Chapter 46 System Information & Diagnosis Figure 406 Examples of Error and Information Messages 52 Thu Jul 1 05:54:53 2004 PP05 ERROR Wireless LAN init fail, code=15 53 Thu Jul 1 05:54:53 2004 PINI INFO Channel 0 ok 54 Thu Jul 1 05:54:56 2004 PP05 -WARN SNMP TRAP 3: interface 3: link up 55 Thu Jul...
  • Page 661 L02 Call Terminated C02 Call Terminated Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002 Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002 Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated...
  • Page 662 IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol ("TCP","UDP","ICMP") spo: Source port dpo: Destination port Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF Mar 03 11:59:20 202.132.155.97 ZyXEL:...
  • Page 663: Call-Triggering Packet

    Chapter 46 System Information & Diagnosis 5 Firewall log Firewall Log Message Format SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action] Src: Source Address spo: Source port (empty means no source port information) Dst: Destination Address dpo: Destination port (empty means no destination port information) prot: Protocol ("TCP","UDP","ICMP", "IGMP", "GRE", "ESP")
  • Page 664: Diagnostic

    Chapter 46 System Information & Diagnosis Figure 408 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Time: 17:02:44.262 Frame Type: IP Header: IP Version Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44) Identification = 0x0002 (2) Flags = 0x00 Fragment Offset...
  • Page 665: Wan Dhcp

    Chapter 46 System Information & Diagnosis Figure 409 Menu 24.4: System Maintenance: Diagnostic (ZyWALL 5) Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1. Ping Host 2. WAN DHCP Release 3. WAN DHCP Renewal 4. PPPoE/PPTP/3G Setup Test System 11. Reboot System Enter Menu Selection Number: WAN= Host IP Address= N/A...
  • Page 666: Table 256 System Maintenance Menu Diagnostic

    Chapter 46 System Information & Diagnosis Table 256 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings.
  • Page 667: Firmware And Configuration File Maintenance

    The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing.
  • Page 668: Backup Configuration

    Chapter 47 Firmware and Configuration File Maintenance The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary.
  • Page 669: Using The Ftp Command From The Command Line

    331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 670: Gui-Based Ftp Clients

    Chapter 47 Firmware and Configuration File Maintenance 47.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. Table 258 General Commands for GUI-based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server. Login Type Anonymous.
  • Page 671: Tftp Command Example

    Chapter 47 Firmware and Configuration File Maintenance 4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. 5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer.
  • Page 672: Restore Configuration

    Chapter 47 Firmware and Configuration File Maintenance Figure 413 System Maintenance: Backup Configuration Ready to backup Configuration via Xmodem. Do you want to continue (y/n): 2 The following screen indicates that the Xmodem download has started. Figure 414 System Maintenance: Starting Xmodem Download Screen You can enter ctrl-x to terminate operation any time.
  • Page 673: Restore Using Ftp

    Chapter 47 Firmware and Configuration File Maintenance FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL.
  • Page 674: Restore Using Ftp Session Example

    Chapter 47 Firmware and Configuration File Maintenance 47.4.2 Restore Using FTP Session Example Figure 418 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 675: Uploading Firmware And Configuration Files

    Chapter 47 Firmware and Configuration File Maintenance 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 422 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot.
  • Page 676: Configuration File Upload

    Chapter 47 Firmware and Configuration File Maintenance Figure 423 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 677: Ftp File Upload Command From The Dos Prompt Example

    Chapter 47 Firmware and Configuration File Maintenance 47.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “1234”).
  • Page 678: Tftp Upload Command Example

    Chapter 47 Firmware and Configuration File Maintenance 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted.
  • Page 679: Example Xmodem Firmware Upload Using Hyperterminal

    Chapter 47 Firmware and Configuration File Maintenance Figure 426 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 680: Example Xmodem Configuration Upload Using Hyperterminal

    Chapter 47 Firmware and Configuration File Maintenance Figure 428 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 681: System Maintenance Menus 8 To 10

    Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance.
  • Page 682: Command Syntax

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 431 Valid Commands Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 683: Call Control Support

    Chapter 48 System Maintenance Menus 8 to 10 Table 260 Valid Commands COMMAND DESCRIPTION These commands configure bandwidth management settings and display bandwidth management information. These commands configure intrusion detection and prevention settings. These commands configure anti-virus settings. These commands configure anti-spam settings. certificates These commands display certificate information and configure certificate settings.
  • Page 684: Call History

    Chapter 48 System Maintenance Menus 8 to 10 Figure 433 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.WAN_1 No Budget No Budget 2.WAN_2 No Budget No Budget 3.Dial No Budget No Budget Reset Node (0 to update screen): The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
  • Page 685: Time And Date Setting

    Chapter 48 System Maintenance Menus 8 to 10 Figure 434 Call History Menu 24.9.2 - Call History Phone Number Rate #call Total Enter Entry to Delete(0 to exit): The following table describes the fields in this screen. Table 262 Call History FIELD DESCRIPTION Phone Number...
  • Page 686: Figure 435 Menu 24: System Maintenance

    Chapter 48 System Maintenance Menus 8 to 10 Figure 435 Menu 24: System Maintenance Menu 24 - System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode Call Control 10.
  • Page 687: Table 263 Menu 24.10 System Maintenance: Time And Date Setting

    Chapter 48 System Maintenance Menus 8 to 10 The following table describes the fields in this screen. Table 263 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 689: Remote Management

    Chapter 49 Remote Management This chapter covers remote management found in SMT menu 24.11. 49.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access.
  • Page 690: Figure 437 Menu 24.11 - Remote Management Control

    Chapter 49 Remote Management Figure 437 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = Disable Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = LAN+WAN1+DMZ+WLAN+WAN2 Secure Client IP = 0.0.0.0 SSH Server: Certificate = auto_generated_self_signed_cert Port = 22...
  • Page 691: Remote Management Limitations

    Chapter 49 Remote Management Table 264 Menu 24.11 – Remote Management Control (continued) FIELD DESCRIPTION Authenticate Client Certificates Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see...
  • Page 693: Ip Policy Routing

    Chapter 50 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 50.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 694: Ip Routing Policy Setup

    Chapter 50 IP Policy Routing Table 265 Menu 25: Sample IP Routing Policy Summary (continued) FIELD DESCRIPTION Criteria/Action This displays which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to Table 266 on page 694 for detailed information.
  • Page 695: Figure 439 Menu 25.1: Ip Routing Policy Setup

    Chapter 50 IP Policy Routing 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure). Figure 439 Menu 25.1: IP Routing Policy Setup Menu 25.1 - IP Routing Policy Setup Rule Index= 1...
  • Page 696: Applying Policy To Packets

    Chapter 50 IP Policy Routing Table 267 Menu 25.1: IP Routing Policy Setup FIELD DESCRIPTION addr start / end Destination IP address range from start to end. port start / end Destination port number range from start to end; applicable only for TCP/UDP. Action Specifies whether action should be taken on criteria Matched or Not Matched.
  • Page 697: Ip Policy Routing Example

    Chapter 50 IP Policy Routing Figure 440 Menu 25.1.1: IP Routing Policy Setup Menu 25.1.1 - IP Routing Policy Setup Apply policy to packets received from: LAN= No DMZ= No WLAN= No ALL WAN= Yes Selected Remote Node index= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 698: Figure 441 Example Of Ip Policy Routing

    Chapter 50 IP Policy Routing Figure 441 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
  • Page 699: Figure 443 Ip Routing Policy Example 2

    Chapter 50 IP Policy Routing 2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port. 3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly. 4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).
  • Page 701: Call Scheduling

    Chapter 51 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 51.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 702: Figure 445 Schedule Set Setup

    Chapter 51 Call Scheduling To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
  • Page 703: Figure 446 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Chapter 51 Call Scheduling Table 269 Schedule Set Setup (continued) FIELD DESCRIPTION If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
  • Page 704: Figure 447 Applying Schedule Set(S) To A Remote Node (Pptp)

    Chapter 51 Call Scheduling Figure 447 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
  • Page 705: Troubleshooting

    Chapter 52 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access •...
  • Page 706: Zywall Access And Login

    Chapter 52 Troubleshooting 52.2 ZyWALL Access and Login I forgot the LAN IP address for the ZyWALL. 1 The default LAN IP address is 192.168.1.1. 2 Use the console port to log in to the ZyWALL. 3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer.
  • Page 707 Chapter 52 Troubleshooting • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix E on page 733. Your ZyWALL is a DHCP server by default. 6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address.
  • Page 708: Internet Access

    Chapter 52 Troubleshooting See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.
  • Page 709: Wireless Router/Ap Troubleshooting

    Chapter 52 Troubleshooting I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5.4 on page 2 Check the schedule rules.
  • Page 710: Upnp

    Chapter 52 Troubleshooting 5 Check that both the ZyWALL and your wireless station are using the same wireless and wireless security settings. 6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyWALL.
  • Page 711: Appendices And Index

    Appendices and Index Product Specifications (713) Hardware Installation (721) Pop-up Windows, JavaScripts and Java Permissions (725) Removing and Installing a Fuse (731) Setting up Your Computer’s IP Address (733) IP Addresses and Subnetting (749) Common Services (757) Wireless LANs (761) Windows 98 SE/Me Requirements for Anti-Virus Message Display (775) VPN Setup (779) Importing Certificates (791)
  • Page 713: Appendix A Product Specifications

    Console RS-232 DB9F Dial Backup RS-232 DB9M Extension Card Slot For installing an optional ZyXEL wireless LAN card, 3G card or a ZyWALL Turbo extension card Operation Temperature 0°C ~ 50°C Storage Temperature -30°C ~ 60°C...
  • Page 714: Table 271 Firmware Specifications

    ZyWALL wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network. Firmware Upgrade Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL.
  • Page 715: Table 272 Feature Specifications

    FEATURE DESCRIPTION Firewall You can configure firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files for example.
  • Page 716: Table 273 Performance

    Simultaneous IPSec VPN Connections Compatible ZyXEL WLAN Cards The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports. Check the product page on the www.zyxel.com website for updates on ZyXEL WLAN cards that you can use in the ZyWALL.
  • Page 717 LAN PCMCIA or CardBus card, 3G card or ZyWALL Turbo Card (to avoid damage). Slide the connector end of the card into the slot as shown next. Only certain ZyXEL wireless LAN cards or 3G card are compatible with the ZyWALL.
  • Page 718: Figure 448 Wlan Card Installation

    Appendix A Product Specifications Figure 448 WLAN Card Installation Power Adaptor Specifications NORTH AMERICAN PLUG STANDARDS AC POWER ADAPTOR MODEL PSA18R-120P (ZA)-R INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 1.5A POWER CONSUMPTION 18 W MAX. SAFETY STANDARDS UL, CUL (UL 60950-1 FIRST EDITION; CSA C22.2 NO. 60950-1-03 1ST.) EUROPEAN PLUG STANDARDS AC POWER ADAPTOR MODEL...
  • Page 719: Figure 449 Console/Dial Backup Port Pin Layout

    Appendix A Product Specifications UNITED KINGDOM PLUG STANDARDS POWER CONSUMPTION 18 W MAX. SAFETY STANDARDS TUV (BS EN 60950-1) AUSTRALIA AND NEW ZEALAND PLUG STANDARDS AC POWER ADAPTOR MODEL PSA18R-120P (ZS)-R INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 1.5A POWER CONSUMPTION 18 W MAX.
  • Page 720: Table 275 Console/Dial Backup Port Pin Assignments

    Appendix A Product Specifications Table 275 Console/Dial Backup Port Pin Assignments CONSOLE Port RS-232 (Female) DB-9F DIAL BACKUP RS-232 (Male) DB-9M (Not on all models) Pin 1 = NON Pin 1 = NON Pin 2 = DCE-TXD Pin 2 = DTE-RXD Pin 3 = DCE-RXD Pin 3 = DTE-TXD...
  • Page 721: Appendix B Hardware Installation

    Appendix B Hardware Installation The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation. General Installation Instructions Read all the safety warnings in the beginning of this User's Guide before you begin and make sure you follow them.
  • Page 722: Figure 450 Attaching Rubber Feet

    Appendix B Hardware Installation Figure 450 Attaching Rubber Feet Do not block the ventilation holes. Leave space between ZyWALLs when stacking. Rack-mounted Installation Requirements The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.
  • Page 723: Figure 451 Attaching Mounting Brackets And Screws

    Appendix B Hardware Installation Rack-Mounted Installation 1 Align one bracket with the holes on one side of the ZyWALL and secure it with the bracket screws (smaller than the rack-mounting screws). 2 Attach the other bracket in a similar fashion. Figure 451 Attaching Mounting Brackets and Screws 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack.
  • Page 725: Appendix C Pop-Up Windows, Javascripts And Java Permissions

    Appendix C Pop-up Windows, JavaScripts and Java Permissions. In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Internet Explorer 6 screens are used here.
  • Page 726: Figure 454 Internet Options

    Appendix C Pop-up Windows, JavaScripts and Java Permissions 1 In Internet Explorer, select Tools, Internet Options, Privacy. 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 454 Internet Options 3 Click Apply to save this setting.
  • Page 727: Figure 455 Internet Options

    Appendix C Pop-up Windows, JavaScripts and Java Permissions. Figure 455 Internet Options 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 456 Pop-up Blocker Settings
  • Page 728: Figure 457 Internet Options

    Appendix C Pop-up Windows, JavaScripts and Java Permissions 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 729: Figure 458 Security Settings - Java Scripting

    Appendix C Pop-up Windows, JavaScripts and Java Permissions Figure 458 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
  • Page 730: Figure 460 Java (Sun)

    Appendix C Pop-up Windows, JavaScripts and Java Permissions. JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 460 Java (Sun)
  • Page 731: Appendix D Removing And Installing A Fuse

    Appendix D Removing and Installing a Fuse. This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below. If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the appendix on product specifications.
  • Page 733: Appendix E Setting Up Your Computer's Ip Address

    Appendix E Setting up Your Computer's IP Address. All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 734: Figure 461 Windows 95/98/Me: Network: Configuration

    Appendix E Setting up Your Computer's IP Address. Figure 461 Windows 95/98/Me: Network: Configuration. Installing Components. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 735: Figure 462 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    Appendix E Setting up Your Computer’s IP Address Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. •...
  • Page 736: Figure 463 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Appendix E Setting up Your Computer’s IP Address Figure 463 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window.
  • Page 737: Figure 464 Windows Xp: Start Menu

    Appendix E Setting up Your Computer's IP Address. Figure 464 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 465 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 738: Figure 466 Windows Xp: Control Panel: Network Connections: Properties

    Appendix E Setting up Your Computer’s IP Address Figure 466 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 467 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 739: Figure 468 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Appendix E Setting up Your Computer’s IP Address Figure 468 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 740: Figure 469 Windows Xp: Advanced Tcp/Ip Properties

    Appendix E Setting up Your Computer’s IP Address Figure 469 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 741: Figure 470 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Appendix E Setting up Your Computer’s IP Address Figure 470 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
  • Page 742: Figure 471 Macintosh Os 8/9: Apple Menu

    Appendix E Setting up Your Computer’s IP Address Figure 471 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 472 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: •...
  • Page 743: Figure 473 Macintosh Os X: Apple Menu

    Appendix E Setting up Your Computer’s IP Address • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Close the TCP/IP Control Panel.
  • Page 744: Figure 474 Macintosh Os X: Network

    Appendix E Setting up Your Computer’s IP Address Figure 474 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 745: Figure 475 Red Hat 9.0: Kde: Network Configuration: Devices

    Appendix E Setting up Your Computer’s IP Address Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 746: Figure 477 Red Hat 9.0: Kde: Network Configuration: Dns

    Appendix E Setting up Your Computer’s IP Address • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 747: Figure 479 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Appendix E Setting up Your Computer's IP Address. Figure 479 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
        DEVICE=eth0
        ONBOOT=yes
        BOOTPROTO=dhcp
        USERCTL=no
        PEERDNS=yes
        TYPE=Ethernet
    • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK=...
  • Page 748: Figure 483 Red Hat 9.0: Checking Tcp/Ip Properties

    Appendix E Setting up Your Computer's IP Address. Verifying Settings. Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 483 Red Hat 9.0: Checking TCP/IP Properties
        [root@localhost]# ifconfig
        eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
                  inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        ...
  • Page 749: Appendix F Ip Addresses And Subnetting

    Appendix F IP Addresses and Subnetting. This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks. Introduction to IP Addresses. An IP address has two parts: the network number and the host ID. Routers use the network number to send packets to the correct network, while the host ID identifies a single device on the network.
  • Page 750: Table 278 Allowed Ip Address Range By Class

    Appendix F IP Addresses and Subnetting. Table 277 Classes of IP Addresses (continued)
    IP ADDRESS | OCTET 1 | OCTET 2 | OCTET 3 | OCTET 4
    Class B | Network number | Network number | Host ID | Host ID
    Class C | Network number | Network number | Network number | Host ID
    An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 for example).
  • Page 751: Table 279 "Natural" Masks

    Appendix F IP Addresses and Subnetting. Subnet masks are expressed in dotted decimal notation just like IP addresses. The "natural" masks for class A, B and C IP addresses are as follows.
    Table 279 "Natural" Masks
    CLASS | NATURAL MASK
    A | 255.0.0.0
    B | 255.255.0.0
    C | 255.255.255.0
    Subnetting...
  • Page 752: Table 281 Two Subnets Example

    Appendix F IP Addresses and Subnetting. Example: Two Subnets. As an example, you have a class "C" address 192.168.1.0 with subnet mask of 255.255.255.0.
    Table 281 Two Subnets Example
    IP/SUBNET MASK | NETWORK NUMBER | HOST ID
    IP Address | 192.168.1. |
    IP Address (Binary) | 11000000.10101000.00000001. |
  • Page 753: Table 284 Subnet 1

    Appendix F IP Addresses and Subnetting. Table 283 Subnet 2 (continued)
    IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
    Subnet Address: 192.168.1.128 | Lowest Host ID: 192.168.1.129
    Broadcast Address: 192.168.1.255 | Highest Host ID: 192.168.1.254
    Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2 –
  • Page 754: Table 286 Subnet 3

    Appendix F IP Addresses and Subnetting. Table 286 Subnet 3
    IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
    IP Address | 192.168.1. | 128
    IP Address (Binary) | 11000000.10101000.00000001. | 10000000
    Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
    Subnet Address: 192.168.1.128 | Lowest Host ID: 192.168.1.129
    Broadcast Address: 192.168.1.191 | Highest Host ID: 192.168.1.190
    Table 287 Subnet 4...
  • Page 755: Table 290 Class B Subnet Planning

    Appendix F IP Addresses and Subnetting. Table 289 Class C Subnet Planning (continued)
    NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
    3 | 255.255.255.224 (/27) | 8 | 30
    4 | 255.255.255.240 (/28) | 16 | 14
    5 | 255.255.255.248 (/29) | 32 | 6
    6 | 255.255.255.252 (/30) | 64 | 2
    7 | 255.255.255.254 (/31) | 128 | 0
    Subnetting With Class A and Class B Networks. For class "A"...
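    As an added example (not part of the guide and not ZyXEL code), the following Python reproduces the subnet arithmetic of Tables 283 to 289 with the standard library ipaddress module, and generalizes it to any prefix length rather than only class C. On a firewall the same arithmetic decides which hosts a rule or a VPN network policy written as starting address plus mask actually covers, so the covered() check at the end is the one to run when a policy seems to match too many or too few hosts. The addresses are the guide's own 192.168.1.0 example.

```python
import ipaddress


def subnet_details(cidr):
    """Subnet address, first/last usable host, broadcast and usable host count for a
    network such as '192.168.1.128/25' (subnet 2 of the guide's two-subnet example)."""
    net = ipaddress.ip_network(cidr, strict=True)
    size = net.num_addresses
    # Host IDs of all zeros (the subnet itself) and all ones (broadcast) are reserved,
    # so a block of fewer than four addresses has no usable hosts under that rule.
    usable = size - 2 if size >= 4 else 0
    return {
        "subnet": str(net.network_address),
        "mask": str(net.netmask),
        "lowest_host": str(net.network_address + 1) if usable else None,
        "highest_host": str(net.broadcast_address - 1) if usable else None,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def plan_class_c(borrowed_bits):
    """One row of the class C subnet-planning table: borrowing b of the 8 host bits
    of a /24 gives 2**b subnets with 2**(8-b) - 2 usable hosts each."""
    if not 1 <= borrowed_bits <= 7:
        raise ValueError("a class C network has 8 host bits; borrow between 1 and 7")
    prefix = 24 + borrowed_bits
    return {
        "borrowed_bits": borrowed_bits,
        "mask": str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask),
        "prefix": prefix,
        "subnets": 2 ** borrowed_bits,
        "hosts_per_subnet": max(2 ** (8 - borrowed_bits) - 2, 0),
    }


def split(cidr, borrowed_bits):
    """Enumerate the subnets produced by borrowing host bits from a network."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


def covered(rule_cidr, host):
    """Does a rule or VPN network policy written as address/mask cover this host?
    strict=False tolerates host bits an operator may have typed (e.g. 192.168.1.1/24)."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(rule_cidr, strict=False)


if __name__ == "__main__":
    for s in split("192.168.1.0/24", 2):        # the four /26 subnets of Tables 284 to 287
        print(subnet_details(s))
    for b in range(1, 8):                        # the rows of Table 289
        print(plan_class_c(b))
    print(covered("192.168.1.0/25", "192.168.1.200"))   # a /25 policy does not reach subnet 2
```

    The usable-host rule follows the guide (all-zeros and all-ones host IDs reserved), which is why a /31 shows 0 hosts here even though RFC 3021 point-to-point links use both addresses.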
  • Page 757: Appendix G Common Services

    Appendix G Common Services. Table 291 Commonly Used Services
    NAME | PROTOCOL | PORT(S) | DESCRIPTION
    CU-SEEME | TCP/UDP | 7648 (TCP), 24032 (UDP) | A popular videoconferencing solution from White Pines Software.
    DNS | TCP/UDP | 53 | Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
    ESP (IPSEC_TUNNEL) | User-Defined (IP protocol 50) | n/a | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
    FINGER | ...
  • Page 758 Appendix G Common Services. Table 291 Commonly Used Services (continued)
    NAME | PROTOCOL | PORT(S) | DESCRIPTION
    FTP | TCP | 20/21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
    H.323 | TCP | 1720 | NetMeeting uses this protocol.
    HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
  • Page 759 Appendix G Common Services. Table 291 Commonly Used Services (continued)
    NAME | PROTOCOL | PORT(S) | DESCRIPTION
    RTELNET | TCP | 107 | Remote Telnet.
    RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
    SFTP | TCP | 115 | Simple File Transfer Protocol.
    SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the...
  • Page 761: Appendix H Wireless Lans

    Appendix H Wireless LANs. Wireless LAN Topologies. This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration. The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 762: Figure 485 Basic Service Set

    Appendix H Wireless LANs Figure 485 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 763: Figure 486 Infrastructure Wlan

    Appendix H Wireless LANs Figure 486 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference.
  • Page 764: Figure 487 Rts/Cts

    Appendix H Wireless LANs Figure 487 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 765: Table 292 Ieee 802.11G

    Appendix H Wireless LANs If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to signal that data is coming to the receiver.
  • Page 766: Table 293 Wireless Security Levels

    Appendix H Wireless LANs. Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL's identity (its SSID). The following figure shows the relative effectiveness of these wireless security methods available on your ZyWALL. Note that MAC address restriction and SSID hiding are weak on their own: a client MAC address can be copied from any captured frame and the SSID is still sent in probe and association frames, so treat both as housekeeping and rely on encryption and authentication for actual protection.
  • Page 767: Types Of Radius Messages

    Appendix H Wireless LANs Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
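    As an added example (not part of the guide and not ZyXEL code), the following Python builds the Access-Request an access point relays for a wireless client and the Access-Accept the server returns, following the User-Password hiding and Response Authenticator rules of RFC 2865 (the message codes 1, 2, 3 and 11 are the standard Access-Request, Access-Accept, Access-Reject and Access-Challenge). The shared secret and user credentials are made-up values. It shows why the RADIUS shared secret matters so much: the password is hidden with an MD5 keystream keyed only by that secret and the per-request Request Authenticator, and the access point's only assurance that an Accept came from the real server is the Response Authenticator computed with the same secret, so the secret must be long and random and the path between AP and server must be a trusted network or itself inside IPSec.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """The inverse. Anyone holding the shared secret (or who brute-forced it from a
    captured exchange) recovers the user password, so this is hiding, not encryption."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def attribute(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, user, password, authenticator=None):
    """Access-Request (code 1) as the AP relays it to the RADIUS server."""
    req_auth = authenticator or os.urandom(16)        # must be unpredictable per request
    attrs = attribute(ATTR_USER_NAME, user.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Access-Accept/Reject/Challenge. Response Authenticator =
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """What the AP must check before acting on a reply: the ID matches the outstanding
    request, the length is sane, and the authenticator was made with the shared secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"example-shared-secret"                # assumption: demo value only
    req = build_access_request(7, secret, "alice", "correct horse")
    resp = build_response(ACCESS_ACCEPT, req, secret)
    print(verify_response(resp, req, secret), verify_response(resp, req, b"wrong"))
```

    The code deliberately binds the reply to the request through the Request Authenticator and the identifier; a reply that verifies under the wrong secret, a changed code, or a different outstanding request is rejected.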
  • Page 768 Appendix H Wireless LANs For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.
  • Page 769: Table 294 Comparison Of Eap Authentication Types

    Appendix H Wireless LANs Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen.
  • Page 770 Appendix H Wireless LANs. Encryption. Both WPA and WPA2 improve on WEP by using Temporal Key Integrity Protocol (TKIP), a Message Integrity Check (MIC) and IEEE 802.1x key management. WPA2 additionally uses the Advanced Encryption Standard (AES) in Counter mode with Cipher block chaining Message authentication code Protocol (CCMP), which offers stronger encryption than TKIP. WEP (static or dynamic) and TKIP are both cryptographically broken and deprecated; use AES-CCMP wherever the clients support it.
  • Page 771: Figure 488 Wpa(2) With Radius Application Example

    Appendix H Wireless LANs Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.
  • Page 772: Figure 489 Wpa(2)-Psk Authentication

    Appendix H Wireless LANs 3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys.
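    As an added example (not part of the guide and not ZyXEL code), the following Python carries steps 3 and 4 above through with the actual IEEE 802.11i derivations: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits, and the temporal keys (PTK) come from the 802.11i PRF over the PMK, both MAC addresses and both handshake nonces. The MAC addresses and nonces are made-up values; the passphrase/SSID pair "password"/"IEEE" is the standard test vector. The last function shows the consequence of step 3: because the PMK depends only on the PSK and the SSID, everything an attacker needs to test guesses is public once one handshake is captured, which is why the PSK has to be long and random.

```python
import hashlib
import hmac


def pmk_from_psk(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to nbytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce):
    """Pairwise Transient Key. Ordering by min/max makes the result independent of
    which side is which, as the standard requires."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)   # TKIP needs 64 bytes; CCMP uses 48
    return {
        "kck": ptk[:16],            # key confirmation key: MICs over the handshake messages
        "kek": ptk[16:32],          # key encryption key: wraps the group key in message 3
        "tk": ptk[32:48],           # temporal key: the actual data-encryption key
        "tkip_mic_keys": ptk[48:64],
    }


def offline_guess(ssid, captured_pmk, candidates):
    """Model of the offline attack on a captured handshake: each guess costs one PBKDF2
    run and nothing is sent to the AP, so lockouts on the AP do not help. A real attacker
    checks the guess against the handshake MIC rather than a known PMK; the cost is the same."""
    for candidate in candidates:
        if hmac.compare_digest(pmk_from_psk(candidate, ssid), captured_pmk):
            return candidate
    return None


if __name__ == "__main__":
    pmk = pmk_from_psk("password", "IEEE")
    ap, client = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")   # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                      # constructed
    keys = ptk_from_handshake(pmk, ap, client, anonce, snonce)
    print(pmk.hex(), keys["tk"].hex())
    print(offline_guess("IEEE", pmk, ["letmein", "password", "zyxel"]))
```

    Changing the SSID changes the PMK, so a non-default SSID at least prevents reuse of precomputed tables, but it does nothing against a dictionary run on a weak passphrase.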
  • Page 773 Appendix H Wireless LANs Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.
  • Page 774 Appendix H Wireless LANs Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up.
  • Page 775: Appendix I Windows 98 Se/Me Requirements For Anti-Virus Message Display

    Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display. With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.
  • Page 776: Figure 491 Windows 98 Se: Program Task Bar

    Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display. Figure 491 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced ... Figure 492 Windows 98 SE: Task Bar Properties 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut.
  • Page 777: Figure 493 Windows 98 Se: Startup

    Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 493 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 494 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept the default and click Finish.
  • Page 778: Figure 495 Windows 98 Se: Startup: Select A Title For The Program

    Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 495 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 496 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 490 on page...
  • Page 779: Appendix J Vpn Setup

    IPSec connections. All users of a dynamic rule have the same pre-shared key. You may need to change the pre- shared key if one of the users leaves. See the support notes at http://www.zyxel.com for configuration examples for software VPN clients.
  • Page 780: Figure 497 Vpn Rules

    Appendix J VPN Setup The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/ Remote Starting IP Address settings with your own values.
  • Page 781: Figure 498 Headquarters Gateway Policy Edit

    Appendix J VPN Setup. Figure 498 Headquarters Gateway Policy Edit. Callout: the IP address of the branch office IPSec router.
  • Page 782: Figure 499 Branch Office Gateway Policy Edit

    Appendix J VPN Setup. Figure 499 Branch Office Gateway Policy Edit. Callout: the IP address of the headquarters IPSec router. 3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy.
  • Page 783: Figure 500 Headquarters Vpn Rule

    Appendix J VPN Setup. Figure 500 Headquarters VPN Rule. Figure 501 Branch Office VPN Rule 4 Configure the screens in the headquarters and the branch office as follows and click Apply.
  • Page 784: Figure 502 Headquarters Network Policy Edit

    Appendix J VPN Setup. Figure 502 Headquarters Network Policy Edit. Callouts: Activate the network policy. IP addresses on different subnets.
  • Page 785: Figure 503 Branch Office Network Policy Edit

    Appendix J VPN Setup Figure 503 Branch Office Network Policy Edit Activate the network policy. IP addresses on different subnets. Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
  • Page 786: Figure 504 Vpn Rule Configured

    If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
  • Page 787: Vpn Log

    Appendix J VPN Setup. VPN Log. The system log can often help to identify a configuration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel. View the log via the web configurator LOGS View Log screen or type sys log disp from the command interpreter (Menu 24.8)...
  • Page 788: Figure 507 Vpn Log Example

    Appendix J VPN Setup. Figure 507 VPN Log Example
        ras> sys log disp ike ipsec
        .time                source   destination  notes  message
        0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
        1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
        2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE ...
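    As an added example (not part of the guide and not ZyXEL code), the following Python parses log lines in the format of Figure 507 and reduces them to what an operator checking both ends actually wants: per peer, which named rules last built successfully and which did not, plus the IKE cookie pairs, which are the values to match against the other router's log for the same negotiation. The sample is constructed: entries 0 and 1 are the two shown in the figure, the remaining entries and their messages are invented here so that the parser has a failing rule to report. The assumption that index 0 is the newest entry is also this example's, taken from the figure's ordering.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Figure 507: entries 0 and 1 are the ones shown in
# the guide; entries 2 to 4 are made up here to give the parser a second peer and a failure.
SAMPLE_LOG = """\
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:20 |5.6.7.8 |5.1.2.3 |IKE Start Phase 1 IKE Main Mode
3|01/11/2001 18:40:05 |5.6.7.8 |9.9.9.9 |IKE Rule [ex-2] Phase 1 pre-shared key mismatch
4|01/11/2001 18:40:04 |5.6.7.8 |9.9.9.9 |IKE Start Phase 1 IKE Main Mode
"""

LINE_RE = re.compile(r"^\s*(\d+)\|(\S+ \S+)\s*\|(\S+)\s*\|(\S+)\s*\|(\S+)\s+(.*)$")
RULE_RE = re.compile(r"Rule \[([^\]]+)\]")
COOKIE_RE = re.compile(r"cookie pair is\s*:\s*(0x[0-9A-Fa-f]+)\s*/\s*(0x[0-9A-Fa-f]+)")


def parse_line(line):
    """One 'index|time |source |destination |notes message' entry, or None if not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    index, when, src, dst, category, message = m.groups()
    rule = RULE_RE.search(message)
    cookies = COOKIE_RE.search(message)
    return {"index": int(index), "time": when, "src": src, "dst": dst, "category": category,
            "message": message.strip(), "rule": rule.group(1) if rule else None,
            "cookies": cookies.groups() if cookies else None}


def summarize(text):
    """Per-peer view: the state of each named rule plus the IKE cookie pairs seen.
    Assumption: index 0 is the newest entry, so entries are replayed in reverse index
    order and the last named event for a rule wins."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    entries.sort(key=lambda e: e["index"], reverse=True)
    peers = defaultdict(lambda: {"rules": {}, "cookie_pairs": [], "events": 0})
    for e in entries:
        peer = peers[e["dst"]]
        peer["events"] += 1
        if e["cookies"]:
            peer["cookie_pairs"].append(e["cookies"])
        if e["rule"]:
            peer["rules"][e["rule"]] = {"built": "built successfully" in e["message"],
                                        "last": e["message"], "time": e["time"]}
    return dict(peers)


def failed_rules(text):
    """Names of rules whose most recent named event was not a successful build."""
    return sorted(r for p in summarize(text).values()
                  for r, s in p["rules"].items() if not s["built"])


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        print(peer, info)
    print("needs attention:", failed_rules(SAMPLE_LOG))
```

    Run the same parser over the log from the other IPSec router: a negotiation that appears with the same cookie pair on both sides but ends without "Tunnel built successfully" points at a phase 1 or phase 2 parameter mismatch rather than a reachability problem.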
  • Page 789: Figure 508 Ike/Ipsec Debug Example

    Appendix J VPN Setup IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8). If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
  • Page 790 Appendix J VPN Setup Use a VPN Tunnel A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email.
  • Page 791: Appendix K Importing Certificates

    Appendix K Importing Certificates. This appendix shows importing certificates examples using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator. In Netscape Navigator, you can permanently trust the ZyWALL's server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this. Before you do, compare the certificate's fingerprint with the value the ZyWALL reports over a path you already trust (for example the console port): a certificate installed as a trusted root is trusted permanently and its private key can be used to issue certificates your browser will accept for other sites, so a substituted certificate accepted at this step would be just as trusted.
  • Page 792: Figure 510 Login Screen

    Appendix K Importing Certificates. Figure 510 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 511 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
  • Page 793: Figure 512 Certificate Import Wizard 1

    Appendix K Importing Certificates. Figure 512 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 513 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
  • Page 794: Figure 514 Certificate Import Wizard 3

    Appendix K Importing Certificates. Figure 514 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 515 Root Certificate Store
  • Page 795: Figure 516 Certificate General Information After Import

    Appendix K Importing Certificates Figure 516 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 796: Figure 517 Zywall Trusted Ca Screen

    Appendix K Importing Certificates Figure 517 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 797: Figure 518 Ca Certificate Example

    Appendix K Importing Certificates Figure 518 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 798: Figure 520 Personal Certificate Import Wizard 2

    Appendix K Importing Certificates 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 520 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
  • Page 799: Figure 522 Personal Certificate Import Wizard 4

    Appendix K Importing Certificates Figure 522 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 523 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
  • Page 800: Figure 525 Access The Zywall Via Https

    Appendix K Importing Certificates. Using a Certificate When Accessing the ZyWALL Example. Use the following procedure to access the ZyWALL via HTTPS. 1 Enter https://<ZyWALL IP address>/ in your browser's web address field. Figure 525 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL.
  • Page 801: Appendix L Command Interpreter

    Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
  • Page 802: Figure 528 Displaying Log Categories Example

    Appendix L Command Interpreter. Configuring What You Want the ZyWALL to Log. 1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record. 2 Use sys logs category to view a list of the log categories. Figure 528 Displaying Log Categories Example
        ras> ...
  • Page 803 Appendix L Command Interpreter. Log Command Example. This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
        ras> sys logs load
        ras> sys logs category access 3
        ras> sys logs save
        ras> ...
  • Page 804: Figure 530 Routing Command Example

    Appendix L Command Interpreter. Figure 530 Routing Command Example
        ras> ip nat routing 2 1
        Routing can work in NAT when no NAT rule match.
        -----------------------------------------------
        LAN: no
        DMZ: yes
        WLAN: yes
    ARP Behavior and the ARP ackGratuitous Commands. The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request.
  • Page 805: Figure 531 Backup Gateway

    Appendix L Command Interpreter is on and set to force updates, the ZyWALL receives the gratuitous ARP request and updates its ARP table. This way the ZyWALL has a correct gateway ARP entry to forward packets through the backup gateway. If ackGratuitous is off or not set to force updates, the ZyWALL will not update the gateway ARP entry and cannot forward packets through gateway B.
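    As an added example (not part of the guide and not ZyNOS code), the following Python models the ARP cache policy described above: unsolicited replies are dropped unless ackGratuitous is on, and an existing entry is only overwritten when force updates are also set. The semantics are taken from the text above and are this model's assumption about the device; the static pin is also this model's addition and stands for whatever fixed mapping a platform offers. The scenario shows the trade-off the text implies: the setting that lets backup gateway B take over the gateway IP is the same one that lets any host on that segment claim it, so enable it only where the gateway segment is trusted, and watch for a gateway MAC that changes when no failover happened.

```python
class ArpCache:
    """Model of the ackGratuitous behaviour as described in the guide (assumption):
    ack_gratuitous controls whether unsolicited replies are looked at at all, and
    force_update whether they may replace an entry that already exists."""

    def __init__(self, ack_gratuitous=False, force_update=False):
        self.ack_gratuitous = ack_gratuitous
        self.force_update = force_update
        self.table = {}           # ip -> mac learned so far
        self.outstanding = set()  # ips we have sent an ARP request for
        self.static = {}          # ip -> mac pinned by the administrator (model addition)

    def request(self, ip):
        self.outstanding.add(ip)

    def receive(self, ip, mac):
        """Apply one ARP reply or announcement for ip -> mac; return what the cache did."""
        if ip in self.static:                    # pinned entries never follow the wire
            if self.static[ip] != mac:
                return "ignored-static"
            self.table[ip] = mac
            return "static"
        if ip in self.outstanding:               # answer to our own request: always learned
            self.outstanding.discard(ip)
            self.table[ip] = mac
            return "learned"
        if not self.ack_gratuitous:              # default: unsolicited replies are dropped
            return "ignored-unsolicited"
        if ip in self.table:
            if self.table[ip] == mac:
                return "unchanged"
            if not self.force_update:            # known IP with a new MAC needs forceUpdate
                return "ignored-existing"
            self.table[ip] = mac
            return "updated"
        self.table[ip] = mac
        return "learned"


GATEWAY_IP = "10.0.0.1"                                       # constructed addresses
GATEWAY_A, GATEWAY_B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
ATTACKER = "ee:ee:ee:ee:ee:ee"


def failover_then_spoof(ack_gratuitous, force_update, pin_gateway=False):
    """Backup gateway B announces the shared gateway IP after A fails; later an attacker
    on the same segment sends the same kind of announcement with its own MAC."""
    cache = ArpCache(ack_gratuitous, force_update)
    cache.request(GATEWAY_IP)
    cache.receive(GATEWAY_IP, GATEWAY_A)             # gateway A answers our request
    if pin_gateway:
        cache.static[GATEWAY_IP] = GATEWAY_B         # operator pins the MAC expected after failover
    failover = cache.receive(GATEWAY_IP, GATEWAY_B)  # gratuitous ARP from the backup gateway
    spoof = cache.receive(GATEWAY_IP, ATTACKER)      # gratuitous ARP from the attacker
    return failover, spoof, cache.table.get(GATEWAY_IP)


if __name__ == "__main__":
    for settings in ((False, False), (True, False), (True, True)):
        print(settings, failover_then_spoof(*settings))
    print("pinned", failover_then_spoof(True, True, pin_gateway=True))
```

    With both switches on, the third scenario ends with the attacker's MAC as the gateway entry and every packet for the backup gateway going to the attacker; the pinned variant keeps failover working while refusing the spoof.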
  • Page 806: Figure 532 Managing The Bandwidth Of An Ipsec Sa

    Appendix L Command Interpreter Figure 532 Managing the Bandwidth of an IPSec SA with this command to set the ZyWALL to use the outer source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. These are the IP addresses of the ZyWALL and the remote IPSec router.
  • Page 807: Figure 534 Routing Command Example

    Appendix L Command Interpreter By default the ZyWALL uses a 128 bit AES encryption key for phase 2 IPSec tunnels. Use this command to edit an existing VPN rule to use a longer AES encryption key. See the following example. Say you have a VPN rule one that uses AES for the phase 2 encryption and you want it to use 192 bit encryption.
  • Page 809: Appendix M Netbios Filter Commands

    Appendix M NetBIOS Filter Commands. The following describes the NetBIOS packet filter commands. See Appendix L on page 801 for information on the command structure. Introduction. NetBIOS (Network Basic Input/Output System) packets are the TCP and UDP (including broadcast) packets that enable a computer to find and communicate with other hosts on a LAN.
  • Page 810: Table 296 Netbios Filter Default Settings

    Appendix M NetBIOS Filter Commands. The filter types and their default settings are as follows.
    Table 296 NetBIOS Filter Default Settings
    NAME | DESCRIPTION | EXAMPLE
    Between LAN and WAN | This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. | Block
    Between LAN and ... | This field displays whether NetBIOS packets are blocked or forwarded ... | Block...
  • Page 812 Appendix M NetBIOS Filter Commands ZyWALL 5/35/70 Series User’s Guide...
  • Page 813: Appendix N Brute-Force Password Guessing Protection

    Appendix N Brute-Force Password Guessing Protection. Brute-force password guessing protection allows you to specify a wait-time that must expire before a fourth password can be entered after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
  • Page 815: Appendix O Legal Information

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 816 This Class B digital apparatus complies with Canadian standard NMB-003. Viewing Certifications: 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page. ZyWALL 5/35/70 Series User's Guide...
  • Page 817: Zyxel Limited Warranty

    Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
  • Page 819: Appendix P Customer Support

    • Telephone: +506-2017878 • Fax: +506-2015098 • Web Site: www.zyxel.co.cr • FTP Site: ftp.zyxel.co.cr • Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 •...
  • Page 820 • E-mail: info@zyxel.fr • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web Site: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-69 •...
  • Page 821 • Sales E-mail: sales@zyxel.com • Telephone: +1-800-255-4101, +1-714-632-0882 • Fax: +1-714-632-0858 • Web Site: www.us.zyxel.com • FTP Site: ftp.us.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 822 Appendix P Customer Support • Web Site: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web Site: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Ukraine •...
  • Page 823: Index
