• Supporting Disk: Refer to the included CD for support documents.
• ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback: Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router
ZyWALL 5/35/70 Series User’s Guide
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• ...
Table of Contents
About This User's Guide ... 3
Document Conventions ... 4
Safety Warnings ... 6
Contents Overview ... 9
Table of Contents ... 11
List of Figures ... 31
List of Tables ... 45
Part I: Introduction ... 53
Chapter 1 Getting to Know Your ZyWALL ...
2.4.4 HOME Screen: Bridge Mode ... 69
2.4.5 Navigation Panel ... 73
2.4.6 Port Statistics ... 78
2.4.7 Show Statistics: Line Chart ... 79
2.4.8 DHCP Table Screen ... 80
2.4.9 VPN Status ... 81
2.4.10 Bandwidth Monitor ... 82
Chapter 3 Wizard Setup ...
5.3 Service ... 122
Part II: Network ... 125
Chapter 6 LAN Screens ... 127
6.1 LAN, WAN and the ZyWALL ... 127
6.2 IP Address and Subnet Mask ... 127
6.2.1 Private IP Addresses ... 128
6.3 DHCP ... 129
6.3.1 IP Pool Setup ...
8.7 Configuring Load Balancing ... 153
8.7.1 Least Load First ... 153
8.7.2 Weighted Round Robin ... 154
8.7.3 Spillover ... 154
8.8 WAN IP Address Assignment ... 155
8.9 DNS Server Address Assignment ... 156
8.10 WAN MAC Address ... 156
8.11 WAN ...
11.9 Firewall Rule Summary ... 236
11.9.1 Firewall Edit Rule ... 237
11.10 Anti-Probing ... 240
11.11 Firewall Thresholds ... 241
11.11.1 Threshold Values ... 242
11.12 Threshold Screen ... 242
11.13 Service ... 244
11.13.1 Firewall Edit Custom Service ... 245
11.14 My Service Firewall Rule Example ...
14.2.1 How the ZyWALL Anti-Virus Scanner Works ... 272
14.2.2 Notes About the ZyWALL Anti-Virus ... 273
14.3 General Anti-Virus Setup ... 274
14.4 Signature Searching ... 276
14.4.1 Signature Search Example ... 278
14.5 Signature Update ... 279
14.5.1 mySecurityZone ...
17.1 Checking Content Filtering Activation ... 315
17.2 Viewing Content Filtering Reports ... 315
17.3 Web Site Submission ... 320
Chapter 18 IPSec VPN ... 323
18.1 IPSec VPN Overview ... 323
18.1.1 IKE SA Overview ... 324
18.2 VPN Rules (IKE) ...
19.2 Self-signed Certificates ... 362
19.3 Verifying a Certificate ... 362
19.3.1 Checking the Fingerprint of a Certificate on Your Computer ... 362
19.4 Configuration Summary ... 363
19.5 My Certificates ... 364
19.6 My Certificate Details ... 366
19.7 My Certificate Export ...
21.3 NAT Overview Screen ... 398
21.4 NAT Address Mapping ... 399
21.4.1 What NAT Does ... 400
21.4.2 NAT Address Mapping Edit ... 401
21.5 Port Forwarding ... 402
21.5.1 Default Server IP Address ... 403
21.5.2 Port Forwarding: Services and Port Numbers ...
24.9 Maximize Bandwidth Usage With Bandwidth Borrowing ... 426
24.10 Over Allotment of Bandwidth ... 427
24.11 Configuring Summary ... 427
24.12 Configuring Class Setup ... 429
24.12.1 Bandwidth Manager Class Configuration ... 430
24.12.2 Bandwidth Management Statistics ...
27.1.1 How Do I Know If I'm Using UPnP? ... 471
27.1.2 NAT Traversal ... 471
27.1.3 Cautions with UPnP ... 471
27.1.4 UPnP and ZyXEL ... 472
27.2 Configuring UPnP ... 472
27.3 Displaying UPnP Port Mapping ... 473
27.4 Installing UPnP in Windows Example ...
34.4 3G WAN ... 570
34.4.1 3G Modem Setup ... 571
34.4.2 Remote Node Profile (3G WAN) ... 571
Chapter 35 LAN Setup ... 575
35.1 Introduction to LAN Setup ... 575
35.2 Accessing the LAN Menus ... 575
35.3 LAN Port Filter Setup ...
List of Figures
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ... 57
Figure 2 VPN Application ... 57
Figure 3 3G WAN Application ... 58
Figure 4 ZyWALL 70 Front Panel ... 58
Figure 5 ZyWALL 35 Front Panel ...
Figure 39 IDP Configuration for To VPN Traffic ... 108
Figure 40 Firewall Rule for VPN ... 109
Figure 41 SECURITY > VPN > VPN Rules (IKE) ... 109
Figure 42 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy ... 110
Figure 43 SECURITY > ...
Figure 82 NETWORK > DMZ ... 180
Figure 83 NETWORK > DMZ > Static DHCP ... 183
Figure 84 NETWORK > DMZ > IP Alias ... 184
Figure 85 DMZ Public Address Example ... 186
Figure 86 DMZ Private and Public Address Example ... 187
Figure 87 NETWORK > ...
Figure 125 SECURITY > FIREWALL > Threshold ... 242
Figure 126 SECURITY > FIREWALL > Service ... 244
Figure 127 Firewall Edit Custom Service ... 245
Figure 128 My Service Firewall Rule Example: Service ... 246
Figure 129 My Service Firewall Rule Example: Edit Custom Service ... 247
Figure 130 My Service Firewall Rule Example: Rule Summary ...
Figure 168 Blue Coat: Report Home ... 318
Figure 169 Global Report Screen Example ... 319
Figure 170 Requested URLs Example ... 320
Figure 171 Web Page Review Process Screen ... 321
Figure 172 VPN: Example ... 323
Figure 173 VPN: IKE SA and IPSec SA ...
Figure 211 SECURITY > CERTIFICATES > Directory Server > Add ... 385
Figure 212 SECURITY > AUTH SERVER > Local User Database ... 388
Figure 213 SECURITY > AUTH SERVER > RADIUS ... 389
Figure 214 How NAT Works ... 395
Figure 215 NAT Application With IP Alias ...
Figure 254 How SSH Works ... 458
Figure 255 ADVANCED > REMOTE MGMT > SSH ... 459
Figure 256 SSH Example 1: Store Host Key ... 460
Figure 257 SSH Example 2: Test ... 460
Figure 258 SSH Example 2: Log in ... 461
Figure 259 Secure FTP: Firmware Upload Example ...
Figure 340 Menu 6: Route Setup ... 591
Figure 341 Menu 6.1: Route Assessment ... 591
Figure 342 Menu 6.2: Traffic Redirect ... 592
Figure 343 Menu 6.3: Route Failover ... 593
Figure 344 Menu 7.1: Wireless Setup ... 595
Figure 345 Menu 7.1.1: WLAN MAC Address Filter ...
Figure 383 Menu 21: Filter and Firewall Setup ... 635
Figure 384 Menu 21.2: Firewall Setup ... 636
Figure 385 Outgoing Packet Filtering Process ... 637
Figure 386 Filter Rule Process ... 639
Figure 387 Menu 21: Filter and Firewall Setup ... 640
Figure 388 Menu 21.1: Filter Set Configuration ...
Figure 426 Menu 24.7.1 As Seen Using the Console Port ... 679
Figure 427 Example Xmodem Upload ... 679
Figure 428 Menu 24.7.2 As Seen Using the Console Port ... 680
Figure 429 Example Xmodem Upload ... 680
Figure 430 Command Mode in Menu 24 ...
Figure 469 Windows XP: Advanced TCP/IP Properties ... 740
Figure 470 Windows XP: Internet Protocol (TCP/IP) Properties ... 741
Figure 471 Macintosh OS 8/9: Apple Menu ... 742
Figure 472 Macintosh OS 8/9: TCP/IP ... 742
Figure 473 Macintosh OS X: Apple Menu ... 743
Figure 474 Macintosh OS X: Network ...
Figure 512 Certificate Import Wizard 1 ... 793
Figure 513 Certificate Import Wizard 2 ... 793
Figure 514 Certificate Import Wizard 3 ... 794
Figure 515 Root Certificate Store ... 794
Figure 516 Certificate General Information after Import ... 795
Figure 517 ZyWALL Trusted CA Screen ...
List of Tables
Table 1 ZyWALL Model Specific Features ... 56
Table 2 Front Panel Lights ... 59
Table 3 Title Bar: Web Configurator Icons ... 65
Table 4 Web Configurator HOME Screen in Router Mode ... 66
Table 5 Web Configurator HOME Screen in Bridge Mode ...
Table 39 Example of Network Properties for LAN Servers with Fixed IP Addresses ... 156
Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) ... 158
Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) ... 161
Table 42 NETWORK > ...
Table 211 Menu 1: General Setup (Router Mode) ... 555
Table 212 Menu 1: General Setup (Bridge Mode) ... 556
Table 213 Menu 1.1: Configure Dynamic DNS ... 557
Table 214 Menu 1.1.1: DDNS Host Summary ... 558
Table 215 Menu 1.1.1: DDNS Edit Host ...
Chapter 1 Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL.
ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), anti-virus and certificates.
See the product specifications in the appendix for a complete list of features.
Table 1 ZyWALL Model Specific Features
MODEL # / FEATURE:
• Two WAN Ports
• 3G Card Supported
• Load Balancing
• Changing Port Roles between LAN and DMZ
• Changing Port Roles between LAN and WLAN
Table Key: An O in a mode’s column shows that the device mode has the specified feature.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings.
1.5.3 3G WAN Application (ZyWALL 5 Only)
Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station. At the time of writing, only ZyWALL 5 supports 3G, so all 3G descriptions relate to ZyWALL 5 only.
The following table describes the lights.
Table 2 Front Panel Lights
COLOR / STATUS / DESCRIPTION: The ZyWALL is turned off. Green: The ZyWALL is turned on. The power to the ZyWALL is too low. Green: The ZyWALL is not ready or has failed.
Chapter 2 Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.
2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 7 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
5 Release the RESET button and wait for the ZyWALL to finish restarting.
2.3.2 Uploading a Configuration File Via Console Port
1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2.4 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.
The icons provide the following functions.
Table 3 Title Bar: Web Configurator Icons
ICON / DESCRIPTION
Wizards: Click this icon to open one of the web configurator wizards. See Chapter 3 on page 85 for more information.
Help: Click this icon to open the help page for the current screen.
The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL / DESCRIPTION
Interfaces: This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists. Hold your cursor over an interface’s label to display the interface’s MAC Address. Click an interface’s label to go to the screen where you can configure settings for that interface.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL / DESCRIPTION
Intrusion Detected: This displays how many intrusions the ZyWALL has detected since it last started up. N/A displays when there is no Turbo Card installed or the service subscription has expired.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL / DESCRIPTION
3G Card IMEI: This displays the International Mobile Equipment Number (IMEI) which is the serial number of the 3G wireless card. IMEI is a unique 15-digit number used to identify a mobile device.
Bootbase Version: This is the bootbase version and the date created.
Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Table 5 Web Configurator HOME Screen in Bridge Mode (continued)
LABEL / DESCRIPTION
RSTP Active: This shows whether or not RSTP is active on the corresponding port.
RSTP Priority: This is the RSTP priority of the corresponding port.
RSTP Path Cost: This is the cost of transmitting a frame from the root bridge to the corresponding port.
Table 5 Web Configurator HOME Screen in Bridge Mode (continued)
LABEL / DESCRIPTION
System Status
Port Statistics: Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port. Click VPN to display the active VPN connections.
Table 6 Bridge and Router Mode Features Comparison
FEATURE / BRIDGE MODE / ROUTER MODE: UPnP, Reports, Logs, Maintenance
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
Table 7 Screens Summary (continued)
LINK / FUNCTION
Use this screen to configure your DMZ connection.
Static DHCP: Use this screen to assign fixed IP addresses on the DMZ.
IP Alias: Use this screen to partition your DMZ interface into subnets.
Port Roles: Use this screen to change the DMZ/WLAN port roles on the ZyWALL 70 or the LAN/DMZ/WLAN port roles on the ZyWALL 5 or...
Table 7 Screens Summary (continued)
LINK / FUNCTION
ANTI-SPAM
General: Use this screen to turn the anti-spam feature on or off and set how the ZyWALL treats spam.
External DB: Use this screen to enable or disable the use of the anti-spam external database.
Table 7 Screens Summary (continued)
LINK / FUNCTION
System: Use this screen to configure the address and name server records.
Cache: Use this screen to configure the DNS resolution cache.
DHCP: Use this screen to configure LAN/DMZ/WLAN DNS information.
DDNS: Use this screen to set up dynamic DNS.
Table 7 Screens Summary (continued)
LINK / FUNCTION
MAINTENANCE
General: This screen contains administrative.
Password: Use this screen to change your password.
Time and Date: Use this screen to change your ZyWALL’s time and date.
Device Mode: Use this screen to configure and have your ZyWALL work as a router or a bridge.
Table 8 HOME > Show Statistics (continued)
LABEL / DESCRIPTION
Status: For the WAN interface(s) and the Dial Backup port, this displays the port speed and duplex setting if you’re using Ethernet encapsulation, or the remote node name for a PPP connection and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
The following table describes the labels in this screen.
Table 9 HOME > Show Statistics > Line Chart
LABEL / DESCRIPTION
Click the icon to go back to the Show Statistics screen.
Port: Select the check box(es) to display the throughput statistics of the corresponding interface(s).
Table 10 HOME > DHCP Table (continued)
LABEL / DESCRIPTION
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory.
Table 11 HOME > VPN Status
LABEL / DESCRIPTION
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Table 12 ADVANCED > BW MGMT > Monitor
LABEL / DESCRIPTION
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Chapter 3 Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.
3.1 Wizard Setup Overview
The web configurator's setup wizards help you configure Internet and VPN connection settings.
3.2.1 ISP Parameters
The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.
3.2.1.1 Ethernet
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets.
Table 13 ISP Parameters: Ethernet Encapsulation
LABEL / DESCRIPTION
My WAN IP Address: Enter your WAN IP address in this field.
My WAN IP Subnet Mask: Enter the IP subnet mask in this field.
Gateway IP Address: Enter the gateway IP address in this field.
First DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right.
The following table describes the labels in this screen.
Table 14 ISP Parameters: PPPoE Encapsulation
LABEL / DESCRIPTION
ISP Parameter for Internet Access
Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name: Type the name of your service provider.
Figure 21 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 15 ISP Parameters: PPTP Encapsulation
LABEL / DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
Table 15 ISP Parameters: PPTP Encapsulation
LABEL / DESCRIPTION
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/: Enter the connection ID or connection name in this field.
Figure 23 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 22 on page 90), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, anti-spam, anti-virus and IDP.
Figure 24 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 16 Internet Access Wizard: Registration
LABEL / DESCRIPTION
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
Figure 25 Internet Access Wizard: Registration in Progress
3.2.4 Internet Access Wizard: Status
This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done.
Figure 26 Internet Access Wizard: Status
The following screen appears if the registration was not successful.
Figure 27 Internet Access Wizard: Registration Failed
3.2.5 Internet Access Wizard: Service Activation
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
3.3 VPN Wizard Gateway Setting
Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 18 on page 85) to open the VPN configuration wizard.
Table 17 VPN Wizard: Gateway Setting
LABEL / DESCRIPTION
Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name.
Table 18 VPN Wizard: Network Setting
LABEL / DESCRIPTION
Name: Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
Figure 32 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 19 VPN Wizard: IKE Tunnel Setting
LABEL / DESCRIPTION
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
Table 19 VPN Wizard: IKE Tunnel Setting (continued)
LABEL / DESCRIPTION
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
The following table describes the labels in this screen.
Table 20 VPN Wizard: IPSec Setting
LABEL / DESCRIPTION
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for gateway services to provide access to internal systems.
Figure 34 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 21 VPN Wizard: VPN Status
LABEL / DESCRIPTION
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL...
Table 21 VPN Wizard: VPN Status (continued)
LABEL / DESCRIPTION
Network Policy Setting
Local Network
Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the LAN behind your ZyWALL.
3.8 VPN Wizard Setup Complete
Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.
Figure 35 VPN Wizard Setup Complete
Chapter 4 Tutorial
This chapter describes how to apply security settings to VPN traffic and how to set up a 3G WAN connection.
4.1 Security Settings for VPN Traffic
The ZyWALL can apply the firewall, IDP, anti-virus, anti-spam and content filtering to the traffic going to or from the ZyWALL’s VPN tunnels.
Figure 36 IDP for From VPN Traffic
Here is how you would configure this example.
1 Click SECURITY > IDP > General.
2 Select the To LAN column’s first check box (with the interface label) to select all of the To LAN packet directions.
4.1.2 IDP for To VPN Traffic Example
You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can use IDP to protect the remote networks from intrusions that might come in through your ZyWALL’s VPN tunnels.
Figure 39 IDP Configuration for To VPN Traffic
4.2 Firewall Rule for VPN Example
The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets. Take the following example. You have a LAN FTP server with IP address 192.168.1.4 behind device A.
Figure 40 Firewall Rule for VPN
4.2.1 Configuring the VPN Rule
This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B.
1 Click Security > ...
Figure 43 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example
4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers.
Figure 44 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy
4.2.2 Configuring the Firewall Rules
Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on).
4.2.2.1 Firewall Rule to Allow Access Example
Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Insert.
Figure 45 SECURITY > ...
Figure 46 SECURITY > FIREWALL > Rule Summary > Edit: Allow
4 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 47 SECURITY > FIREWALL > Rule Summary: Allow
4.2.2.2 Default Firewall Rule to Block Other Access Example
Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.
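To make the ordering of the two rules in this example concrete, the following is an added illustration (not part of the ZyXEL guide and not ZyNOS code) that models first-match evaluation of VPN to LAN traffic: the custom permit rule for FTP to 192.168.1.4 is checked first, and everything else in that direction falls through to the default block. Device B's network (192.168.2.0/24) and the FTP port range (TCP 20-21) are assumptions, since the page does not state them.

```python
"""Model of the tutorial's VPN to LAN policy: one custom permit rule, then a
default block. Example code only; addresses for device B's network and the
FTP port range are constructed assumptions, not values from the guide."""
import ipaddress
from dataclasses import dataclass

FTP_SERVER = ipaddress.ip_address("192.168.1.4")            # from the tutorial
REMOTE_B_NETWORK = ipaddress.ip_network("192.168.2.0/24")   # assumption: LAN behind device B
FTP_SERVICE = ("TCP", 20, 21)                               # assumption: FTP control + active data


@dataclass(frozen=True)
class Packet:
    direction: str   # ZyWALL packet direction, e.g. "VPN to LAN"
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str          # "Permit" or "Block"
    src_nets: tuple = ()  # empty = any source
    dst_addrs: tuple = ()  # empty = any destination
    services: tuple = ()  # empty = any service; else (proto, low_port, high_port)

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if self.src_nets and not any(src in net for net in self.src_nets):
            return False
        if self.dst_addrs and dst not in self.dst_addrs:
            return False
        if self.services and not any(
                pkt.proto == proto and lo <= pkt.dport <= hi
                for proto, lo, hi in self.services):
            return False
        return True


class Firewall:
    """Ordered rule list; the first matching rule wins, otherwise the
    direction's default rule decides."""

    def __init__(self):
        self.rules = []
        self.default_action = {}

    def set_default(self, direction: str, action: str) -> None:
        self.default_action[direction] = action

    def insert(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, pkt: Packet) -> tuple:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action[pkt.direction], "default"


def build_tutorial_firewall() -> Firewall:
    """Section 4.2.2.1 permit rule followed by the 4.2.2.2 default block."""
    fw = Firewall()
    fw.insert(Rule(name="Allow FTP from B to FTP server", direction="VPN to LAN",
                   action="Permit", src_nets=(REMOTE_B_NETWORK,),
                   dst_addrs=(FTP_SERVER,), services=(FTP_SERVICE,)))
    fw.set_default("VPN to LAN", "Block")
    return fw


# Constructed sample traffic arriving through VPN tunnels.
SAMPLE_PACKETS = {
    "ftp_from_B": Packet("VPN to LAN", "192.168.2.10", "192.168.1.4", "TCP", 21),
    "web_from_B": Packet("VPN to LAN", "192.168.2.10", "192.168.1.4", "TCP", 80),
    "ftp_from_other_tunnel": Packet("VPN to LAN", "10.9.8.7", "192.168.1.4", "TCP", 21),
    "ftp_from_B_to_other_host": Packet("VPN to LAN", "192.168.2.10", "192.168.1.20", "TCP", 21),
}


def evaluate_samples() -> dict:
    fw = build_tutorial_firewall()
    return {label: fw.decide(pkt)[0] for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:28s} -> {verdict}")
```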
4.3 How to Set up a 3G WAN Connection
This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) for Internet access at the same time.
4.3.2 Configuring Load Balancing
In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) at the same time. You also balance the load between the two WAN interfaces using the weighted round-robin method.
2 In the network status table, make sure the status for WAN 1 and WAN 2 is not Down and there is an IP address. If the WAN 2 connection is not up, make sure you have entered the correct information in the WAN 2 screen and the signal strength to the service provider’s base station is not too low and can connect to a network.
Chapter 5 Registration 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
The IDP and anti-virus features use the same signature files on the ZyWALL to detect intrusions and scan for viruses. After the service is activated, the ZyWALL downloads the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com). You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service.
Chapter 5 Registration Figure 52 REGISTRATION The following table describes the labels in this screen. Table 22 REGISTRATION LABEL DESCRIPTION Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available. New myZyXEL.com If you haven’t created an account at myZyXEL.com, select this option and account configure the following fields to create an account and register your ZyWALL.
Chapter 5 Registration Table 22 REGISTRATION LABEL DESCRIPTION IDP/AV 3-month Trial Select the check box to activate a trial. The trial period starts the day you activate the trial. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
Chapter 5 Registration Figure 54 REGISTRATION > Service The following table describes the labels in this screen. Table 23 REGISTRATION > Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether a service is activated (Active) or not (Inactive). Registration Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
Chapter 6 LAN Screens This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35. 6.1 LAN, WAN and the ZyWALL A network is a shared communication system to which many computers are attached.
Chapter 6 LAN Screens Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
Chapter 6 LAN Screens 6.3 DHCP The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server.
Chapter 6 LAN Screens 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
Chapter 6 LAN Screens Figure 56 NETWORK > LAN The following table describes the labels in this screen. Table 24 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
Chapter 6 LAN Screens Table 24 NETWORK > LAN (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
Chapter 6 LAN Screens Table 24 NETWORK > LAN (continued) LABEL DESCRIPTION Allow between Select this check box to forward NetBIOS packets from the LAN to WAN 2 and LAN and WAN2 from WAN 2 to the LAN. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN 2 to LAN firewall rule that forwards NetBIOS traffic.
Chapter 6 LAN Screens Figure 57 NETWORK > LAN > Static DHCP The following table describes the labels in this screen. Table 25 NETWORK > LAN > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your LAN.
Chapter 6 LAN Screens The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
Chapter 6 LAN Screens The following table describes the labels in this screen. Table 26 NETWORK > LAN > IP Alias LABEL DESCRIPTION Enable IP Alias 1, Select the check box to configure another LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation.
Chapter 6 LAN Screens The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens.
Chapter 7 Bridge Screens This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 7.1 Bridge Loop The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL.
Chapter 7 Bridge Screens 7.2 Spanning Tree Protocol (STP) STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one active path exists between any two stations on the network. 7.2.1 Rapid STP The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...
Chapter 7 Bridge Screens Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down.
Chapter 7 Bridge Screens Figure 63 NETWORK > Bridge The following table describes the labels in this screen. Table 30 NETWORK > Bridge LABEL DESCRIPTION Bridge IP Address Setup IP Address Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask The subnet mask specifies the network number portion of an IP address.
Chapter 7 Bridge Screens Table 30 NETWORK > Bridge (continued) LABEL DESCRIPTION Enable Rapid Spanning Select the check box to activate RSTP on the ZyWALL. Tree Protocol Bridge Priority Enter a number between 0 and 61440 as bridge priority of the ZyWALL. Bridge priority is used in determining the root switch, root port and designated port.
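The root bridge election that the Bridge Priority field feeds into, as an added example in Python (this is not ZyXEL code, and the ZyWALL's RSTP implementation is not shown in this guide). The bridge ID is the priority followed by the bridge's MAC address, and the numerically lowest ID becomes root, so priority is compared before the MAC. The guide gives the range 0 to 61440; the step of 4096 is the IEEE 802.1w rule, because the low 12 bits of the field carry the system ID. The MAC addresses in `sample_topology()` are constructed for the example. The point a practitioner should take away is the last assertion in the test: any device on the bridged segment that sends BPDUs with priority 0 becomes root and pulls traffic through itself, so enable RSTP only on ports where you trust the attached bridges.

```python
def validate_priority(priority: int) -> int:
    """Range from the guide (0..61440); the multiple-of-4096 step is IEEE 802.1w's rule."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError("bridge priority must be 0..61440 in steps of 4096")
    return priority


def is_valid_priority(priority: int) -> bool:
    """Convenience wrapper returning a bool instead of raising."""
    try:
        validate_priority(priority)
        return True
    except ValueError:
        return False


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID as a comparable (priority, MAC-as-integer) pair; the lowest wins."""
    return (validate_priority(priority), int(mac.replace(":", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges maps name -> (priority, mac). Returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def link_to_root_lost(last_hello_s: float, now_s: float, max_age_s: float) -> bool:
    """True once a bridge has gone more than Max Age seconds without a Hello BPDU."""
    return now_s - last_hello_s > max_age_s


def sample_topology() -> dict:
    """Constructed sample MACs; every bridge at the 802.1D default priority 32768."""
    return {
        "zywall": (32768, "00:13:49:aa:bb:cc"),
        "switch1": (32768, "00:13:49:00:00:01"),
        "switch2": (32768, "00:13:49:00:00:02"),
    }


if __name__ == "__main__":
    topo = sample_topology()
    print("root:", elect_root(topo))
    topo["rogue"] = (0, "ff:ff:ff:ff:ff:ff")   # lowest priority wins despite highest MAC
    print("root after rogue BPDUs:", elect_root(topo))
```

With equal priorities the lowest MAC wins, which is why a bridge you never intended to be root often ends up in that role; set a deliberately low priority on the bridge you want as root and keep RSTP off untrusted ports.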
Chapter 7 Bridge Screens Figure 64 NETWORK > Bridge > Port Roles The following table describes the labels in this screen. Table 31 NETWORK > Bridge > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. Select a port’s DMZ radio button to use the port as part of the DMZ.
Chapter 8 WAN Screens This chapter describes how to configure WAN settings. WAN 2 refers to either the physical WAN 2 port on the ZyWALL with multiple WAN ports or the 3G card on the supported ZyWALL in router mode. 8.1 WAN Overview •...
Chapter 8 WAN Screens The ZyWALL's NAT feature allows you to configure sets of rules for one WAN interface and separate sets of rules for the other WAN interface. Refer to Chapter 21 on page 393 for details. You can select through which WAN interface you want to send out traffic from UPnP-enabled applications (see Chapter 27 on page 471).
Chapter 8 WAN Screens Figure 66 Least Load First Example If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below.
Chapter 8 WAN Screens This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively.
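The outbound interface selection policies this chapter describes (Least Load First, Weighted Round Robin and Active/Passive fail-over), modelled in Python as an added example. This is not ZyXEL's code and the ZyWALL's own implementation is not published in this guide. It assumes that the Least Load First index is measured outbound throughput divided by the interface's configured available bandwidth, that all figures are in kbit/s, that the WAN connectivity check result is represented by an `up` flag, and that `example_wans()` builds the two interfaces from the figures used in this section (WAN 1 at 1M with weight 2, WAN 2 at 512K with weight 1).

```python
from dataclasses import dataclass


@dataclass
class Wan:
    """One WAN interface as the load balancer sees it."""
    name: str
    bandwidth_kbps: int   # configured available bandwidth
    weight: int = 1       # weighted round-robin weight
    priority: int = 1     # route priority; lower number = preferred
    up: bool = True       # result of the Check WAN Connectivity test


def load_index(w: Wan, measured_kbps: int) -> float:
    """Assumed Least Load First index: share of the configured bandwidth in use."""
    if w.bandwidth_kbps <= 0:
        raise ValueError(f"{w.name}: configured bandwidth must be positive")
    return measured_kbps / w.bandwidth_kbps


def live(wans):
    """Interfaces that passed the connectivity check; fail loudly if none did."""
    up = [w for w in wans if w.up]
    if not up:
        raise RuntimeError("no WAN interface is up")
    return up


def least_load_first(wans, measured_kbps):
    """Send the next session out the live interface with the lowest load index.

    measured_kbps maps interface name -> current outbound throughput.
    """
    return min(live(wans), key=lambda w: load_index(w, measured_kbps[w.name])).name


def weighted_round_robin(wans, n):
    """First n picks of weighted round-robin over the live interfaces.

    Each interface gets `weight` slots per cycle, so weights 2:1 give
    WAN1, WAN1, WAN2, WAN1, WAN1, WAN2, ...
    """
    slots = [w.name for w in live(wans) for _ in range(w.weight)]
    return [slots[i % len(slots)] for i in range(n)]


def active_passive(wans):
    """Fail-over mode: always the highest-priority (lowest number) live interface."""
    return min(live(wans), key=lambda w: w.priority).name


def example_wans():
    """Constructed sample matching this section: WAN1 1 Mbit/s weight 2, WAN2 512 kbit/s weight 1."""
    return [Wan("WAN1", 1000, weight=2, priority=1),
            Wan("WAN2", 512, weight=1, priority=2)]


if __name__ == "__main__":
    wans = example_wans()
    print(weighted_round_robin(wans, 6))
    print(least_load_first(wans, {"WAN1": 412, "WAN2": 198}))
    wans[0].up = False
    print(active_passive(wans))
```

With the measured throughputs from the Least Load First example (412K on WAN 1, 198K on WAN 2) the indexes come out at 0.41 and 0.39, so the next session goes out WAN 2 even though WAN 1 is the faster link; in fail-over mode nothing moves to WAN 2 until the connectivity check marks WAN 1 down.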
Chapter 8 WAN Screens 8.5 TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1"...
Chapter 8 WAN Screens The following table describes the labels in this screen. Table 34 NETWORK > WAN (General) LABEL DESCRIPTION Active/Passive Select the Active/Passive (fail over) operation mode to have the ZyWALL use the (Fail Over) Mode second highest priority WAN interface as a back up. This means that the ZyWALL will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields).
Chapter 8 WAN Screens Table 34 NETWORK > WAN (General) (continued) LABEL DESCRIPTION Check WAN1/2 Select the check box to have the ZyWALL periodically test the respective WAN Connectivity interface's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN interface's default gateway IP address.
Chapter 8 WAN Screens Table 34 NETWORK > WAN (General) (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 8.7 Configuring Load Balancing To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel.
Chapter 8 WAN Screens Table 35 Load Balancing: Least Load First (continued) LABEL DESCRIPTION Interface This field displays the name of the WAN interface (WAN 1 and WAN 2). Available This field is applicable when you select Outbound + Inbound or Inbound Only in Inbound the Load Balancing Index(es) field.
Chapter 8 WAN Screens Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN 1 is the primary WAN and WAN 2 is the secondary WAN. Figure 72 Load Balancing: Spillover The following table describes the related fields in this screen.
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
Chapter 8 WAN Screens 8.11 WAN To change your ZyWALL's WAN ISP, IP and MAC settings, click NETWORK > WAN and then the WAN > WAN 1 or WAN 2 (on the ZyWALL 70 or ZyWALL 35). The screen differs by the encapsulation.
Chapter 8 WAN Screens Figure 73 NETWORK > WAN > WAN (Ethernet Encapsulation) The following table describes the labels in this screen. Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Chapter 8 WAN Screens Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued) LABEL DESCRIPTION Login Server IP Type the authentication server IP address here if your ISP gave you one. Address This field is not available for Telia Login. Login Server Type the domain name of the Telia login server, for example login1.telia.com.
Chapter 8 WAN Screens Table 40 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued) LABEL DESCRIPTION Enable Multicast Select this check box to turn on IGMP (Internet Group Management Protocol). IGMP is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data.
Chapter 8 WAN Screens Figure 74 NETWORK > WAN > WAN (PPPoE Encapsulation) The following table describes the labels in this screen. Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPPoE for a dial-up connection using PPPoE. Service Name Type the PPPoE service name provided to you by your ISP.
Chapter 8 WAN Screens Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued) LABEL DESCRIPTION Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP: PAP sends the password across the link in the clear, whereas CHAP answers a challenge from the peer with an MD5 hash of the password and the challenge, so the password itself is never transmitted. PAP, however, is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
Chapter 8 WAN Screens Table 41 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued) LABEL DESCRIPTION Enable Multicast Select this check box to turn on IGMP (Internet Group Management Protocol). IGMP is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data.
Chapter 8 WAN Screens Figure 75 NETWORK > WAN > WAN (PPTP Encapsulation) The following table describes the labels in this screen. Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time.
Chapter 8 WAN Screens Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) (continued) LABEL DESCRIPTION Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP: PAP sends the password across the link in the clear, whereas CHAP answers a challenge from the peer with an MD5 hash of the password and the challenge, so the password itself is never transmitted. PAP, however, is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
Chapter 8 WAN Screens Table 42 NETWORK > WAN > WAN (PPTP Encapsulation) (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
Chapter 8 WAN Screens The 3G downstream data rate can be up to 900 Kbps and the upstream data rate can be up to 384 Kbps when you use the Sierra AC850/860 3G card in the ZyWALL. The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, etc.
Chapter 8 WAN Screens The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. Figure 76 NETWORK > WAN > WAN 2 (3G WAN) The following table describes the labels in this screen. Table 44 NETWORK >...
Chapter 8 WAN Screens Table 44 NETWORK > WAN > WAN 2 (3G WAN) (continued) LABEL DESCRIPTION Retype to Confirm Type your password again to make sure that you have entered it correctly. PIN Code A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card.
Chapter 8 WAN Screens 8.13 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. Figure 77 Traffic Redirect WAN Setup IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ.
Chapter 8 WAN Screens For the ZyWALL 5, if the traffic redirect feature does not work after you configure the ZyWALL’s traffic redirect settings in the Traffic Redirect screen, you may need to turn on the WAN ping check by entering sys rn pingcheck in the command interpreter.
Chapter 8 WAN Screens Figure 80 NETWORK > WAN > Dial Backup The following table describes the labels in this screen. Table 46 NETWORK > WAN > Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP.
Chapter 8 WAN Screens Table 46 NETWORK > WAN > Dial Backup (continued) LABEL DESCRIPTION Retype to Confirm Type your password again to make sure that you have entered it correctly. Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this...
Chapter 8 WAN Screens Table 46 NETWORK > WAN > Dial Backup (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
Chapter 8 WAN Screens 8.16 Advanced Modem Setup 8.16.1 AT Command Strings For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.
Chapter 8 WAN Screens Figure 81 NETWORK > WAN > Dial Backup > Edit The following table describes the labels in this screen. Table 47 NETWORK > WAN > Dial Backup > Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command string to drop a call.
Chapter 8 WAN Screens Table 47 NETWORK > WAN > Dial Backup > Edit (continued) LABEL DESCRIPTION Retry Interval Type a number of seconds for the ZyWALL to wait before trying another call after a (sec) call has failed. This applies before a phone number is blacklisted. Drop Timeout Type the number of seconds for the ZyWALL to wait before dropping the DTR (sec)
Chapter 9 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
Chapter 9 DMZ Screens Figure 82 NETWORK > DMZ The following table describes the labels in this screen. Table 48 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
Chapter 9 DMZ Screens Table 48 NETWORK > DMZ (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Chapter 9 DMZ Screens Table 48 NETWORK > DMZ (continued) LABEL DESCRIPTION Allow between Select this check box to forward NetBIOS packets from the DMZ to WAN 2 and DMZ and WAN 2 from WAN 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 2 and from WAN 2 to the DMZ.
Chapter 9 DMZ Screens Figure 83 NETWORK > DMZ > Static DHCP The following table describes the labels in this screen. Table 49 NETWORK > DMZ > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your DMZ.
Chapter 9 DMZ Screens The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
Chapter 9 DMZ Screens Table 50 NETWORK > DMZ > IP Alias (continued) LABEL DESCRIPTION IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
Chapter 9 DMZ Screens Figure 85 DMZ Public Address Example 9.6 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet.
Chapter 9 DMZ Screens Figure 86 DMZ Private and Public Address Example 9.7 DMZ Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL 5 and ZyWALL 35 can be part of the LAN, DMZ or WLAN interface.
Chapter 9 DMZ Screens Figure 87 NETWORK > DMZ > Port Roles The following table describes the labels in this screen. Table 51 NETWORK > DMZ > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC address.
Do one of the following to add wireless functionality to the ZyWALL. Turn the ZyWALL off before you install or remove the wireless LAN card. See the product specifications appendix for a table of compatible ZyXEL WLAN cards (and the WLAN security features each card supports) and how to install a WLAN card.
Chapter 10 Wireless LAN • Insert a compatible wireless LAN card and enable the card in the Wireless Card screen (see Figure 98 on page 205). • Use the Port Roles screen (see Figure 92 on page 197) to set a port to be part of the WLAN and connect an access point (AP) to the WLAN interface to extend the ZyWALL’s wireless LAN coverage.
Chapter 10 Wireless LAN Table 52 NETWORK > WLAN (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. Leave it at None on any segment where the ZyWALL does not actually exchange routes with another router: with In Only or Both, the ZyWALL accepts route advertisements from any host on that segment, which would let a rogue host redirect traffic.
Chapter 10 Wireless LAN Table 52 NETWORK > WLAN (continued) LABEL DESCRIPTION Allow between Select this check box to forward NetBIOS packets from the WLAN to WAN 1 and WLAN and WAN from WAN 1 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN 1 and from WAN 1 to the WLAN.
Chapter 10 Wireless LAN Figure 89 NETWORK > WLAN > Static DHCP The following table describes the labels in this screen. Table 53 NETWORK > WLAN > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your WLAN.
Chapter 10 Wireless LAN The ZyWALL supports three logical WLAN interfaces via its single physical WLAN Ethernet interface. The ZyWALL itself is the gateway for each of the logical WLAN networks. When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets).
Chapter 10 Wireless LAN Table 54 NETWORK > WLAN > IP Alias (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
Chapter 10 Wireless LAN Figure 91 WLAN Port Role Example Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address changes with its role, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
Chapter 10 Wireless LAN Figure 92 NETWORK > WLAN > Port Roles The following table describes the labels in this screen. Table 55 NETWORK > WLAN > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address.
Chapter 10 Wireless LAN Figure 94 ZyWALL Wireless Security Levels If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator.
Chapter 10 Wireless LAN 10.6.4 Hide ZyWALL Identity If you hide the ESSID, the ZyWALL does not advertise it in beacons, so it is not listed when a wireless client scans for local APs. This is not a security control: the ESSID is still sent in the clear in probe and association frames whenever a valid client connects, so anyone capturing wireless traffic can recover it. The trade-off for “hiding” the ZyWALL may therefore be inconvenience for some valid WLAN clients with little gain.
Chapter 10 Wireless LAN 10.9.1 Introduction to RADIUS A RADIUS (Remote Authentication Dial In User Service) server enables user authentication, authorization and accounting. RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server.
Chapter 10 Wireless LAN Your ZyWALL supports EAP-MD5 (Message-Digest Algorithm 5) with the local user database. Note that EAP-MD5 authenticates only the client (the client gets no proof that it is talking to the legitimate network), derives no keying material for the session, and its challenge/response can be guessed offline by anyone who captures it. The following figure shows an overview of authentication when you specify a RADIUS server on your access point. Figure 95 EAP Authentication The details below provide a general description of how IEEE 802.1x EAP authentication works.
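The challenge/response the PPPoE and PPTP Authentication Type fields and the EAP-MD5 description refer to, written out in Python as an added example (not ZyXEL code; the ZyWALL's PPP and 802.1x implementations are not shown in this guide). PPP CHAP (RFC 1994) and EAP-MD5 (RFC 3748) both compute the response as MD5 over the identifier byte, the secret and the challenge, so one block serves both passages. The `USERS` table and the password `hunter2` are constructed sample data, the PAP packet layout follows RFC 1334 (length-prefixed peer ID and password), and `offline_guess()` shows why "more secure than PAP" still means a low-entropy password falls to a captured exchange.

```python
import hashlib
import secrets

# Constructed sample credentials; the ZyWALL's own user database is not involved.
USERS = {"alice": b"hunter2"}


def pap_authenticate_request(user: str, password: bytes) -> bytes:
    """What PAP puts on the link (RFC 1334): the password itself, readable to any sniffer."""
    return bytes([len(user)]) + user.encode() + bytes([len(password)]) + password


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh random challenge for every attempt."""
    return secrets.token_bytes(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP / EAP-MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret and compare in constant time."""
    secret = USERS.get(user)
    if secret is None:
        return False
    return secrets.compare_digest(chap_response(identifier, secret, challenge), response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Attacker side: a captured challenge/response pair is enough to test guesses offline."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def exchange(user: str, secret: bytes, identifier: int = 1):
    """One full CHAP exchange: challenge out, response back, verdict. Returns all three."""
    challenge = chap_challenge()
    response = chap_response(identifier, secret, challenge)
    return challenge, response, chap_verify(user, identifier, challenge, response)


if __name__ == "__main__":
    ch, resp, ok = exchange("alice", b"hunter2")
    print("CHAP accepted:", ok)
    print("PAP on the wire:", pap_authenticate_request("alice", b"hunter2"))
    print("offline guess:", offline_guess(1, ch, resp, [b"password", b"letmein", b"hunter2"]))
```

The identifier byte changes with every attempt, so an old response cannot simply be replayed, but nothing in the exchange is keyed: whoever sees the challenge and the response can run the same MD5 over a wordlist. That is the reason the guide's note that CHAP is "more secure" holds only for the transport, not for weak passwords.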
Chapter 10 Wireless LAN 10.11 Introduction to WPA Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption. 10.11.1 User Authentication WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database.
Chapter 10 Wireless LAN 10.12 WPA-PSK Application Example A WPA-PSK application looks as follows. 1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).
10.16 Wireless Card Turn the ZyWALL off before you install or remove the wireless LAN card. See the product specifications appendix for a table of compatible ZyXEL WLAN cards (and the WLAN security features each card supports) and how to install a WLAN card.
802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN. Wireless Card This field displays whether or not a compatible ZyXEL wireless LAN card is installed. ESSID (Extended Service Set IDentity) The ESSID identifies the Service Set with which a wireless station is associated.
Otherwise, select the security you need and see the following sections for more information. Note: The installed ZyXEL WLAN card may not support all of the WLAN security features you can configure in the ZyWALL. Please see the product specifications appendix for a table of compatible ZyXEL WLAN cards and the WLAN security features each card supports.
Chapter 10 Wireless LAN 10.16.1 Static WEP Static WEP encrypts wireless data with a fixed key. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be used at any one time. WEP is cryptographically broken: an attacker who captures enough traffic can recover the key regardless of its length. Use static WEP only for legacy clients that support nothing stronger, and prefer WPA-PSK or WPA wherever the installed card and the clients allow it.
Chapter 10 Wireless LAN 10.16.2 WPA-PSK Click NETWORK > WIRELESS CARD to display the Wireless Card screen. Select WPA- PSK from the Security list. Figure 100 NETWORK > WIRELESS CARD: WPA-PSK The following wireless LAN security fields become available when you select WPA-PSK in the Security drop down list-box.
Chapter 10 Wireless LAN Table 59 NETWORK > WIRELESS CARD: WPA-PSK (continued) LABEL DESCRIPTION WPA Group Key Update Timer (Seconds) The WPA Group Key Update Timer is the rate at which the ZyWALL (acting as the access point) sends a new group key out to all associated clients. This applies under both WPA-PSK and WPA (RADIUS) key management: the RADIUS server only authenticates users, and the group key is always generated and distributed by the access point.
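How the 8-to-63-character pre-shared key from Section 10.12 becomes the 256-bit key both sides actually use, as an added example in Python (not ZyXEL code; the ZyWALL's wireless driver is not shown in this guide). The mapping is the IEEE 802.11i one: PBKDF2 with HMAC-SHA1, the ESSID as salt, 4096 iterations, 32 bytes out. The passphrase/ESSID pair `password`/`IEEE` is the standard's published test vector; the other inputs are constructed for the example. Because the ESSID is the only salt, a common ESSID lets an attacker reuse precomputed tables across networks, and the PSK is only as strong as the passphrase's entropy.

```python
import hashlib


def validate_passphrase(passphrase: str) -> str:
    """The guide's rule: 8 to 63 ASCII characters, spaces and symbols allowed."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrase must be printable ASCII")
    return passphrase


def is_valid_passphrase(passphrase: str) -> bool:
    """Convenience wrapper returning a bool instead of raising."""
    try:
        validate_passphrase(passphrase)
        return True
    except ValueError:
        return False


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping.

    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256-bit output); the
    result is the PMK that the AP and every client derive independently.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        validate_passphrase(passphrase).encode("ascii"),
        ssid.encode("utf-8"),
        4096,
        32,
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form, as a client might display or accept the raw 64-character PSK."""
    return wpa_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    print(psk_hex("password", "IEEE"))               # the 802.11i Annex H vector
    print(psk_hex("correct horse battery", "office"))
    print(psk_hex("correct horse battery", "office2"))  # same passphrase, different salt
```

Entering identical passphrases on the AP and all clients, as Section 10.12 says, works because each side runs this derivation locally; the passphrase itself is never sent. Changing the ESSID therefore also changes the PSK on every device, which is why clients must be re-keyed after an ESSID change.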
Chapter 10 Wireless LAN Table 60 NETWORK > WIRELESS CARD: WPA (continued) LABEL DESCRIPTION Idle Timeout The ZyWALL automatically disconnects a wireless station from the wireless (Seconds) network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
Chapter 10 Wireless LAN The following wireless LAN security fields become available when you select 802.1x + Dynamic WEP in the Security drop down list-box. Table 61 NETWORK > WIRELESS CARD: 802.1x + Dynamic WEP LABEL DESCRIPTION Security Select 802.1x + Dynamic WEP from the drop-down list. ReAuthentication Specify how often wireless stations have to resend user names and passwords in Timer (Seconds)
Chapter 10 Wireless LAN Figure 103 NETWORK > WIRELESS CARD: 802.1x + Static WEP The following wireless LAN security fields become available when you select 802.1x + Static WEP in the Security drop down list-box. Table 62 NETWORK > WIRELESS CARD: 802.1x + Static WEP LABEL DESCRIPTION Security...
Chapter 10 Wireless LAN Table 62 NETWORK > WIRELESS CARD: 802.1x + Static WEP (continued) LABEL DESCRIPTION Idle Timeout The ZyWALL automatically disconnects a wireless station from the wireless network (Seconds) after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
Chapter 10 Wireless LAN The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop down list-box. Table 63 NETWORK > WIRELESS CARD: 802.1x + No WEP LABEL DESCRIPTION Security Select 802.1x + No WEP from the drop-down list. ReAuthenticatio Specify how often wireless stations have to resend user names and passwords in n Timer...
Chapter 10 Wireless LAN Figure 105 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop down list-box. Table 64 NETWORK > WIRELESS CARD: No Access 802.1x + Static WEP LABEL DESCRIPTION Security...
Chapter 10 Wireless LAN 10.17 MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address, but a client's MAC address can be changed in software, so a MAC filter only deters casual association; it is not a substitute for WPA encryption and authentication.
Chapter 10 Wireless LAN Table 65 NETWORK > WIRELESS CARD: MAC Address Filter LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 5/35/70 Series User’s Guide...
Chapter 11 Firewall This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview The networking term firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network.
Chapter 11 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
Chapter 11 Firewall To set the ZyWALL to by default silently block traffic from WAN 1 from going to the DMZ interfaces, you would find where the From WAN1 row and the To DMZ column intersect and set the field to Drop as shown. Figure 109 Default Block Traffic From WAN1 to DMZ Example 11.3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of packets to which they apply.
Chapter 11 Firewall By default, the ZyWALL drops packets traveling in the following directions. • WAN 1 to LAN These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to: •...
Chapter 11 Firewall For example, by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the ZyWALL’s VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL’s VPN tunnels.
Chapter 11 Firewall 11.3.2 From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to” interface.
Chapter 11 Firewall Figure 113 Block VPN to LAN Traffic by Default Example 11.3.3 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN, Section 18.16 on page 356 for details).
Chapter 11 Firewall Figure 114 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 115 Block VPN to VPN Traffic by Default Example ZyWALL 5/35/70 Series User’s Guide...
Chapter 11 Firewall 11.4 Security Considerations Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
Chapter 11 Firewall Your firewall would have the following configuration. Table 66 Blocking All LAN to WAN IRC Traffic Example DESTINATIO SOURCE SCHEDULE SERVICE ACTION Drop Default Allow • The first row blocks LAN access to the IRC service on the WAN. •...
Chapter 11 Firewall • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
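The rule ordering that the two IRC tables above illustrate, as an added Python example (not ZyWALL code): rules are evaluated in the listed order, the first match decides the action, and the direction's default rule applies when nothing matches. The LAN prefix 192.168.1.0/24, the WAN address and the IRC port (TCP 6667) are assumptions; shadowed_rules additionally flags a rule that an earlier, broader rule prevents from ever matching, which is the mistake the ordering warning is about.

```python
"""Added example (not ZyWALL code): first-match firewall rule evaluation.

The rules are checked in the order listed, the first rule whose source,
destination and service all match decides the action, and the direction's
default rule applies when nothing matches. The two rule tables are the IRC
examples from the chapter; the LAN prefix, WAN address and IRC port are
assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IRC = ("tcp", 6667)          # assumed port for the IRC service
ANY_SERVICE = ("any", None)

@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # CIDR prefix or "any"
    destination: str     # CIDR prefix or "any"
    service: tuple       # (protocol, port) or ANY_SERVICE
    action: str          # "drop" or "allow"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def _addr_matches(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern)

def _service_matches(service, pkt):
    proto, port = service
    return proto == "any" or (proto == pkt.proto and port == pkt.dport)

def evaluate(rules, default_action, pkt):
    """Return (action, rule_name) of the first matching rule, else the default."""
    for rule in rules:
        if (_addr_matches(rule.source, pkt.src)
                and _addr_matches(rule.destination, pkt.dst)
                and _service_matches(rule.service, pkt)):
            return rule.action, rule.name
    return default_action, "default"

def _prefix_covers(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))

def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers them.

    Only the simple case is flagged: the earlier rule's prefixes contain the
    later rule's prefixes and the services are equal (or the earlier is 'any').
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_prefix_covers(earlier.source, later.source)
                    and _prefix_covers(earlier.destination, later.destination)
                    and earlier.service in (ANY_SERVICE, later.service)):
                shadowed.append(later.name)
                break
    return shadowed

# Table 66: block all LAN -> WAN IRC; everything else falls through to the default.
BLOCK_ALL_IRC = [Rule("block-irc", "192.168.1.0/24", "any", IRC, "drop")]

# Second table: 192.168.1.7 is allowed first, then IRC is blocked for the rest.
ALLOW_ONE_HOST = [
    Rule("allow-irc-host", "192.168.1.7/32", "any", IRC, "allow"),
    Rule("block-irc", "192.168.1.0/24", "any", IRC, "drop"),
]

# The same two rules in the wrong order: the broad drop shadows the per-host allow.
WRONG_ORDER = list(reversed(ALLOW_ONE_HOST))

if __name__ == "__main__":
    # Constructed sample packets: two LAN hosts talking to an assumed WAN address.
    irc_from_host = Packet("192.168.1.7", "203.0.113.5", "tcp", 6667)
    irc_from_other = Packet("192.168.1.20", "203.0.113.5", "tcp", 6667)
    web_from_other = Packet("192.168.1.20", "203.0.113.5", "tcp", 80)
    for label, rules in [("block all", BLOCK_ALL_IRC),
                         ("allow one host", ALLOW_ONE_HOST),
                         ("wrong order", WRONG_ORDER)]:
        for pkt in (irc_from_host, irc_from_other, web_from_other):
            print(label, pkt.src, pkt.dport, evaluate(rules, "allow", pkt))
        print(label, "shadowed:", shadowed_rules(rules))
```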
Figure 118 Using IP Alias to Solve the Triangle Route Problem

11.7 Firewall Default Rule (Router Mode)
Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode.

Figure 119 SECURITY >...

The following table describes the labels in this screen.

Table 68 SECURITY > FIREWALL > Default Rule (Router Mode)
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Note: When you activate the firewall, all current connections through the ZyWALL are dropped when you apply your changes.

Table 68 SECURITY > FIREWALL > Default Rule (Router Mode) (continued)
Select the check box next to a direction of packet travel to create a log when the above action is taken for packets that are traveling in that direction and do not match any of your customized rules.

The following table describes the labels in this screen.

Table 69 SECURITY > FIREWALL > Default Rule (Bridge Mode)
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Note: When you activate the firewall, all current connections through the ZyWALL are dropped when you apply your changes.

11.9 Firewall Rule Summary
Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. The ordering of your rules is very important, as rules are applied in the order that they are listed.

Table 70 SECURITY > FIREWALL > Rule Summary
This is your firewall rule number. The ordering of your rules is important, as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop-down lists.

The following table describes the labels in this screen.

Table 71 SECURITY > FIREWALL > Rule Summary > Edit
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address: ...

Table 71 SECURITY > FIREWALL > Rule Summary > Edit (continued)
Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.

The following table describes the labels in this screen.

Table 72 SECURITY > FIREWALL > Anti-Probing
Respond to PING: Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface's check box to have the ZyWALL not respond to any Ping requests that come into that interface.

11.11.1 Threshold Values
If everything is working properly, you probably do not need to change the threshold settings, as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs, or the logs show that the ZyWALL is classifying normal traffic as DoS attacks.

The following table describes the labels in this screen.

Table 73 SECURITY > FIREWALL > Threshold
Disable DoS Attack Protection on: Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds.

11.13 Service
Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or to view the services that are predefined in the ZyWALL. See Section 11.1 on page 221 for more information about the firewall.

Table 74 SECURITY > FIREWALL > Service (continued)
Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
Attribute: This is the IP port number or ICMP type and code that defines the service.
Modify: Click the edit icon to go to the screen where you can edit the service.

The following table describes the labels in this screen.

Table 75 SECURITY > FIREWALL > Service > Add
Service Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the custom service. You cannot use the "(" character.

Figure 129 My Service Firewall Rule Example: Edit Custom Service
3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box.
4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.

Figure 131 My Service Firewall Rule Example: Rule Edit
9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list box and the Rule Summary list box.

Figure 132 My Service Firewall Rule Example: Rule Configuration
Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Chapter 12 Intrusion Detection and Prevention (IDP)

This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL.

12.1 Introduction to IDP
An IDP system can detect malicious or suspicious packets and respond instantaneously.

12.1.1 Firewalls and Intrusions
Firewalls are designed to block clearly suspicious traffic and forward other traffic through. Many exploits take advantage of weaknesses in the protocols that are allowed through the firewall, so that once an inside server has been compromised it can be used as a backdoor to launch attacks on other servers.

12.1.5 Example Intrusions
The following are some examples of intrusions.

12.1.5.1 SQL Slammer Worm
W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service port.

See Section 13.2 on page 256 for more information on how to apply IDP to ZyWALL interfaces. IDP is regularly updated by the ZyXEL Security Response Team (ZSRT). Regular updates are vital, as new intrusions evolve.
Chapter 13 Configuring IDP

This chapter shows you how to configure IDP on the ZyWALL.

13.1 Overview
To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card guide for details. Turn the ZyWALL off before you install or remove the ZyWALL Turbo Card.

Figure 135 Applying IDP to Interfaces

13.2 General Setup
Use this screen to enable IDP on the ZyWALL and choose which traffic flows the ZyWALL checks for intrusions. Click SECURITY > IDP from the navigation panel. General is the first screen, as shown in the following figure.

The following table describes the labels in this screen.

Table 76 SECURITY > IDP > General Setup
General Setup
Enable Intrusion Detection and Prevention: Select this check box to enable IDP on the ZyWALL. When this check box is cleared the ZyWALL is in IDP "bypass"...

13.3 IDP Signatures
The rules that define how to identify and respond to intrusions are called "signatures". Click SECURITY > IDP > Signatures to see the ZyWALL's signatures.

13.3.1 Attack Types
Click SECURITY > IDP > Signature. The Attack Type list box displays all intrusion types supported by the ZyWALL.

Table 77 SECURITY > IDP > Signature: Attack Types (continued)
Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server.

Figure 138 SECURITY > IDP > Signature: Actions

The following table describes signature actions.

Table 79 SECURITY > IDP > Signature: Actions
No Action: The intrusion is detected but no action is taken.
Drop Packet: The packet is silently discarded.

The following table describes the labels in this screen.

Table 80 SECURITY > IDP > Signature: Group View
Signature Groups
Switch to query view: Click this hyperlink to go to a screen where you can search for signatures based on criteria other than attack type.

Table 80 SECURITY > IDP > Signature: Group View (continued)
Apply: Click this button to save your changes back to the ZyWALL.
Reset: Click this button to begin configuring this screen afresh.

13.3.5 Query View
Click IDP >...

Table 81 SECURITY > IDP > Signature: Query View (continued)
Severity: Search for signatures by severity level(s) (see Table 78 on page 259).
Type: Search for signatures by attack type(s) (see Table 77 on page 258).

Table 81 SECURITY > IDP > Signature: Query View (continued)
Alert: You can only edit the Alert check box when the corresponding Log check box is selected. Select this check box to have an e-mail sent when a match is found for a signature.

Figure 141 SECURITY > IDP > Signature: Query by Partial Name
Figure 142 SECURITY > IDP > Signature: Query by Complete ID

13.3.5.2 Query Example 2
1 From the "group view" signature screen, click the Switch to query view link.
2 Select Signature Search By Attributes.

Figure 143 Signature Query by Attribute

13.4 Update
The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.

Click the intrusion ID hyperlink to go directly to information on that signature, or enter https://mysecurity.zyxel.com/mysecurity/ as the URL in your web browser. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/. You can use your myZyXEL.com username and password to log into mySecurityZone.

Version: This field displays the signature version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures. This number increments as new signatures are added, so you should refer to this number regularly.

13.5 Backup and Restore
You can change the pre-defined settings of individual Active, Log, Alert and/or Action signatures.

Figure 145 SECURITY > IDP > Backup & Restore

Use the Backup & Restore screen to:
• Back up IDP signatures with your custom configured settings. Click Backup and then choose a location and filename for the IDP configuration set.
Chapter 14 Anti-Virus

This chapter introduces and shows you how to configure the anti-virus scanner.

14.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.

3 The infected files are unintentionally sent to another computer, thus starting the spread of the virus.
4 Once the virus has spread through the network, the number of infected networked computers can grow exponentially.

14.1.3 Types of Anti-Virus Scanner
This section describes two types of anti-virus scanner: host-based and network-based.

Figure 146 ZyWALL Anti-virus Example

The following describes the virus scanning process on the ZyWALL.
1 The ZyWALL first identifies SMTP, POP3, HTTP and FTP packets through standard ports.
2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets.

The ZyWALL Turbo Card does not have a MAC address.

The following lists important notes about the anti-virus scanner:
1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses.
2 When a virus is detected, an alert message is displayed on Microsoft Windows computers.

Figure 147 SECURITY > ANTI-VIRUS > General

The following table describes the labels in this screen.

Table 84 SECURITY > ANTI-VIRUS > General
General Setup
Enable Anti-Virus: Select this check box to check traffic for viruses. The anti-virus scanner works on the following.

Table 84 SECURITY > ANTI-VIRUS > General (continued)
From, To: Select the directions of travel of packets that you want to check. Select or clear a row or column's first check box (with the interface label) to select or clear the interface's whole row or column.

Figure 148 SECURITY > ANTI-VIRUS > Signature: Query View

The following table describes the labels in this screen.

Table 85 SECURITY > ANTI-VIRUS > Signature: Query View
Query Signatures: Select the criteria on which to perform the search.
Signature Search: Select this radio button if you would like to search the signatures by name or ID.

Figure 150 Query Example Search Results

14.5 Signature Update
The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.

14.5.1 mySecurityZone
mySecurityZone is a web portal that provides all security-related information, such as intrusion and anti-virus information, for ZyXEL security products. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/. You can use your myZyXEL.com username and password to log into mySecurityZone.

Version: This field displays the signature version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures. This number increments as new signatures are added, so you should refer to this number regularly.

14.6 Backup and Restore
Click ANTI-VIRUS > Backup & Restore. The screen displays as shown next. You can change the pre-defined Active, Log, Alert, Send Windows Message and/or Destroy File settings of individual signatures.

Figure 152 SECURITY > ANTI-VIRUS > Backup and Restore

Use the Backup &...
Chapter 15 Anti-Spam

This chapter covers how to use the ZyWALL's anti-spam feature to deal with junk e-mail (spam).

15.1 Anti-Spam Overview
The ZyWALL's anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam. The ZyWALL can use an anti-spam external database to help identify spam.

15.1.1.1 SpamBulk Engine
The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a database of e-mail fingerprint IDs.

Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are common tricks for which the SpamTricks engine checks. The SpamTricks engine also checks for "phishing" (see Section 15.1.3 on page 285 for more on phishing).

15.1.2 Spam Threshold
You can configure the threshold for what spam score is classified as spam.

15.1.4 Whitelist
Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the ZyWALL classify any e-mail that is from a specified sender or uses a specified MIME (Multipurpose Internet Mail Extensions) header or MIME header value as being legitimate (see Section 15.1.7 on page 286 for more on MIME headers).

In a MIME header, the part that comes before the colon (:) is the header. The part that comes after the colon is the value. Spam often has blank header values or comments in them that are part of an attempt to bypass spam filters.

Table 87 SECURITY > ANTI-SPAM > General
From, To: Select the directions of travel of packets that you want to check. Select or clear a row or column's first check box (with the interface label) to select or clear the interface's whole row or column.

Table 87 SECURITY > ANTI-SPAM > General (continued)
Forward SMTP & POP3 mail with tag in mail subject: Select this radio button to have the ZyWALL forward spam e-mail with the mail tag that you define. Even if you plan to use the discard option, you may want to use this initially as a test to check how accurate your anti-spam settings are.

Figure 155 SECURITY > ANTI-SPAM > External DB

The following table describes the labels in this screen.

Table 88 SECURITY > ANTI-SPAM > External DB
External Database
Enable External Database: Enable the anti-spam external database feature to have the ZyWALL calculate a digest of an e-mail and send it to an anti-spam external database.

Table 88 SECURITY > ANTI-SPAM > External DB (continued)
Action for No Spam Score: Use this field to configure what the ZyWALL does if it does not receive a valid response from the anti-spam external database. If the ZyWALL does not receive a response within seven seconds, it sends the e-mail digest a second time.

Figure 156 SECURITY > ANTI-SPAM > Lists

The following table describes the labels in this screen.

Table 89 SECURITY > ANTI-SPAM > Lists
Resource Usage
Whitelist & Blacklist Storage Space in Use: This bar displays the percentage of the ZyWALL's anti-spam whitelist and blacklist storage space that is currently in use.

Table 89 SECURITY > ANTI-SPAM > Lists (continued)
Use Blacklist: Select this check box to have the ZyWALL treat e-mail that matches a blacklist entry as spam.
Active: This field shows whether or not an entry is turned on.
Type: This field displays whether the entry is based on the e-mail's source IP address, source e-mail address, a MIME header or the e-mail's subject.

The following table describes the labels in this screen.

Table 90 SECURITY > ANTI-SPAM > Lists > Edit
Rule Edit
Active: Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corresponding list (in the Anti-Spam Customization screen) and the anti-spam feature (in the Anti-Spam General screen).

Table 90 SECURITY > ANTI-SPAM > Lists > Edit (continued)
Header: This field displays when you select the MIME Header type. Type the header part of a MIME header (up to 63 ASCII characters). In a MIME header, the header is the part that comes before the colon (:). For example, if you want the whitelist or blacklist entry to check for the MIME header "X-MSMail-Priority: Normal", enter "X-MSMail-Priority"...
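How whitelist and blacklist entries of the types listed above (source IP address, sender address, MIME header, subject) can be matched against a message and combined with the spam threshold, as an added Python example that is not ZyWALL code. A MIME header entry is split at the colon into header and value as the Header field describes; the convention that an entry with a blank value matches on the header name alone, the whitelist-before-blacklist precedence, the score values and the sample messages are assumptions made for this example.

```python
"""Added example (not ZyWALL code): whitelist/blacklist entry matching and
spam threshold classification.

Entry types follow the Lists screen: source IP address, source e-mail
address, MIME header and subject. A MIME header entry is written as
"Header-Name: value"; the part before the colon is the header, the part
after it the value. An entry with a blank value matches on the header name
alone (a convention chosen for this example). Precedence is whitelist, then
blacklist, then the spam score against the threshold (also assumed here).
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

@dataclass(frozen=True)
class ListEntry:
    kind: str      # "ip", "sender", "header" or "subject"
    pattern: str   # address/text to compare, or "Header-Name: value" for "header"

def _header_parts(pattern):
    """Split "X-MSMail-Priority: Normal" into ("x-msmail-priority", "normal")."""
    name, _, value = pattern.partition(":")
    return name.strip().lower(), value.strip().lower()

def entry_matches(entry, msg, source_ip):
    """True if the whitelist/blacklist entry matches this message."""
    if entry.kind == "ip":
        return entry.pattern == source_ip
    if entry.kind == "sender":
        return parseaddr(msg.get("From", ""))[1].lower() == entry.pattern.lower()
    if entry.kind == "subject":
        return entry.pattern.lower() in msg.get("Subject", "").lower()
    if entry.kind == "header":
        name, value = _header_parts(entry.pattern)
        for got in msg.get_all(name, []):
            # Blank value in the entry: any value (including a blank one) matches.
            if value == "" or got.strip().lower() == value:
                return True
        return False
    raise ValueError(f"unknown entry type {entry.kind!r}")

def classify(msg, source_ip, whitelist, blacklist, spam_score, threshold,
             no_score_verdict="legitimate"):
    """Return (verdict, reason); verdict is "legitimate" or "spam".

    spam_score is None when the external database gave no valid response, in
    which case no_score_verdict stands in for the 'Action for No Spam Score'.
    """
    for entry in whitelist:
        if entry_matches(entry, msg, source_ip):
            return "legitimate", f"whitelist {entry.kind}"
    for entry in blacklist:
        if entry_matches(entry, msg, source_ip):
            return "spam", f"blacklist {entry.kind}"
    if spam_score is None:
        return no_score_verdict, "no spam score"
    if spam_score >= threshold:
        return "spam", "score above threshold"
    return "legitimate", "score below threshold"

# Constructed sample messages for the example (not real mail).
NEWSLETTER = message_from_string(
    "From: Newsletter <news@example.com>\r\n"
    "To: user@example.net\r\n"
    "Subject: Weekly update\r\n"
    "X-MSMail-Priority: Normal\r\n"
    "\r\nbody\r\n")
BLANK_PRIORITY = message_from_string(
    "From: promo@example.org\r\n"
    "To: user@example.net\r\n"
    "Subject: You won\r\n"
    "X-Priority:\r\n"           # blank header value, one of the tricks the chapter mentions
    "\r\nbody\r\n")

WHITELIST = [ListEntry("sender", "news@example.com")]
BLACKLIST = [ListEntry("header", "X-Priority:"), ListEntry("subject", "you won")]

if __name__ == "__main__":
    print(classify(NEWSLETTER, "198.51.100.10", WHITELIST, BLACKLIST, 80, 50))
    print(classify(BLANK_PRIORITY, "198.51.100.20", WHITELIST, BLACKLIST, 10, 50))
    print(classify(NEWSLETTER, "198.51.100.10", [], [], None, 50))
```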
Chapter 16 Content Filtering Screens

This chapter provides an overview of content filtering.

16.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as cookies, and/or block access to specific websites. With content filtering, you can do the following:

16.1.1 Restrict Web Features
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, and disable web proxies.

Figure 158 SECURITY > CONTENT FILTER > General

The following table describes the labels in this screen.

Table 91 SECURITY > CONTENT FILTER > General
General Setup
Enable Content Filter: Select this check box to enable the content filter. Content filtering works on HTTP traffic that is using TCP ports 80, 119, 3128 or 8080.

Table 91 SECURITY > CONTENT FILTER > General (continued)
Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.

Table 91 SECURITY > CONTENT FILTER > General (continued)
Delete Range: Click Delete Range after you select the range of addresses you wish to delete.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Use this screen to configure category-based content filtering. You can set the ZyWALL to use external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it. Use the REGISTRATION screens (see Chapter 5 on page 119) to create a myZyXEL.com account,...

Figure 160 SECURITY > CONTENT FILTER > Categories

The following table describes the labels in this screen.

Table 92 SECURITY > CONTENT FILTER > Categories
Auto Category Setup
Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs.

Table 92 SECURITY > CONTENT FILTER > Categories (continued)
Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.

Table 92 SECURITY > CONTENT FILTER > Categories (continued)
Nudity: Selecting this category excludes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of an artistic nature.

Table 92 SECURITY > CONTENT FILTER > Categories (continued)
Business/Economy: Selecting this category excludes pages devoted to business firms, business information, economics, marketing, business management and entrepreneurship. This does not include pages that perform services that are defined in another category (such as Information Technology companies, or companies that sell travel services).

Table 92 SECURITY > CONTENT FILTER > Categories (continued)
Health: Selecting this category excludes pages that provide advice and information on general health such as fitness and well-being, personal health or medical services, drugs, alternative and complementary therapies, medical information about ailments, dentistry, optometry, general psychiatry, self-help, and support organizations dedicated to a disease or condition.

Table 92 SECURITY > CONTENT FILTER > Categories (continued)
Email: Selecting this category excludes pages offering web-based email services, such as online email reading, e-cards, and mailing list services.
Blogs/Newsgroups: Selecting this category excludes pages that offer access to Usenet newsgroups or other messaging or bulletin board systems.

Table 92 SECURITY > CONTENT FILTER > Categories (continued)
Sports/Recreation/Hobbies: Selecting this category excludes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.

Table 92 SECURITY > CONTENT FILTER > Categories (continued)
Content Filter Service Status: This read-only field displays the status of your category-based content filtering (using an external database) service subscription. License Inactive displays if you have not registered and activated the category-based content filtering service.

Figure 161 SECURITY > CONTENT FILTER > Customization

The following table describes the labels in this screen.

Table 93 SECURITY > CONTENT FILTER > Customization
Web Site List Customization
Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.

Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include "http://". All subdomains are allowed. For example, entering "zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", etc.

16.6.2 Full Path URL Checking
Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/. Use the...
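The two matching behaviours just described (host list entries that cover every subdomain, and keyword search restricted to the part of the URL before the last slash), as an added Python example that is not ZyWALL code. The sample URLs, the keyword lists and the precedence trusted list, then forbidden list, then keyword check are assumptions made for this example.

```python
"""Added example (not ZyWALL code): the Customization screen's matching rules.

1. Trusted/forbidden host entries such as "zyxel.com" cover the host itself
   and every subdomain ("www.zyxel.com", "press.zyxel.com"). Matching is done
   on whole DNS labels, so "notzyxel.com" does not match "zyxel.com".
2. Full path URL checking searches keywords only in the part of the URL up to
   and including the last slash: for www.zyxel.com.tw/news/pressroom.php that
   is www.zyxel.com.tw/news/, so a keyword in the file name is not examined.
The precedence in decide() and the sample URLs are assumptions for the example.
"""
from urllib.parse import urlsplit

def _with_scheme(url):
    """Entries and some URLs are given without "http://"; urlsplit needs one."""
    return url if "://" in url else "http://" + url

def host_in_list(host, entries):
    """True if host equals an entry or is a subdomain of one (label-wise)."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False

def full_path_prefix(url):
    """Return the host plus the path up to and including the last slash."""
    parts = urlsplit(_with_scheme(url))
    path = parts.path or "/"
    return parts.netloc.lower() + path[: path.rfind("/") + 1]

def keyword_hits(url, keywords, full_path=True):
    """Keywords found in the URL; full_path=True restricts the search to the
    directory part, full_path=False searches the whole URL (case-insensitive)."""
    haystack = full_path_prefix(url) if full_path else url.lower()
    return [k for k in keywords if k.lower() in haystack]

def decide(url, trusted, forbidden, keywords, full_path=True):
    """Apply the trusted list, then the forbidden list, then the keyword check."""
    host = urlsplit(_with_scheme(url)).hostname or ""
    if host_in_list(host, trusted):
        return "allow", "trusted site"
    if host_in_list(host, forbidden):
        return "block", "forbidden site"
    hits = keyword_hits(url, keywords, full_path)
    if hits:
        return "block", "keyword " + hits[0]
    return "allow", "no match"

if __name__ == "__main__":
    # Constructed sample inputs for the example.
    trusted = ["zyxel.com", "zyxel.com.tw"]
    forbidden = ["bad-site.example"]
    keywords = ["news", "pressroom", "games"]
    for url in ("www.zyxel.com.tw/news/pressroom.php",
                "http://press.zyxel.com/index.html",
                "http://notzyxel.com/news/",
                "http://download.bad-site.example/setup.exe",
                "http://example.org/games/index.html"):
        print(url, decide(url, trusted, forbidden, keywords))
```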
Figure 162 SECURITY > CONTENT FILTER > Cache

The following table describes the labels in this screen.

Table 94 SECURITY > CONTENT FILTER > Cache
URL Cache Setup
Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
Chapter 17 Content Filtering Reports

This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 119 for how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.

Figure 163 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see...

Figure 165 myZyXEL.com: Service Management
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 165 on page 317).

Figure 167 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.

Figure 168 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field, and a category (or enter the user name if you want to view single user reports), and click Run Report. The screens vary according to the report type you selected in the Report Home screen.

Figure 169 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.

Figure 170 Requested URLs Example

17.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.

Figure 171 Web Page Review Process Screen
3 Type the web site's URL in the field and click Submit to have the web site reviewed.
Chapter 18 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL.
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well.
Figure 176 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in this screen. Table 95 SECURITY > VPN > VPN Rules (IKE) LABEL DESCRIPTION VPN Rules These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks.
Table 95 SECURITY > VPN > VPN Rules (IKE) (continued) LABEL DESCRIPTION Click this icon to display a screen in which you can associate a network policy to a gateway policy. Click this icon to display a screen in which you can change the settings of a gateway or network policy.
See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 18.3.1.1 on page 328 for more information about DH key groups. 18.3.1.1 Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for the IKE SA and IPSec SA.
Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.
• If you set the peer ID type to Any, the ZyWALL authenticates the remote IPSec router using the trusted certificates and trusted CAs you have set up. Alternatively, if you want to use a specific certificate to authenticate the remote IPSec router, you can use the information in the certificate to specify the peer ID type and ID content.
Aggressive mode does not provide as much security as main mode because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters).
Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic. If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected. An IPSec SA can be set to nailed up. Normally, the ZyWALL drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic.
• Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections • Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0) •...
The following table describes the labels in this screen. Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Fall back to Primary Remote Gateway when possible: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again. Fall Back Check...
Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 20 on page...
Table 98 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Associated Network Policies The following table shows the policy(ies) you configure for this rule. To add a VPN policy, click the add network policy ( ) icon in the VPN Rules (IKE) screen (see Figure 176 on page...
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 18.6.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
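The DH key exchange of Section 18.3.1.1 and the PFS behaviour described above, as an added example that is not part of this User's Guide or of the ZyWALL firmware. It simulates two peers: phase 1 runs one DH exchange for the IKE SA, then each IPSec SA either derives its key from that phase-1 secret (no PFS) or runs a fresh DH exchange (PFS). The group (a 127-bit Mersenne prime) and the HMAC-based key derivation are constructed stand-ins, not the RFC 2409 groups or the real IKE PRF; `keys_from_leaked_root` shows what an observer who later obtains the phase-1 secret can reconstruct from the recorded exchange.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (a Mersenne prime, generator 2). It is far too small
# for real use; the ZyWALL's DH key groups are the RFC 2409 MODP groups.
TOY_P = (1 << 127) - 1
TOY_G = 2


def dh_keypair(p=TOY_P, g=TOY_G):
    """Return (private exponent, public value) for one side of a DH exchange."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=TOY_P):
    """The shared secret g^(xa*xb) mod p, computed from the peer's public value."""
    return pow(peer_public, private, p)


def derive_key(secret_int, label, nonce_i, nonce_r):
    """Stand-in KDF (an assumption, not the ZyWALL's exact IKE derivation):
    a session key is an HMAC of the secret over a label and both peers' nonces."""
    secret = secret_int.to_bytes((secret_int.bit_length() + 7) // 8 or 1, "big")
    return hmac.new(secret, label + nonce_i + nonce_r, hashlib.sha1).digest()


def negotiate(pfs, n_sas):
    """Phase 1 (one DH exchange for the IKE SA) followed by n_sas phase-2
    negotiations. Returns the phase-1 secret, the wire transcript an observer
    could record, and the IPSec keys each peer derived."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    root = dh_shared(a_priv, b_pub)
    assert root == dh_shared(b_priv, a_pub)   # both sides agree on the secret

    transcript, keys_a, keys_b = [], [], []
    for _ in range(n_sas):
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        msg = {"ni": ni, "nr": nr}
        if pfs:
            # PFS: a fresh DH exchange per IPSec SA; only the public values
            # ya and yb ever appear on the wire.
            xa, ya = dh_keypair()
            xb, yb = dh_keypair()
            secret_a, secret_b = dh_shared(xa, yb), dh_shared(xb, ya)
            msg.update(ya=ya, yb=yb)
        else:
            # No PFS: every IPSec SA key descends from the phase-1 secret.
            secret_a = secret_b = root
        transcript.append(msg)
        keys_a.append(derive_key(secret_a, b"ESP", ni, nr))
        keys_b.append(derive_key(secret_b, b"ESP", ni, nr))
    return root, transcript, keys_a, keys_b


def keys_from_leaked_root(root, transcript):
    """What someone who learned the phase-1 secret can reconstruct from the
    recorded transcript: every key without PFS, none of them with PFS."""
    recovered = []
    for msg in transcript:
        if "ya" in msg:
            recovered.append(None)   # needs a private DH exponent nobody sent
        else:
            recovered.append(derive_key(root, b"ESP", msg["ni"], msg["nr"]))
    return recovered
```

The cost of PFS is visible in the code as well: each IPSec SA adds two modular exponentiations per peer, which is why the guide presents it as a trade-off rather than a default.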
The following table describes the labels in this screen. Table 99 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
Table 99 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL DESCRIPTION Starting IP Address When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL.
Table 99 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL DESCRIPTION Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
Figure 185 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy The following table describes the labels in this screen. Table 100 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy LABEL DESCRIPTION Network Policy The following fields display the general network settings of this VPN policy.
18.9.1 IPSec SA Proposal Using Manual Keys In an IPSec SA using manual keys, you can only specify one encryption algorithm and one authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use.
The following table describes the labels in this screen. Table 101 SECURITY > VPN > VPN Rules (Manual) LABEL DESCRIPTION This is the VPN policy index number. Name This field displays the identification name for this VPN policy. Active This field displays whether the VPN policy is active or not.
Figure 187 SECURITY > VPN > VPN Rules (Manual) > Edit The following table describes the labels in this screen. Table 102 SECURITY > VPN > VPN Rules (Manual) > Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy.
Table 102 SECURITY > VPN > VPN Rules (Manual) > Edit (continued) LABEL DESCRIPTION Address Type Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses.
Table 102 SECURITY > VPN > VPN Rules (Manual) > Edit (continued) LABEL DESCRIPTION Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box. Active Protocol: Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH.
Figure 188 SECURITY > VPN > SA Monitor The following table describes the labels in this screen. Table 103 SECURITY > VPN > SA Monitor LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy. Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
The following table describes the labels in this screen. Table 104 SECURITY > VPN > Global Setting LABEL DESCRIPTION Output Idle Timer When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity.
18.14 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. 18.14.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a...
With aggressive negotiation mode (see Section 18.3.1.4 on page 330), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters.
Table 106 Telecommuters Using Unique VPN Rules Example (continued)
Telecommuter B: Local ID Type: DNS; Local ID Content: telecommuterb.com; Local IP Address: 192.168.3.2
Headquarters ZyWALL rule for Telecommuter B: Peer ID Type: DNS; Peer ID Content: telecommuterb.com; Remote Gateway Address: telecommuterb.dydns.org; Remote Address: 192.168.3.2
Telecommuter C (telecommuterc.dydns.org) / Headquarters ZyWALL Rule 3: Local ID Type: E-mail...
Figure 193 on page 357 shows some example network topologies. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A).
Figure 194 Hub-and-spoke VPN Example 18.16.2 Hub-and-spoke Example VPN Rule Addresses The VPN rules for this hub-and-spoke example would use the following address settings. Branch Office A: • Remote Gateway: 10.0.0.1 • Local IP address: 192.168.167.0/255.255.255.0 •...
The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
Chapter 19 Certificates This chapter gives background information about public-key certificates and explains how to use them. 19.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
Figure 196 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address.
Table 107 SECURITY > CERTIFICATES > My Certificates (continued) LABEL DESCRIPTION Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
19.6 My Certificate Details Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 198 on page 364). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
The following table describes the labels in this screen. Table 108 SECURITY > CERTIFICATES > My Certificates > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Table 108 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL DESCRIPTION Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
Figure 200 SECURITY > CERTIFICATES > My Certificates > Export The following table describes the labels in this screen. Table 109 SECURITY > CERTIFICATES > My Certificates > Export LABEL DESCRIPTION Export the certificate in binary X.509 format: X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.
You must remove any spaces from the certificate’s filename before you can import it. 19.8.1 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
Figure 201 SECURITY > CERTIFICATES > My Certificates > Import The following table describes the labels in this screen. Table 110 SECURITY > CERTIFICATES > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
19.9 My Certificate Create Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 203 SECURITY >...
Table 112 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Organizational Unit Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Table 112 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Type the key that the certification authority gave you. Apply Click Apply to begin certificate or certification request generation. Cancel Click Cancel to quit and return to the My Certificates screen. After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request.
The following table describes the labels in this screen. Table 113 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
Figure 205 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 114 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
Table 114 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
Table 114 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
Figure 206 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. Table 115 SECURITY > CERTIFICATES > Trusted CAs > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
Figure 207 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 116 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
19.14 Trusted Remote Hosts Import Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen.
19.15 Trusted Remote Host Certificate Details Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
The following table describes the labels in this screen. Table 118 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
Table 118 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued) LABEL DESCRIPTION MD5 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. The ZyWALL uses one of its own self-signed certificates to sign the imported trusted remote host certificates.
The following table describes the labels in this screen. Table 119 SECURITY > CERTIFICATES > Directory Servers LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
The following table describes the labels in this screen. Table 120 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Chapter 20 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 20.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
The following table describes the labels in this screen. Table 121 SECURITY > AUTH SERVER > Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile.
Table 122 SECURITY > AUTH SERVER > RADIUS LABEL DESCRIPTION Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL.
Chapter 21 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 21.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
NAT never changes the IP address (either local or global) of an outside host. 21.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
Figure 214 How NAT Works 21.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks.
• Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option). • Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead. Port numbers do not change for One-to-One and Many One-to-One NAT mapping types.
Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don’t configure NAT mapping rules to those computers with public IP addresses on the DMZ.
Table 125 ADVANCED > NAT > NAT Overview (continued) LABEL DESCRIPTION Max. Concurrent Sessions Per Host: Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time. WAN Operation...
21.4.1 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature. 3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
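The outbound mapping types listed above, as an added example that is not part of this User's Guide or of the ZyWALL firmware. It models one NAT mapping rule for the One-to-One, Many-to-One (SUA/PAT) and Many-to-Many Overload types and shows the point made earlier in the chapter: One-to-One leaves port numbers untouched, while the PAT-style types rewrite the source port so that several hosts can share a global address. The port pool starting at 1024 and the round-robin choice of global address for Many-to-Many Overload are assumptions made for the model, not documented ZyWALL behaviour.

```python
import itertools


class NatMapping:
    """Simplified model of one outbound NAT mapping rule (added example;
    the ZyWALL's own port and address selection is not documented here)."""

    def __init__(self, kind, local_ips, global_ips):
        self.kind = kind
        self.local_ips = list(local_ips)
        self.global_ips = list(global_ips)
        if kind == "One-to-One" and len(self.local_ips) != len(self.global_ips):
            raise ValueError("One-to-One needs one global IP per local IP")
        if kind == "Many-to-One" and len(self.global_ips) != 1:
            raise ValueError("Many-to-One maps onto exactly one global IP")
        self._pat_ports = itertools.count(1024)   # constructed PAT port pool
        self.table = {}   # (local ip, local port) -> (global ip, global port)

    def translate(self, local_ip, local_port):
        """Return the (global ip, global port) the packet leaves with, or None
        when this rule does not apply to the source host."""
        key = (local_ip, local_port)
        if key in self.table:
            return self.table[key]            # existing session keeps its mapping
        if local_ip not in self.local_ips:
            return None
        idx = self.local_ips.index(local_ip)
        if self.kind == "One-to-One":
            mapped = (self.global_ips[idx], local_port)          # port unchanged
        elif self.kind == "Many-to-One":
            mapped = (self.global_ips[0], next(self._pat_ports))  # PAT: port rewritten
        elif self.kind == "Many-to-Many Overload":
            # assumption: hosts are spread over the global pool round-robin
            mapped = (self.global_ips[idx % len(self.global_ips)],
                      next(self._pat_ports))
        else:
            raise ValueError("unknown mapping type: " + self.kind)
        self.table[key] = mapped
        return mapped

    def untranslate(self, global_ip, global_port):
        """Reverse lookup for the returning packet (the response side of NAT)."""
        for local, mapped in self.table.items():
            if mapped == (global_ip, global_port):
                return local
        return None
```

Because `untranslate` only succeeds for sessions that an inside host opened, unsolicited inbound packets have no entry to match; that is the property the chapter relies on when it says inside servers need an explicit Server mapping (or port forwarding) to be reachable.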
You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21.
21.5.3 Configuring Servers Behind Port Forwarding (Example) Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example).
Figure 221 Port Translation Example 21.6 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
Figure 222 ADVANCED > NAT > Port Forwarding The following table describes the labels in this screen. Table 129 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN interface for which you want to view or configure address mapping rules.
Table 129 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION Server IP Address: Enter the inside IP address of the server here. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol). Click ADVANCED >...
Table 130 ADVANCED > NAT > Port Triggering LABEL DESCRIPTION End Port Type a port number or the ending port number in a range of port numbers. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
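The inbound side of the two features just described, as an added example that is not part of this User's Guide or of the ZyWALL firmware: the port forwarding example of Section 21.5.3 (ports 21-25 to server A, port 80 to server B, a default server for everything else, and discard when no default server is set) together with port triggering (outgoing traffic on a trigger port opens an incoming range for that host only, until the three-minute UDP or two-hour TCP timeout). The server addresses 192.168.1.33 and 192.168.1.34, the host 192.168.1.50 and the trigger/incoming port numbers are constructed for the example; only the default server 192.168.1.35 and the timeouts come from the text.

```python
UDP_TIMEOUT = 3 * 60          # seconds, as stated in the text
TCP_TIMEOUT = 2 * 60 * 60


class InboundNat:
    """Model of inbound dispatch: port triggering first, then port
    forwarding rules, then the default server (added example)."""

    def __init__(self, default_server=None):
        self.default_server = default_server
        self.forward_rules = []   # (start port, end port, server ip)
        self.trigger_rules = []   # (trigger start, trigger end, incoming start, incoming end)
        self.open_triggers = {}   # (incoming start, incoming end) -> (host, expiry time)

    def add_forward(self, start, end, server_ip):
        self.forward_rules.append((start, end, server_ip))

    def add_trigger(self, trigger_start, trigger_end, incoming_start, incoming_end):
        self.trigger_rules.append((trigger_start, trigger_end,
                                   incoming_start, incoming_end))

    def outbound(self, src_ip, dst_port, proto, now):
        """Outgoing traffic on a trigger port opens the incoming range for
        that host only, until the session times out."""
        ttl = UDP_TIMEOUT if proto == "udp" else TCP_TIMEOUT
        for t_start, t_end, i_start, i_end in self.trigger_rules:
            if t_start <= dst_port <= t_end:
                self.open_triggers[(i_start, i_end)] = (src_ip, now + ttl)

    def inbound(self, dst_port, now):
        """Return the inside IP that receives a packet for dst_port, or None
        when the ZyWALL would discard it."""
        for rng, (host, expiry) in list(self.open_triggers.items()):
            if now >= expiry:
                del self.open_triggers[rng]   # session timed out
                continue
            if rng[0] <= dst_port <= rng[1]:
                return host
        for start, end, server_ip in self.forward_rules:
            if start <= dst_port <= end:
                return server_ip
        return self.default_server          # None means discarded
```

The order of the three lookups matters for review: a triggered range is tied to the host that opened it and expires, a forwarding rule is permanent, and a default server turns every otherwise-unhandled inbound port into reachable attack surface on that host, which is why the guide's advice to leave it unset (or point it at a DMZ host) is worth following.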
Chapter 22 Static Route This chapter shows you how to configure static routes for your ZyWALL. 22.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1.
Figure 226 ADVANCED > STATIC ROUTE > IP Static Route The following table describes the labels in this screen. Table 131 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION This is the number of an individual static route. Name This is the name that describes or identifies this route.
Table 131 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION Gateway This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL’s interface. The gateway helps forward packets to their destinations.
Table 132 ADVANCED > STATIC ROUTE > IP Static Route > Edit LABEL DESCRIPTION Private This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
Chapter 23 Policy Route This chapter covers setting and applying policies used for IP routing. 23.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
IPPR follows the existing packet filtering facility of RAS in style and in implementation. 23.4 IP Routing Policy Setup Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown). Figure 228 ADVANCED >...
The following table describes the labels in this screen. Table 133 ADVANCED > POLICY ROUTE > Policy Route Summary LABEL DESCRIPTION This is the number of an individual policy route. Active This field shows whether the policy is active or inactive. Source This is the source IP address range and/or port number range.
Figure 229 Edit IP Policy Route The following table describes the labels in this screen. Table 134 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of the policy route.
Table 134 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Application Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom.
Table 134 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination.
Chapter 24 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 24.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
24.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 24.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).
Table 135 Application and Subnet-based Bandwidth Management Example: E-mail: 64 Kbps from Subnet A, 64 Kbps from Subnet B; Video: 64 Kbps from Subnet A, 64 Kbps from Subnet B. 24.7 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based.
2 Do not enable the interface’s Maximize Bandwidth Usage option. 3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 24.8 on page 425). 24.7.5 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface.
24.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Table 138 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example. Bandwidth classes and allotments: Root Class: 10240 kbps; Administration: 1024 kbps; Sales: 3072 kbps; Marketing: 3072 kbps...
Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL. Table 139 Bandwidth Borrowing Example. Bandwidth classes and bandwidth borrowing settings: Root Class; Administration: Borrowing Enabled; Sales: Borrowing Disabled; Sales USA: Borrowing...; Bill: Borrowing Enabled...
4 If the bandwidth requirements of all of the traffic classes are met and there is still some unbudgeted bandwidth, the ZyWALL assigns it to traffic that does not match any of the classes. 24.10 Over Allotment of Bandwidth It is possible to set the bandwidth management speed for an interface higher than the interface’s actual transmission speed.
Chapter 24 Bandwidth Management Figure 231 ADVANCED > BW MGMT > Summary The following table describes the labels in this screen. Table 141 ADVANCED > BW MGMT > Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface.
Chapter 24 Bandwidth Management Table 141 ADVANCED > BW MGMT > Summary (continued) LABEL DESCRIPTION Maximize Bandwidth Usage: Select this check box to have the ZyWALL divide up all of the interface’s unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class (see...
Chapter 24 Bandwidth Management The following table describes the labels in this screen. Table 142 ADVANCED > BW MGMT > Class Setup LABEL DESCRIPTION Interface Select an interface for which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming. So, in order to limit the download bandwidth of the LAN users, set the bandwidth management class on the LAN.
Chapter 24 Bandwidth Management Figure 233 ADVANCED > BW MGMT > Class Setup > Add Sub-Class The following table describes the labels in this screen. Table 143 ADVANCED > BW MGMT > Class Setup > Add Sub-Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
Chapter 24 Bandwidth Management Table 143 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
Chapter 24 Bandwidth Management Table 143 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Source Address Type Do you want your rule to apply to packets coming from a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50) or a subnet? Select Single Address, Range Address or Subnet Address.
Chapter 24 Bandwidth Management Figure 234 ADVANCED > BW MGMT > Class Setup > Statistics The following table describes the labels in this screen. Table 145 ADVANCED > BW MGMT > Class Setup > Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is showing. Budget (kbps) This field displays the amount of bandwidth allocated to the class.
Chapter 24 Bandwidth Management Figure 235 ADVANCED > BW MGMT > Monitor The following table describes the labels in this screen. Table 146 ADVANCED > BW MGMT > Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Chapter 25 DNS This chapter shows you how to configure the DNS screens. 25.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
Chapter 25 DNS Figure 236 Private DNS Server Example If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 25.6 System Screen Click ADVANCED >...
(FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
This is the index number of the name server record. Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. From This field displays whether the IP address of a DNS server is from a WAN interface (and which it is) or specified by the user.
For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain. IP Address If this entry is for one of the WAN ports on a ZyWALL with multiple WAN ports, select WAN Interface and select WAN 1 or WAN 2 from the drop-down list box.
For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Leave this field blank if all domain zones are served by the specified DNS server(s).
Chapter 25 DNS Figure 240 ADVANCED > DNS > Cache The following table describes the labels in this screen. Table 150 ADVANCED > DNS > Cache LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the...
Chapter 25 DNS Table 150 ADVANCED > DNS > Cache LABEL DESCRIPTION IP Address This is the (resolved) IP address of a host. This field displays 0.0.0.0 for negative DNS resolution entries. Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache.
Chapter 25 DNS Table 151 ADVANCED > DNS > DHCP LABEL DESCRIPTION Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server.
Chapter 25 DNS If you have a private WAN IP address, then you cannot use Dynamic DNS. 25.10.2 High Availability A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.
Chapter 25 DNS Table 152 ADVANCED > DNS > DDNS LABEL DESCRIPTION Username Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. Password Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore).
Chapter 26 Remote Management This chapter provides information on the Remote Management screens. 26.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN.
Chapter 26 Remote Management 3 Telnet 4 HTTPS and HTTP Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. 26.1.1 Remote Management Limitations Remote management does not work when: 1 You have not enabled that service on the interface in the corresponding remote management screen.
Chapter 26 Remote Management 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server).
Chapter 26 Remote Management Figure 245 ADVANCED > REMOTE MGMT > WWW The following table describes the labels in this screen. Table 153 ADVANCED > REMOTE MGMT > WWW LABEL DESCRIPTION HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
Chapter 26 Remote Management Table 153 ADVANCED > REMOTE MGMT > WWW (continued) LABEL DESCRIPTION Server Access Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service.
Chapter 26 Remote Management If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client. Figure 247 Security Certificate 1 (Netscape) Figure 248 Security Certificate 2 (Netscape) 26.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the...
Chapter 26 Remote Management • To have the browser trust the certificates issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certificate. Refer to Appendix K on page 791 for details. • The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received.
Chapter 26 Remote Management The factory default certificate is a common default certificate for all ZyWALL models. Figure 250 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen.
Chapter 26 Remote Management Figure 252 Common ZyWALL Certificate 26.5 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come.
Chapter 26 Remote Management Figure 254 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
Chapter 26 Remote Management 26.8 Configuring SSH Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 255 ADVANCED > REMOTE MGMT > SSH The following table describes the labels in this screen.
Chapter 26 Remote Management 26.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide. 26.9.1 Example 1: Microsoft Windows This section describes how to access the ZyWALL using the Secure Shell Client program.
Chapter 26 Remote Management 2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
Chapter 26 Remote Management Figure 259 Secure FTP: Firmware Upload Example $ sftp -1 192.168.1.1 Connecting to 192.168.1.1... The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Chapter 26 Remote Management The following table describes the labels in this screen. Table 155 ADVANCED > REMOTE MGMT > Telnet LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Chapter 26 Remote Management The following table describes the labels in this screen. Table 156 ADVANCED > REMOTE MGMT > FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Chapter 26 Remote Management Figure 262 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
(defined in RFC-1215) A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). whyReboot (defined in ZYXEL-MIB) A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
Chapter 26 Remote Management The following table describes the labels in this screen. Table 158 ADVANCED > REMOTE MGMT > SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
Chapter 26 Remote Management Figure 265 ADVANCED > REMOTE MGMT > CNM The following table describes the labels in this screen. Table 160 ADVANCED > REMOTE MGMT > CNM LABEL DESCRIPTION Registration Information Registration Status This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server.
LABEL DESCRIPTION Vantage CNM Server Address: If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP address of the Vantage server.
Chapter 27 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 27.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 27.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).
Chapter 27 UPnP Table 161 ADVANCED > UPnP LABEL DESCRIPTION Allow UPnP to pass through Firewall: Select this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
Chapter 27 UPnP Table 162 ADVANCED > UPnP > Ports (continued) LABEL DESCRIPTION Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
Chapter 27 UPnP 27.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
Chapter 27 UPnP 27.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
27.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
Chapter 27 UPnP 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
Chapter 28 ALG Screen This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 28.1 ALG Introduction An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer.
Chapter 28 ALG Screen 28.1.3 ALG and Multiple WAN When the ZyWALL has two WAN interfaces and uses the second highest priority WAN interfaces as a back up, traffic cannot pass through when the primary WAN connection fails. The ZyWALL does not automatically change the connection to the secondary WAN interfaces.
Chapter 28 ALG Screen • You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and Figure 268 H.323 ALG Example •...
Chapter 28 ALG Screen Figure 270 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
Chapter 28 ALG Screen Figure 271 SIP ALG Example 28.5.3 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
Chapter 28 ALG Screen Figure 272 ADVANCED > ALG The following table describes the labels in this screen. Table 163 ADVANCED > ALG LABEL DESCRIPTION Enable FTP Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
Chapter 29 Reports This chapter contains information about the ZyWALL’s system and threat reports. 29.1 Configuring Reports The System Reports screens display statistics about the network usage of the LAN, DMZ or WLAN computers. The Threat Reports screens display IDP, anti-virus and anti-spam statistics.
Chapter 29 Reports Figure 273 REPORTS > SYSTEM REPORTS Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 164 REPORTS > SYSTEM REPORTS LABEL DESCRIPTION Collect Select the check box and click Apply to have the ZyWALL record report data.
Chapter 29 Reports All of the recorded reports data is erased when you turn off the ZyWALL. 29.2.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
Chapter 29 Reports 29.2.2 Viewing Host IP Address In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
Chapter 29 Reports 29.2.3 Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports. Figure 276 REPORTS >...
Chapter 29 Reports 29.2.4 System Reports Specifications The following table lists detailed specifications on the reports feature. Table 168 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: Hit count limit: Up to 2 hits can be counted per web site. The count starts over at 0 if it passes four billion.
Chapter 29 Reports The following table describes the labels in this screen. Table 169 REPORTS > THREAT REPORTS > IDP LABEL DESCRIPTION Collect Statistics: Select this check box to have the ZyWALL collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
Chapter 29 Reports The following table describes the labels in this screen. Table 170 REPORTS > THREAT REPORTS > Anti-Virus LABEL DESCRIPTION Collect Statistics: Select this check box to have the ZyWALL collect anti-virus statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here.
Chapter 29 Reports Figure 282 REPORTS > THREAT REPORTS > Anti-Virus > Destination 29.5 Anti-Spam Threat Reports Screen Click REPORTS > THREAT REPORTS > Anti-Spam to display the Threat Reports Anti-Spam screen. This screen displays anti-spam statistics. Figure 283 REPORTS > THREAT REPORTS > Anti-Spam The following table describes the labels in this screen.
Chapter 29 Reports Table 171 REPORTS > THREAT REPORTS > Anti-Spam (continued) LABEL DESCRIPTION Phishing Mail Detected: This field displays the number of e-mails that the ZyWALL has classified as phishing. No Score Mail Detected: This field displays the number of e-mails for which the ZyWALL did not receive a spam score.
Chapter 30 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Section 30.3.1 on page 507 for example log message explanations. 30.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen.
Chapter 30 Logs Screens The following table describes the labels in this screen. Table 172 LOGS > View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see Section 30.3 on page 504) display in the drop-down list box. Select a category of logs to view;...
Chapter 30 Logs Screens Table 173 Log Description Example LABEL DESCRIPTION notes The ZyWALL blocked the packet. message The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet.
Chapter 30 Logs Screens Figure 288 myZyXEL.com: Certificate Download 30.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule for when the ZyWALL is to send the logs and which logs and/or immediate alerts the ZyWALL is to send.
Chapter 30 Logs Screens The following table describes the labels in this screen. Table 174 LOGS > Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
Chapter 30 Logs Screens Table 174 LOGS > Log Settings (continued) LABEL DESCRIPTION Send Immediate Alert Select the categories of alerts for which you want the ZyWALL to instantly e- mail alerts to the e-mail address specified in the Send Alerts To field. Log Consolidation Active Some logs (such as the Attacks logs) may be so numerous that it becomes...
Chapter 30 Logs Screens Table 175 System Maintenance Logs (continued) LOG MESSAGE DESCRIPTION Time initialized by NTP server: The router got the time and date from the NTP server. Connect to Daytime server fail: The router was not able to connect to the Daytime server. The router was not able to connect to the Time server.
Chapter 30 Logs Screens Table 176 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max. number of session per host: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
Chapter 30 Logs Screens Table 178 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host). Exceed TCP MAX...: The router sent a TCP reset packet when the number of TCP...
Chapter 30 Logs Screens Table 180 ICMP Logs (continued) LOG MESSAGE DESCRIPTION Packet without a NAT table entry blocked: ICMP: The router blocked a packet that didn’t have a corresponding NAT table entry. Unsupported/out-of-order ICMP: The firewall does not support this kind of ICMP packet or the ICMP packets are out of order.
Chapter 30 Logs Screens Table 184 Content Filtering Logs LOG MESSAGE DESCRIPTION %s: Keyword blocking: The content of a requested web page matched a user defined keyword. %s: Not in trusted web: The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
Chapter 30 Logs Screens Table 185 Attack Logs (continued) LOG MESSAGE DESCRIPTION ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall detected an IP spoofing attack on the WAN port. ip spoofing - WAN ICMP: The firewall detected an ICMP IP spoofing attack on the WAN port.
Chapter 30 Logs Screens Table 186 Remote Management Logs LOG MESSAGE DESCRIPTION Remote Management: FTP denied: Attempted use of FTP service was blocked according to remote management settings. Remote Management: TELNET denied: Attempted use of TELNET service was blocked according to remote management settings. Remote Management: HTTP or UPnP: Attempted use of HTTP or UPnP service was blocked according to remote management settings.
Chapter 30 Logs Screens Table 188 IPSec Logs (continued) LOG MESSAGE DESCRIPTION Rule <%d> idle time out, disconnect: The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec chk_conn"...
Chapter 30 Logs Screens Table 189 IKE Logs (continued) LOG MESSAGE DESCRIPTION vs. My Remote <My remote> - <My remote>: The displayed ID information did not match between the two ends of the connection. vs. ...: The displayed ID information did not match between the two
Chapter 30 Logs Screens Table 189 IKE Logs (continued) LOG MESSAGE DESCRIPTION Rule [%d] Phase 1 encryption algorithm mismatch: The listed rule’s IKE phase 1 encryption algorithm did not match between the router and the peer. Rule [%d] Phase 1 ...: The listed rule’s IKE phase 1 authentication algorithm did not match between the router and the peer.
Chapter 30 Logs Screens Table 189 IKE Logs (continued) LOG MESSAGE DESCRIPTION Rule [%d] Phase 2 key length mismatch: The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer. Remote Gateway Addr in rule ...: The IP address for the domain name of the peer gateway in the listed rule changed to the listed IP address.
Chapter 30 Logs Screens Table 190 PKI Logs (continued) LOG MESSAGE DESCRIPTION Failed to decode the received ARL: The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Chapter 30 Logs Screens Table 191 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION Database method failed. Path was not verified. Maximum path length reached. Table 192 802.1X Logs LOG MESSAGE DESCRIPTION Local User Database accepts user.: A user was authenticated by the local user database.
Chapter 30 Logs Screens Table 193 ACL Setting Notes PACKET DIRECTION DIRECTION DESCRIPTION (L to W) LAN to WAN ACL set for packets traveling from the LAN to the WAN. (W to L) WAN to LAN ACL set for packets traveling from the WAN to the LAN. (D to L) DMZ to LAN ACL set for packets traveling from the DMZ to the LAN.
Chapter 30 Logs Screens Table 194 ICMP Notes (continued) TYPE CODE DESCRIPTION Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host Echo Echo message Time Exceeded...
Chapter 30 Logs Screens Table 195 IDP Logs (continued) LOG MESSAGE DESCRIPTION Check signature version - %s.: The device attempted to check for the latest available signature version. %s gives details. Either the check was unsuccessful due to the server being busy or the device is already using the latest available firmware.
Chapter 30 Logs Screens Table 196 AV Logs (continued) LOG MESSAGE DESCRIPTION The turbo card is not ready , please insert the card and reboot!: The turbo card is not installed. The system is doing signature update now , please wait!: The device is updating the signature file. Table 197 AS Logs...
Chapter 30 Logs Screens Table 197 AS Logs (continued) LOG MESSAGE DESCRIPTION "This is a phishing mail - Spam Score:%d Mail ...: The spam score (listed) for the e-mail with the listed source and subject was higher than the spam score threshold. The anti-spam external database identified the e-mail as a phishing mail.
Chapter 30 Logs Screens 30.4 Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session"...
Chapter 30 Logs Screens Table 198 Syslog Logs (continued) LOG MESSAGE DESCRIPTION Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss ...: This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
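Because the syslog lines above pack facility and severity into one PRI number, a collector has to decode them before it can route alerts; the following is an added Python example (not code from the ZyXEL guide) that decodes the PRI, pulls the timestamp and system name, and flags the remote-management, IP-spoofing and SYN-flood messages listed in the log tables of this chapter. The sample lines are constructed, and the facility value 16 (local0) in them is an assumption, not a documented ZyWALL value.

```python
"""Decode and triage syslog event lines in the format described above:
"<Facility*8 + Severity>Mon dd hh:mm:ss <system name> <log message>".
Added example, not code from the ZyXEL guide."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 3164 severity names, indexed by the low three bits of PRI.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Message prefixes taken from the log tables in this chapter, paired with the
# triage category a log collector should raise them under.
TRIAGE_RULES = (
    ("Remote Management:", "remote-mgmt-denied"),   # Table 186
    ("ip spoofing -", "ip-spoofing"),               # Table 185
    ("Under SYN flood attack", "syn-flood"),        # Table 178
)

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Split one syslog line into its fields; None if it is not well formed."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        return None
    # PRI packs both numbers: facility in the high bits, severity in the low 3.
    return SyslogEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"), m.group("msg"))


def classify(event: SyslogEvent) -> str:
    """Map a log message to a triage category using the prefixes above."""
    for prefix, category in TRIAGE_RULES:
        if event.message.startswith(prefix):
            return category
    return "other"


def triage(lines: List[str]) -> Dict[str, object]:
    """Count events per category and collect the ones worth alerting on."""
    counts: Counter = Counter()
    alerts = []
    unparsed = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1  # keep a tally so a parser gap is visible, not silent
            continue
        category = classify(event)
        counts[category] += 1
        if category != "other":
            alerts.append((event.timestamp, event.host, event.severity_name,
                           category, event.message))
    return {"counts": dict(counts), "alerts": alerts, "unparsed": unparsed}


# Constructed sample lines; "RAS" is the default system name from the guide.
# Facility 16 (local0) is assumed here, not a documented ZyWALL value.
SAMPLE_LINES = [
    "<132>Mar 10 14:22:05 RAS Remote Management: TELNET denied",
    "<134>Mar 10 14:22:07 RAS Time initialized by NTP server",
    "<129>Mar 10 14:23:11 RAS ip spoofing - WAN TCP",
    "<132>Mar 10 14:25:40 RAS Under SYN flood attack, sent TCP RST",
    "this line has no PRI header and must be counted, not silently dropped",
]

if __name__ == "__main__":
    for ts, host, sev, cat, msg in triage(SAMPLE_LINES)["alerts"]:
        print(f"{ts} {host} [{sev}] {cat}: {msg}")
```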
Chapter 31 Maintenance This chapter displays information on the maintenance screens. 31.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 31.2 General Setup and System Name General Setup contains administrative and system-related information.
Chapter 31 Maintenance Figure 290 MAINTENANCE > General Setup The following table describes the labels in this screen. Table 200 MAINTENANCE > General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
Chapter 31 Maintenance Figure 291 MAINTENANCE > Password The following table describes the labels in this screen. Table 201 MAINTENANCE > Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field.
Chapter 31 Maintenance Figure 292 MAINTENANCE > Time and Date The following table describes the labels in this screen. Table 202 MAINTENANCE > Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the ZyWALL’s present time. Current Date This field displays the ZyWALL’s present date.
Chapter 31 Maintenance Table 202 MAINTENANCE > Time and Date (continued) LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Chapter 31 Maintenance 31.5 Pre-defined NTP Time Server Pools When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools. The ZyWALL's clock is what it uses to timestamp its logs and to check certificate validity periods, so confirm after the first boot that the synchronization actually succeeded rather than assuming it did.
Chapter 31 Maintenance Figure 294 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen. Figure 295 Synchronization Fail 31.6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards.
Chapter 31 Maintenance For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.
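The learning behaviour described above (associate the source MAC with the arrival port, forward known destinations out of one port, flood everything else) is small enough to write down in full. The following is an added illustration, not ZyXEL code: the port numbers, the frames and all MAC addresses other than 00a0c5123478 (host A from the text) are constructed for the example.

```python
"""Transparent (learning) bridge forwarding, as described in Section 31.6.
Added example, not ZyXEL code. Port numbers and frames are constructed;
00a0c5123478 is the host-A address used in the text."""
from dataclasses import dataclass, field

BROADCAST = "ffffffffffff"


@dataclass
class Frame:
    src: str   # source MAC, 12 lower-case hex digits
    dst: str   # destination MAC


@dataclass
class LearningBridge:
    ports: list                                  # e.g. [1, 2, 3]
    table: dict = field(default_factory=dict)    # learned MAC -> port

    def receive(self, in_port, frame):
        """Learn the source, then return the list of ports the frame leaves on.
        The frame itself is never modified, which is what makes the bridge
        transparent to the hosts on either side."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learning: the sender is reachable through the port the frame came in on.
        # A station that moves is simply re-learned on its new port.
        self.table[frame.src] = in_port
        # Group bit (lowest bit of the first octet) set: broadcast or multicast,
        # flooded to every port except the one it arrived on.
        if int(frame.dst[:2], 16) & 0x01:
            return [p for p in self.ports if p != in_port]
        out_port = self.table.get(frame.dst)
        if out_port is None:
            # Unknown unicast destination: flood, same as broadcast.
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination sits on the same segment as the sender: filter (drop),
            # the destination has already seen the frame.
            return []
        return [out_port]
```

Note that the table is populated purely from what is observed on the wire; a host that sends frames with a forged source address can pull another station's traffic to its own segment, which is why a bridge firewall still applies its rules to every forwarded frame rather than trusting the learned table.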
Chapter 31 Maintenance You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode. The following applies when the ZyWALL is in router mode. Figure 296 MAINTENANCE > Device Mode (Router Mode) The following table describes the labels in this screen.
Chapter 31 Maintenance 31.9 Configuring Device Mode (Bridge) Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall).
Click Reset to begin configuring this screen afresh. 31.10 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. The firmware image travels inside the upload request, so perform the upload from the LAN side or over an HTTPS management session rather than across a network you do not control, and only upload images obtained from www.zyxel.com.
Chapter 31 Maintenance Figure 298 MAINTENANCE > Firmware Upload The following table describes the labels in this screen. Table 206 MAINTENANCE > Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
Chapter 31 Maintenance Figure 300 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
Chapter 31 Maintenance Figure 302 MAINTENANCE > Backup and Restore 31.11.1 Backup Configuration Backup configuration allows you to back up (save) the ZyWALL's current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup file holds the complete configuration, including the system password, VPN keys and other credentials, so store it where only administrators can read it.
Chapter 31 Maintenance After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 303 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Chapter 31 Maintenance Figure 306 Reset Warning Message You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 63 for more information on the RESET button. 31.12 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off.
Chapter 32 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 32.1 Introduction to the SMT The ZyWALL's SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. A telnet session carries the system password and everything you type in the clear, so use the console port or an encrypted management connection rather than telnet across any network you do not control.
This guide uses the ZyWALL 70 menus as an example. The menus may vary slightly for different ZyWALL models. Not all fields or menus are available on all models.
Figure 310 Main Menu (Router Mode)
Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
ZyWALL 70 Main Menu
Getting Started                    Advanced Management
1.
Chapter 32 Introducing the SMT Figure 311 Main Menu (Bridge Mode)
Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
ZyWALL 70 Main Menu
Getting Started                    Advanced Management
1. General Setup                   21. Filter and Firewall Setup
                                   22. SNMP Configuration
                                   23. System Password
                                   24.
Chapter 32 Introducing the SMT Table 209 Main Menu Summary MENU TITLE FUNCTION IP Routing Policy Setup Configure and display policies for use in IP policy routing. Schedule Setup Use this menu to schedule outgoing calls. Exit Use this menu to exit (necessary for remote configuration). 32.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus.
Chapter 32 Introducing the SMT Figure 312 Menu 23: System Password
Menu 23 - System Password
  Old Password= ?
  New Password= ?
  Retype to confirm= ?
Enter here to CONFIRM or ESC to CANCEL:
2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER].
Chapter 32 Introducing the SMT ZyWALL 5/35/70 Series User’s Guide...
Chapter 33 SMT Menu 1 - General Setup 33.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 33.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 - General Setup.
Chapter 33 SMT Menu 1 - General Setup Table 211 Menu 1: General Setup (Router Mode) (continued) FIELD DESCRIPTION Device Mode Press [SPACE BAR] and then [ENTER] to select Router Mode. Edit Dynamic DNS Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
Chapter 33 SMT Menu 1 - General Setup 33.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field.
Chapter 33 SMT Menu 1 - General Setup Figure 316 Menu 1.1.1: DDNS Host Summary
Menu 1.1.1 DDNS Host Summary
Summary
--- -------------------------------------------------------
Hostname=ZyWALL, Type=Dynamic,WC=Yes,Offline=No,Policy=DDNS Server Detect, WAN1, HA=Yes
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Chapter 33 SMT Menu 1 - General Setup Figure 317 Menu 1.1.1: DDNS Edit Host
Menu 1.1.1 - DDNS Edit Host
  Hostname= ZyWALL
  DDNS Type= DynamicDNS
  Enable Wildcard Option= Yes
  Enable Off Line Option= N/A
  Bind WAN= 1
  HA= Yes
  IP Address Update Policy:
    Let DDNS Server Auto Detect= Yes
    Use User-Defined= N/A...
Chapter 33 SMT Menu 1 - General Setup Table 215 Menu 1.1.1: DDNS Edit Host (continued) FIELD DESCRIPTION IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL's WAN IP address.
Chapter 34 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 34.1 Introduction to WAN, 3G WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN interface(s), a 3G WAN connection and a dial backup connection using the SMT menus.
Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this screen. Table 216 MAC Address Cloning in WAN Setup FIELD DESCRIPTION (WAN 1/2) MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
Chapter 34 WAN and Dial Backup Setup Figure 319 Menu 2: Dial Backup Setup
Menu 2 - WAN Setup
  WAN 1 MAC Address:
    Assigned By= Factory default
    IP Address= N/A
  WAN 2 MAC Address:
    Assigned By= Factory default
    IP Address= N/A
  Dial-Backup:
    Active= No
    Port Speed= 115200...
Chapter 34 WAN and Dial Backup Setup To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
Chapter 34 WAN and Dial Backup Setup Table 219 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this menu. Table 220 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Enter a descriptive name for the remote node. This field can be up to eight Name characters.
Chapter 34 WAN and Dial Backup Setup 34.3.4 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Not all fields are available on all models.
Chapter 34 WAN and Dial Backup Setup Table 221 Menu 11.3.2: Remote Node Network Layer Options FIELD DESCRIPTION Network Network Address Translation (NAT) allows the translation of an Internet protocol Address address used within one network (for example a private IP address used in a local Translation network) to a different IP address known within another network (for example a public IP address used on the Internet).
Chapter 34 WAN and Dial Backup Setup To handle the first prompt, you specify “ogin: ” as the ‘Expect’ string and “myLogin” as the ‘Send’ string in set 1. The reason for leaving out the leading “L” is to avoid having to know exactly whether it is upper or lower case.
Chapter 34 WAN and Dial Backup Setup The following table describes the fields in this menu. Table 222 Menu 11.3.3: Remote Node Script FIELD DESCRIPTION Active Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
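The expect/send sets of menu 11.3.3 are a small state machine: wait until the expected text shows up in what the far end has sent, transmit the reply, move to the next set. The runner below, an added illustration and not ZyNOS code, shows why the text recommends "ogin: " rather than "Login: " (the match is a plain substring search, so the case of the first letter does not matter). SimulatedLink is a constructed stand-in for the dial-backup port and the remote terminal server; the prompts, the account myLogin from the text and the password s3cret are constructed values.

```python
"""Expect/send login script of the kind configured in menu 11.3.3 (added
illustration, not ZyNOS code). SimulatedLink stands in for the dial-backup
port and the far-end terminal server; prompts and credentials are constructed."""


class SimulatedLink:
    """Behaves like the far end of a dial-up login: banner, then password prompt."""

    def __init__(self):
        self._rx = "\r\nLogin: "   # text waiting to be read by the ZyWALL side
        self._stage = 0
        self.sent = []

    def read(self):
        data, self._rx = self._rx, ""
        return data

    def write(self, text):
        self.sent.append(text)
        if self._stage == 0 and text == "myLogin\r":
            self._stage, self._rx = 1, "Password: "
        elif self._stage == 1 and text == "s3cret\r":
            self._stage, self._rx = 2, "Welcome. Starting PPP\r\n"
        else:
            self._rx = "Login incorrect\r\nLogin: "


def run_script(link, script, max_reads=20):
    """script: ordered (expect, send) sets. Each expect is a substring match on
    the text received so far, so "ogin: " matches "Login: " and "login: " alike.
    send=None waits for the prompt without transmitting anything. Returns True
    when every set completed, False when max_reads passes without a match."""
    buf = ""
    for expect, send in script:
        reads = 0
        while expect and expect not in buf:
            if reads >= max_reads:
                return False            # the dial timeout in Table 219 plays this role
            buf += link.read()
            reads += 1
        if expect:
            buf = buf[buf.index(expect) + len(expect):]   # consume the matched prompt
        if send is not None:
            link.write(send + "\r")
    return True


LOGIN_SCRIPT = [("ogin: ", "myLogin"), ("assword: ", "s3cret"), ("PPP", None)]
```

The third set waits for the far end to confirm the login before declaring success; without it a rejected password would still count as a completed script, because the runner only checks that each expected string eventually arrived.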
Chapter 34 WAN and Dial Backup Setup 34.4.1 3G Modem Setup From the main menu, enter 2 to open menu 2 on the ZyWALL that supports a 3G card. Figure 325 3G Modem Setup in WAN Setup (ZyWALL 5)
Menu 2 - WAN Setup
  WAN 1 MAC Address:
    Assigned By= Factory default
    IP Address= N/A...
Chapter 34 WAN and Dial Backup Setup Figure 326 Menu 11.2: Remote Node Profile (3G WAN)
Menu 11.2 - Remote Node Profile (3G WAN)
  Rem Node Name= WAN 2
  Active= Yes
  Edit IP= No
  Edit Script Options= No
  Outgoing:
    My Login= test
    My Password= ********
    Retype to Confirm= ********
    Authen= CHAP/PAP...
Chapter 34 WAN and Dial Backup Setup Table 224 Menu 11.2: Remote Node Profile (3G WAN) (continued) FIELD DESCRIPTION Always On Press [SPACE BAR] to select Yes to set this connection to be on all the time, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection.
Chapter 35 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 35.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
Chapter 35 LAN Setup Figure 328 Menu 3.1: LAN Port Filter Setup
Menu 3.1 - LAN Port Filter Setup
  Input Filter Sets:
    protocol filters=
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=
Press ENTER to Confirm or ESC to Cancel:
35.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP and DHCP Ethernet setup.
Chapter 35 LAN Setup Figure 330 Menu 3.2: TCP/IP and DHCP Ethernet Setup
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
  DHCP= Server
  Client IP Pool:
    Starting Address= 192.168.1.33
    Size of Client IP Pool= 128
  TCP/IP Setup:
    IP Address= 192.168.1.1
    IP Subnet Mask= 255.255.255.0
    RIP Direction= Both
    Version= RIP-1...
Chapter 35 LAN Setup Table 225 Menu 3.2: DHCP Ethernet Setup Fields FIELD DESCRIPTION First DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Second DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
Chapter 35 LAN Setup 35.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Use menu 3.2 to configure the first network.
Chapter 36 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 36.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
Chapter 36 Internet Access Figure 332 Menu 4: Internet Access Setup (Ethernet)
Menu 4 - Internet Access Setup
  ISP's Name= WAN_1
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Retype to Confirm= N/A
  Login Server= N/A
  Relogin Every (min)=
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A...
Chapter 36 Internet Access Table 228 Menu 4: Internet Access Setup (Ethernet) (continued) FIELD DESCRIPTION Gateway IP Enter the gateway IP address associated with your static IP. Address Network Network Address Translation (NAT) allows the translation of an Internet protocol Address address used within one network (for example a private IP address used in a local Translation...
Chapter 36 Internet Access Figure 333 Internet Access Setup (PPTP)
Menu 4 - Internet Access Setup
  ISP's Name= WAN_1
  Encapsulation= PPTP
  Service Type= N/A
  My Login=
  My Password= ********
  Retype to Confirm= ********
  Idle Timeout= 100
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A
  Gateway IP Address= N/A...
Chapter 36 Internet Access Figure 334 Internet Access Setup (PPPoE)
Menu 4 - Internet Access Setup
  ISP's Name= WAN_1
  Encapsulation= PPPoE
  Service Type= N/A
  My Login=
  My Password= ********
  Retype to Confirm= ********
  Idle Timeout= 100
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A
  Gateway IP Address= N/A...
Chapter 37 DMZ Setup This chapter describes how to configure the ZyWALL's DMZ using Menu 5 - DMZ Setup. 37.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 - DMZ Setup. Figure 335 Menu 5: DMZ Setup Menu 5 - DMZ Setup...
Chapter 37 DMZ Setup 37.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 127. 37.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP. Figure 337 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1.
Chapter 37 DMZ Setup DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 42 on page 615) in menus 15.1 and 15.2. 37.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next.
Chapter 38 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 38.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 340 Menu 6: Route Setup Menu 6 - Route Setup 1.
Chapter 38 Route Setup The following table describes the fields in this menu. Table 231 Menu 6.1: Route Assessment FIELD DESCRIPTION Probing WAN 1/2 Check Point Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility. If you select No in the Use Default Gateway as Check Point field and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) in the Check Point field, the ZyWALL will use...
Chapter 38 Route Setup 38.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 343 Menu 6.3: Route Failover
Menu 6.3 - Route Failover
  Period= 5
  Timeout= 3
  Fail Tolerance= 3
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
To edit the wireless LAN configuration, enter 1 to open Menu 7.1 - Wireless Setup as shown next. Figure 344 Menu 7.1: Wireless Setup
Menu 7.1 - Wireless Setup
  Enable Wireless LAN= No
  Bridge Channel= WLAN
  ESSID= ZyXEL
  Hide ESSID= No
  Channel ID= CH06 2437MHz
  RTS Threshold= 2432
  Frag. Threshold= 2432
  WEP= Disable...
Chapter 39 Wireless Setup The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 234 Menu 7.1: Wireless Setup FIELD DESCRIPTION Enable...
Chapter 39 Wireless Setup Table 234 Menu 7.1: Wireless Setup FIELD DESCRIPTION Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyWALL and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). WEP offers little real protection: its keys can be recovered from captured wireless traffic, so use a stronger mode where the ZyWALL and your stations support one, and otherwise treat the WLAN as an untrusted network that sits behind the firewall rules.
Chapter 39 Wireless Setup The following table describes the fields in this menu. Table 235 Menu 7.1.1: WLAN MAC Address Filter FIELD DESCRIPTION Active To enable MAC address filtering, press [SPACE BAR] to select Yes and press [ENTER]. Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table. A MAC address is visible in every frame a station transmits and can be set freely on most wireless cards, so treat the MAC filter as a way to keep out accidental associations, not as access control.
Chapter 39 Wireless Setup Figure 348 Menu 7.2.1: IP Alias Setup
Menu 7.2.1 - IP Alias Setup
  IP Alias 1= No
    IP Address= N/A
    IP Subnet Mask= N/A
    RIP Direction= N/A
    Version= N/A
  IP Alias 2= No
    IP Address= N/A
    IP Subnet Mask= N/A
    RIP Direction= N/A
    Version= N/A...
Chapter 40 Remote Node Setup This chapter shows you how to configure a remote node. 40.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
Chapter 40 Remote Node Setup 40.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. Not all fields are available on all models. 40.3.1 Ethernet Encapsulation There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation.
Chapter 40 Remote Node Setup Table 236 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued) FIELD DESCRIPTION My Password Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Retype to Type your password again to make sure that you have entered it correctly.
Chapter 40 Remote Node Setup 40.3.2.3 Metric See Section 8.5 on page 149 for details on the Metric field. Table 237 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
Chapter 40 Remote Node Setup Figure 353 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation
Menu 11.1.2 - Remote Node Network Layer Options
  IP Address Assignment= Dynamic
  Rem IP Addr= N/A
  Rem Subnet Mask= N/A
  My WAN Addr= N/A
  Network Address Translation= SUA Only
  NAT Lookup Set= 255
  Metric= 1...
Chapter 40 Remote Node Setup Table 239 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for...
Chapter 41 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 41.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
Chapter 41 IP Static Route Setup Figure 356 Menu 12: IP Static Route Setup
Menu 12 - IP Static Route Setup
  1. Reserved    16. ________    31. ________    46. ________
  2. Reserved    17. ________    32. ________    47. ________
  3. ________    18. ________    33.
Chapter 41 IP Static Route Setup Table 240 Menu 12. 1: Edit IP Static Route FIELD DESCRIPTION Destination IP This parameter specifies the IP network address of the final destination. Routing is Address always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
Chapter 42 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 42.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 42.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Chapter 42 Network Address Translation (NAT) Figure 358 Menu 4: Applying NAT for Internet Access
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Retype to Confirm= N/A
  Login Server= N/A
  Relogin Every (min)=
  IP Address Assignment= Dynamic
  IP Address= N/A...
Chapter 42 Network Address Translation (NAT) The following table describes the fields in this menu. Table 241 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION OPTIONS Network When you select this option the SMT will use Address Mapping Set 1 Full Address (menu 15.1 - see...
Chapter 42 Network Address Translation (NAT) Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 42.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 361 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1.
Chapter 42 Network Address Translation (NAT) Menu 15.1.255 is read-only. Table 242 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
Chapter 42 Network Address Translation (NAT) Figure 363 Menu 15.1.1: First Set
Menu 15.1.1 - Address Mapping Rules
  Set Name= NAT_SET
  Local Start IP    Local End IP       Global Start IP   Global End IP   Type
  ---------------   ---------------    ---------------   -------------   ------
  0.0.0.0           255.255.255.255    0.0.0.0           0.0.0.0         Server...
Chapter 42 Network Address Translation (NAT) Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Table 243 Fields in Menu 15.1.1 FIELD DESCRIPTION...
Chapter 42 Network Address Translation (NAT) Figure 364 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Menu 15.1.1.1 Address Mapping Rule
  Type= One-to-One
  Local IP:
    Start=
    End= N/A
  Global IP:
    Start=
    End= N/A
  Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Chapter 42 Network Address Translation (NAT) 42.3 Configuring a Server behind NAT If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind NAT: 1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.
Chapter 42 Network Address Translation (NAT) 4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x.x - NAT Server Configuration (see the next figure). Figure 367 15.2.x.x: NAT Server Configuration 15.2.1.2 - NAT Server Configuration Wan= 1...
Chapter 42 Network Address Translation (NAT) Figure 370 NAT Example 1 Figure 371 Menu 4: Internet Access & NAT Example
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Retype to Confirm= N/A
  Login Server= N/A
  Relogin Every (min)=...
Chapter 42 Network Address Translation (NAT) 42.4.2 Example 2: Internet Access with a Default Server Figure 372 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.
Chapter 42 Network Address Translation (NAT) 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). 4 You also map your third IGA to the web server and mail server on the LAN.
Chapter 42 Network Address Translation (NAT) Figure 377 Example 3: Final Menu 15.1.1
Menu 15.1.1 - Address Mapping Rules
  Set Name= Example3
  Local Start IP    Local End IP    Global Start IP   Global End IP   Type
  ---------------   -------------   ---------------   -------------   ----
  1. 192.168.1.10                   10.132.50.1
  2. 192.168.1.11                   10.132.50.2...
Chapter 42 Network Address Translation (NAT) 42.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
Chapter 42 Network Address Translation (NAT) Figure 381 Example 4: Menu 15.1.1: Address Mapping Rules
Menu 15.1.1 - Address Mapping Rules
  Set Name= Example4
  Local Start IP    Local End IP    Global Start IP   Global End IP   Type
  ---------------   -------------   ---------------   -------------   ----
  192.168.1.10      192.168.1.12...
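Examples 3 and 4 above differ only in which mapping types the rules use, and the practical difference (whether source ports are rewritten, and which inbound packets reach a LAN host) is easiest to see by running both rule sets through the same evaluator. The code below is an added illustration, not ZyNOS code: rule order follows the menu (first match wins), 192.168.1.10/.11 and 10.132.50.1/2/3 are the addresses from Example 3, and the port allocator, the inbound server-set entries (standing in for menu 15.2) and the default-server behaviour of Section 42.3 are constructed for the example.

```python
"""Evaluation of NAT address-mapping rules in the style of menu 15.1.1
(added illustration, not ZyNOS code). Port choices and the server-set
entries are constructed; 192.168.1.10/.11 and 10.132.50.1/2/3 come from
Example 3 above."""
from ipaddress import IPv4Address
from itertools import count

ONE_TO_ONE, MANY_TO_ONE, MANY_ONE_TO_ONE, SERVER = "1-1", "M-1", "M-1-1", "Server"


def _in_range(ip, start, end):
    return IPv4Address(start) <= IPv4Address(ip) <= IPv4Address(end)


def _offset(ip, base_start, target_start):
    """Pairwise mapping used by Many-One-to-One: the n-th local address
    becomes the n-th global address and ports are left alone."""
    n = int(IPv4Address(ip)) - int(IPv4Address(base_start))
    return str(IPv4Address(target_start) + n)


class AddressMappingSet:
    def __init__(self, rules, server_set=None, default_server=None):
        # rules: (type, local_start, local_end, global_start, global_end), checked in order
        for kind, ls, le, gs, ge in rules:
            if kind == MANY_ONE_TO_ONE and (int(IPv4Address(le)) - int(IPv4Address(ls))
                                           != int(IPv4Address(ge)) - int(IPv4Address(gs))):
                raise ValueError("Many-One-to-One needs equal-sized local and global ranges")
        self.rules = rules
        self.server_set = server_set or {}     # (global_ip, port) -> local server (menu 15.2)
        self.default_server = default_server   # catch-all for ports not in server_set
        self._next_port = count(1024)          # constructed port allocator for Many-to-One
        self._sessions = {}                    # (global_ip, global_port) -> (local_ip, local_port)

    def outbound(self, src_ip, src_port):
        """Translate a LAN-originated packet. Returns (global_ip, global_port) or None."""
        for kind, ls, le, gs, ge in self.rules:
            if kind == SERVER or not _in_range(src_ip, ls, le):
                continue                       # Server rules only apply inbound
            if kind == ONE_TO_ONE:
                return gs, src_port            # address changes, port does not
            if kind == MANY_ONE_TO_ONE:
                return _offset(src_ip, ls, gs), src_port   # port does not change either
            if kind == MANY_TO_ONE:
                gport = next(self._next_port)  # many hosts share one IGA: port translation
                self._sessions[(gs, gport)] = (src_ip, src_port)
                return gs, gport
        return None

    def inbound(self, dst_ip, dst_port):
        """Translate a WAN-originated packet. Returns (local_ip, local_port) or None (discard)."""
        if (dst_ip, dst_port) in self._sessions:          # reply to a Many-to-One session
            return self._sessions[(dst_ip, dst_port)]
        for kind, ls, le, gs, ge in self.rules:           # 1-1 and M-1-1 work in both directions
            if kind == ONE_TO_ONE and dst_ip == gs:
                return ls, dst_port
            if kind == MANY_ONE_TO_ONE and _in_range(dst_ip, gs, ge):
                return _offset(dst_ip, gs, ls), dst_port
        if (dst_ip, dst_port) in self.server_set:         # menu 15.2 port forwarding
            return self.server_set[(dst_ip, dst_port)], dst_port
        if self.default_server:
            return self.default_server, dst_port
        return None   # no default server: discarded, as Section 42.3 states
```

Two points worth noticing when you run it: a One-to-One or Many-One-to-One rule exposes the mapped LAN host on every port unless a firewall rule says otherwise (which is why Section 42.1 insists on a firewall rule as well), and configuring a Default Server turns the discard at the end of inbound() into a forward of every unsolicited packet to that host.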
Chapter 42 Network Address Translation (NAT) Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN interfaces, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and configure trigger port rules for the first or second WAN interface.
Chapter 42 Network Address Translation (NAT) Table 246 Menu 15.3.1: Trigger Port Setup (continued) FIELD DESCRIPTION End Port Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
Chapter 43 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 43.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
Chapter 43 Introducing the ZyWALL Firewall Figure 384 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
Chapter 44 Filter Configuration This chapter shows you how to create and apply filters. 44.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
Chapter 44 Filter Configuration 44.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
Chapter 44 Filter Configuration Figure 386 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
Chapter 44 Filter Configuration 44.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 387 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1.
Chapter 44 Filter Configuration Table 247 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here.
Chapter 44 Filter Configuration 44.2.2 Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.
Table 249 Menu 21.1.1.1: TCP/IP Filter Rule
FIELD  DESCRIPTION
Port # Comp  Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Greater.

Figure 390 Executing an IP Filter

44.2.3 Configuring a Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to let you filter non-IP packets. For IP, it is generally easier to use the IP rules directly.

For generic rules, the ZyWALL treats a packet as a byte stream rather than as an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.

Table 250 Generic Filter Rule Menu Fields
FIELD  DESCRIPTION
Log  Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged.

Figure 393 Example Filter: Menu 21.1.3.1
Menu 21.1.3.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6    IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 23
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0...
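The following is an added example, not code from the ZyXEL guide or from ZyNOS: a small model of how a cascade of filter sets evaluates TCP/IP rules (protocol, masked source/destination address, Port # Comp) and generic rules (Offset, Length, Mask, Value on the raw bytes) against a packet, and how the result maps onto the S04>R01mD tags seen in the filter log. The rule actions are assumed to be Forward, Drop and Check Next; Check Next continues to the following rule or set, and a packet that no rule decides on is assumed to be forwarded. The packets are constructed in the code, not captured; the Figure 393 rule is entered as set 3, rule 1.

```python
import ipaddress
import struct

IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def build_ipv4(src, dst, proto, payload):
    """Constructed sample packet (not captured traffic): 20-byte IPv4 header + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options); enough for port matching."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def parse_ipv4(pkt):
    """Pull the header fields a TCP/IP filter rule compares."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    fields = {"proto": proto,
              "src": str(ipaddress.IPv4Address(pkt[12:16])),
              "dst": str(ipaddress.IPv4Address(pkt[16:20])),
              "sport": None, "dport": None}
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(pkt) >= ihl + 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields


def port_compare(op, port, target):
    """Port # Comp options from Table 249: None, Equal, Not Equal, Less, Greater."""
    if op == "none":
        return True
    if port is None:            # no transport header (e.g. ICMP): a port test cannot match
        return False
    return {"equal": port == target, "not_equal": port != target,
            "less": port < target, "greater": port > target}[op]


def addr_match(addr, rule_addr, rule_mask):
    """Masked compare; IP Mask= 0.0.0.0 matches every address."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, rule_mask))
    return (a & m) == (r & m)


def match_tcpip_rule(rule, pkt):
    f = parse_ipv4(pkt)
    if rule.get("protocol", 0) not in (0, f["proto"]):      # IP Protocol= 0 means any
        return False
    if not addr_match(f["dst"], rule.get("dst_addr", "0.0.0.0"), rule.get("dst_mask", "0.0.0.0")):
        return False
    if not addr_match(f["src"], rule.get("src_addr", "0.0.0.0"), rule.get("src_mask", "0.0.0.0")):
        return False
    if not port_compare(rule.get("dst_port_comp", "none"), f["dport"], rule.get("dst_port", 0)):
        return False
    return port_compare(rule.get("src_port_comp", "none"), f["sport"], rule.get("src_port", 0))


def match_generic_rule(rule, pkt):
    """Generic rule: take Length bytes at Offset (from 0), AND with Mask, compare to Value."""
    window = pkt[rule["offset"]:rule["offset"] + rule["length"]]
    if len(window) < rule["length"]:
        return False
    return bytes(b & m for b, m in zip(window, rule["mask"])) == rule["value"]


def run_filter_sets(cascade, sets, pkt):
    """Evaluate the cascaded sets (e.g. [3, 1] for 'Filter sets: 3,1') in order.
    Returns (verdict, tag); the tag mirrors the S04>R01mD log form: set, rule,
    m/n for matched/not matched. The first Forward or Drop decides; Check Next
    continues, and a packet no rule decides on is forwarded (assumed default)."""
    for set_no in cascade:
        for rule_no, rule in enumerate(sets.get(set_no, []), start=1):
            if not rule.get("active", True):
                continue
            matcher = match_generic_rule if rule["type"] == "GEN" else match_tcpip_rule
            matched = matcher(rule, pkt)
            action = rule["action_matched"] if matched else rule["action_not_matched"]
            if action in ("forward", "drop"):
                return action, "S%02dR%02d%s" % (set_no, rule_no, "m" if matched else "n")
    return "forward", None


# Figure 393's rule as set 3, rule 1: drop TCP (protocol 6) to destination port 23 (telnet).
TELNET_BLOCK = {"type": "IP", "protocol": 6, "dst_port_comp": "equal", "dst_port": 23,
                "action_matched": "drop", "action_not_matched": "check_next"}
# A generic rule on the same bytes: the IPv4 protocol field is byte 9; keep only TCP.
TCP_ONLY_GEN = {"type": "GEN", "offset": 9, "length": 1, "mask": b"\xff", "value": b"\x06",
                "action_matched": "forward", "action_not_matched": "drop"}
EXAMPLE_SETS = {3: [TELNET_BLOCK], 5: [TCP_ONLY_GEN]}
```

Note the effect of cascade order: with sets "3,5" a telnet SYN is dropped by set 3, but with "5,3" the generic rule in set 5 forwards every TCP packet first and the telnet block is never reached. A rule whose Action Matched is Forward ends evaluation for that packet, so place blocking rules before permissive ones.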
After you've created the filter set, you must apply it.
1 Enter 11 from the main menu to go to menu 11.
2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile.
3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER].
4 This brings you to menu 11.1.4.

44.5.1.1 When To Use Filtering
1 To block/allow LAN packets by their MAC addresses.
2 To block/allow special IP packets which are neither TCP nor UDP nor ICMP packets.
3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...

If you do not activate the firewall, it is advisable to apply filters. Keep in mind that filters are stateless: each rule looks at one packet's header fields on its own, so a filter cannot tell a reply to a connection your network opened from an unsolicited inbound packet the way the stateful firewall does.

44.6.1 Applying LAN Filters
LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate.

44.6.3 Applying Remote Node Filters
Go to menu 11.1.4 (shown below; note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas.
Chapter 45 SNMP Configuration

This chapter explains SNMP configuration menu 22.

45.1 SNMP Configuration

To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The "community" for the Get, Set and Trap fields is SNMP terminology for password. The community string travels in every SNMP request, so treat the Get and Set communities as administrative passwords: change them from their defaults and give the Set community only to the management station that needs write access.

TRAP  DESCRIPTION
authenticationFailure (defined in RFC-1215)  A trap is sent to the manager when any SNMP get or set request is received with the wrong community (password).
whyReboot (defined in ZYXEL-MIB)  A trap is sent with the reason for the restart before rebooting when the system is going to restart (warm start).
Chapter 46 System Information & Diagnosis

This chapter covers SMT menus 24.1 to 24.4.

46.1 Introduction to System Status

This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.

3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen.

Figure 401 Menu 24.1: System Maintenance: Status
Menu 24.1 - System Maintenance - Status  08:17:55...

Table 253 System Maintenance: Status Menu Fields (continued)
FIELD  DESCRIPTION
RxPkts  The number of packets received on this port.
Cols  The number of collisions on this port.
Tx B/s  The transmission speed in bytes per second on this port.
Rx B/s  The reception speed in bytes per second on this port.

Name  The system name, shown as Name= xxx.baboo.mickey.com in the example screen.
Routing  The routing protocol used.
ZyNOS F/W Version  The version of ZyXEL's Network Operating System software.
Country Code  The country code of the firmware.
Ethernet Address  The Ethernet MAC (Media Access Control) address of your ZyWALL.

Figure 404 Menu 24.2.2: System Maintenance: Change Console Port Speed
Menu 24.2.2 - System Maintenance - Change Console Port Speed
Console Port Speed: 9600
Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.

46.4 Log and Trace

There are two logging facilities in the ZyWALL.
IP[...] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D).
Src: Source Address
Dst: Destination Address
prot: Protocol ("TCP", "UDP", "ICMP")
spo: Source port
dpo: Destination port

Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF
Mar 03 11:59:20 202.132.155.97 ZyXEL:...
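As an added example (not part of the guide), the parser below reads filter log lines in the format shown above, splits the S04>R01mD tag into set, rule, match flag and action, and tallies which rules are dropping traffic and from which sources. The sample lines are constructed for this example in the guide's format, not a real capture; the spo/dpo port values are assumed to be hexadecimal, and the summary function's name and output shape are this example's own.

```python
import re
from collections import Counter

# Tag form from the guide: S<set>>R<rule> then m (match) and D (drop) or F (forward).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) ZyXEL: "
    r"(?P<kind>IP|GEN)\[(?P<body>[^\]]*)\]\s*\}?"
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[mn])(?P<action>[DF])$")

# Constructed sample lines in the guide's format (not a real capture).
SAMPLE_LOG = """\
Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF
Mar 03 10:42:01 202.132.155.97 ZyXEL: IP[Src=192.168.2.40 Dst=202.132.155.93 TCP spo=0302 dpo=0017]}S03>R01mD
Mar 03 10:42:02 202.132.155.97 ZyXEL: IP[Src=192.168.2.40 Dst=202.132.155.93 TCP spo=0303 dpo=0017]}S03>R01mD
Mar 03 10:43:10 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
Mar 03 10:43:11 202.132.155.97 ZyXEL: unrelated message that should be ignored
"""


def _field(body, key):
    m = re.search(r"\b" + key + r"=(\S+)", body)
    return m.group(1) if m else None


def parse_line(line):
    """Return a dict for one filter log line, or None if it is not a filter log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "kind": m.group("kind"),
           "set": int(m.group("set")), "rule": int(m.group("rule")),
           "matched": m.group("match") == "m",
           "action": {"D": "drop", "F": "forward"}[m.group("action")],
           "src": None, "dst": None, "proto": None, "sport": None, "dport": None}
    if rec["kind"] == "IP":
        rec["src"], rec["dst"] = _field(body, "Src"), _field(body, "Dst")
        rec["proto"] = next((t for t in body.split() if t in ("TCP", "UDP", "ICMP")), None)
        for k, key in (("sport", "spo"), ("dport", "dpo")):
            v = _field(body, key)
            rec[k] = int(v, 16) if v else None   # assumed hexadecimal, as in ZyNOS logs
    return rec


def summarise(log_text):
    """Count hits per set/rule/action and collect the sources that hit a dropping rule,
    which is the first thing to look at when deciding whether a filter is too broad."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits, drop_sources = Counter(), {}
    for r in records:
        tag = "S%02dR%02d%s" % (r["set"], r["rule"], r["action"][0].upper())
        hits[tag] += 1
        if r["action"] == "drop" and r["src"]:
            drop_sources.setdefault(tag, set()).add(r["src"])
    return records, hits, drop_sources
```

Feed the output of the syslog server that receives the ZyWALL's logs to summarise(); a rule that shows up with many drops from a single inside host is usually either a misconfigured client or a host probing through the filter, and the parsed records give you the source and destination port to check.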
Figure 408 Call-Triggering Packet Example
IP Frame: ENET0-RECV  Size:  Time: 17:02:44.262
Frame Type:
IP Header:
  IP Version
  Header Length = 20
  Type of Service = 0x00 (0)
  Total Length = 0x002C (44)
  Identification = 0x0002 (2)
  Flags = 0x00
  Fragment Offset...

Figure 409 Menu 24.4: System Maintenance: Diagnostic (ZyWALL 5)
Menu 24.4 - System Maintenance - Diagnostic
TCP/IP
  1. Ping Host
  2. WAN DHCP Release
  3. WAN DHCP Renewal
  4. PPPoE/PPTP/3G Setup Test
System
  11. Reboot System
Enter Menu Selection Number:
WAN=
Host IP Address= N/A...

Table 256 System Maintenance Menu Diagnostic
FIELD  DESCRIPTION
Ping Host  Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below.
WAN DHCP Release  Enter 2 to release your WAN DHCP settings.
Chapter 47 Firmware and Configuration File Maintenance

The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing.

The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary.

331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for RETR rom-0
226 File sent OK
ftp: 16384 bytes received in 1.10Seconds 297.89Kbytes/sec.
47.3.4 GUI-based FTP Clients

The following table describes some of the commands that you may see in GUI-based FTP clients.

Table 258 General Commands for GUI-based FTP Clients
COMMAND  DESCRIPTION
Host Address  Enter the address of the host server.
Login Type  Anonymous.

4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer.
5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer.

Figure 413 System Maintenance: Backup Configuration
Ready to backup Configuration via Xmodem. Do you want to continue (y/n):

2 The following screen indicates that the Xmodem download has started.

Figure 414 System Maintenance: Starting Xmodem Download Screen
You can enter ctrl-x to terminate operation any time.

FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.

WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL.

47.4.2 Restore Using FTP Session Example

Figure 418 Restore Using FTP Session Example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.

4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.

Figure 422 Successful Restoration Confirmation Screen
Save to ROM
Hit any key to start system reboot.

Figure 423 Telnet Into Menu 24.7.1: Upload System Firmware
Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload the system firmware, follow the procedure below:
1. Launch the FTP client on your workstation.
2.

47.5.3 FTP File Upload Command from the DOS Prompt Example
1 Launch the FTP client on your computer.
2 Enter "open", followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is "1234"). Change the default password before the ZyWALL is reachable from any network you do not control. FTP sends the password in cleartext and neither FTP nor TFTP encrypts the transferred file, and the rom-0 file carries the device's settings including its password, so only transfer it over a trusted LAN or the console port.

2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 - System Maintenance.
3 Enter the command "sys stdio 0" to disable the console timeout, so the TFTP transfer will not be interrupted.

Figure 426 Menu 24.7.1 As Seen Using the Console Port
Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload system firmware:
1. Enter "y" at the prompt below to go into debug mode.
2.

Figure 428 Menu 24.7.2 As Seen Using the Console Port
Menu 24.7.2 - System Maintenance - Upload System Configuration File
To upload system configuration file:
1. Enter "y" at the prompt below to go into debug mode.
2.
Chapter 48 System Maintenance Menus 8 to 10

Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance.

A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.

Figure 431 Valid Commands
Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
ras> ?
Valid commands are:...

Table 260 Valid Commands
COMMAND  DESCRIPTION
  These commands configure bandwidth management settings and display bandwidth management information.
  These commands configure intrusion detection and prevention settings.
  These commands configure anti-virus settings.
  These commands configure anti-spam settings.
certificates  These commands display certificate information and configure certificate settings.

Figure 433 Budget Management
Menu 24.9.1 - Budget Management
Remote Node   Connection Time/Total Budget   Elapsed Time/Total Period
1.WAN_1       No Budget                      No Budget
2.WAN_2       No Budget                      No Budget
3.Dial        No Budget                      No Budget
Reset Node (0 to update screen):

The total budget is the time limit on the accumulated time for outgoing calls to a remote node.

Figure 434 Call History
Menu 24.9.2 - Call History
Phone Number   Rate   #call   Total
Enter Entry to Delete(0 to exit):

The following table describes the fields in this screen.
Table 262 Call History
FIELD  DESCRIPTION
Phone Number ...

Figure 435 Menu 24: System Maintenance
Menu 24 - System Maintenance
1. System Status
2. System Information and Console Port Speed
3. Log and Trace
4. Diagnostic
5. Backup Configuration
6. Restore Configuration
7. Upload Firmware
8. Command Interpreter Mode
9. Call Control
10. Time and Date Setting

The following table describes the fields in this screen.
Table 263 Menu 24.10 System Maintenance: Time and Date Setting
FIELD  DESCRIPTION
Time Protocol  Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Chapter 49 Remote Management

This chapter covers remote management found in SMT menu 24.11.

49.1 Remote Management

Remote management lets you determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access.

Table 264 Menu 24.11 - Remote Management Control (continued)
FIELD  DESCRIPTION
Authenticate Client Certificates  Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see...
Chapter 50 IP Policy Routing

This chapter covers setting and applying policies used for IP routing.

50.1 IP Routing Policy Summary

Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.

Table 265 Menu 25: Sample IP Routing Policy Summary (continued)
FIELD  DESCRIPTION
Criteria/Action  This displays the details about which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to Table 266 on page 694 for detailed information.

2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).

Figure 439 Menu 25.1: IP Routing Policy Setup
Menu 25.1 - IP Routing Policy Setup
Rule Index= 1...

Table 267 Menu 25.1: IP Routing Policy Setup
FIELD  DESCRIPTION
addr start / end  Destination IP address range from start to end.
port start / end  Destination port number range from start to end; applicable only for TCP/UDP.
Action  Specifies whether action should be taken on criteria Matched or Not Matched.

Figure 440 Menu 25.1.1: IP Routing Policy Setup
Menu 25.1.1 - IP Routing Policy Setup
Apply policy to packets received from:
  LAN= No
  DMZ= No
  WLAN= No
  ALL WAN= Yes
  Selected Remote Node index= N/A
Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Figure 441 Example of IP Policy Routing

To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port.
3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly.
4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).
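The following added example (not from the guide) models the two rules of this procedure as a first-match policy: a rule applies only to packets received on an interface it is enabled for (menu 25.1.1), the criteria are the protocol, source and destination address ranges and, for TCP/UDP, the destination port range, and the Action field decides whether the gateway is used when the criteria match or when they do not. Assumptions: a start address of 0.0.0.0 means any host (as step 4 says), the literal "WAN" stands for routing out of the WAN port, and the field names in the rule dictionaries are this example's own, not the menu's.

```python
import ipaddress

ANY = "0.0.0.0"   # the guide: IP=0.0.0.0 means any host


def _addr_in_range(addr, start, end):
    if start == ANY:
        return True
    a, s, e = (int(ipaddress.IPv4Address(x)) for x in (addr, start, end))
    return s <= a <= e


def rule_matches(rule, pkt):
    """Compare one packet with a rule's criteria: protocol (0 = any), source and
    destination address ranges, and (TCP/UDP only) the destination port range."""
    if rule["protocol"] not in (0, pkt["proto"]):
        return False
    if not _addr_in_range(pkt["src"], rule["src_start"], rule["src_end"]):
        return False
    if not _addr_in_range(pkt["dst"], rule["dst_start"], rule["dst_end"]):
        return False
    if pkt["proto"] in (6, 17) and rule["port_start"]:
        return rule["port_start"] <= pkt["dport"] <= rule["port_end"]
    return True


def route(policy, received_on, pkt):
    """First applicable rule wins. A rule applies only to packets received on an
    interface it is enabled for. Action 'matched' routes to the gateway when the
    criteria match; 'not_matched' routes there when they do not. None means no
    policy applied and the normal routing table decides (assumed default)."""
    for rule in policy:
        if not rule["active"] or received_on not in rule["apply_to"]:
            continue
        if rule_matches(rule, pkt) == (rule["action"] == "matched"):
            return rule["gateway"]
    return None


# The two rules from the guide's example, as this evaluator expects them.
EXAMPLE_POLICY = [
    {"index": 1, "active": True, "apply_to": {"LAN"}, "protocol": 6,
     "src_start": "192.168.1.33", "src_end": "192.168.1.64", "dst_start": ANY, "dst_end": ANY,
     "port_start": 80, "port_end": 80, "action": "matched", "gateway": "WAN"},
    {"index": 2, "active": True, "apply_to": {"LAN"}, "protocol": 6,
     "src_start": ANY, "src_end": ANY, "dst_start": ANY, "dst_end": ANY,
     "port_start": 21, "port_end": 21, "action": "matched", "gateway": "192.168.1.100"},
]


def pkt(src, dst, proto, dport=None):
    """Constructed packet summary: only the fields the policy looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}
```

The check worth doing before enabling a policy is the negative case: a rule with Action set to Not Matched sends everything that does not fit the criteria to the gateway, which is rarely what a narrow source range was meant to do.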
Chapter 51 Call Scheduling

Call scheduling allows you to dictate when a remote node should be called and for how long.

51.1 Introduction to Call Scheduling

The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.

To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.

Table 269 Schedule Set Setup (continued)
FIELD  DESCRIPTION
  If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
Chapter 52 Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• ZyWALL Access and Login
• Internet Access
• ...

52.2 ZyWALL Access and Login

I forgot the LAN IP address for the ZyWALL.
1 The default LAN IP address is 192.168.1.1.
2 Use the console port to log in to the ZyWALL.
3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer.
• If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix E on page 733. Your ZyWALL is a DHCP server by default.
6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. A factory reset also restores the default password ("1234") and discards every other setting, so back up the configuration (menu 24.5) first if you can still reach the device, and change the password again as soon as you are back in.

See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.

I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5.4 on page
2 Check the schedule rules.

5 Check that both the ZyWALL and your wireless station are using the same wireless and wireless security settings.
6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyWALL.
Appendices and Index
Product Specifications (713)
Hardware Installation (721)
Pop-up Windows, JavaScripts and Java Permissions (725)
Removing and Installing a Fuse (731)
Setting up Your Computer's IP Address (733)
IP Addresses and Subnetting (749)
Common Services (757)
Wireless LANs (761)
Windows 98 SE/Me Requirements for Anti-Virus Message Display (775)
VPN Setup (779)
Importing Certificates (791)

Appendix A Product Specifications

Console  RS-232 DB9F
Dial Backup  RS-232 DB9M
Extension Card Slot  For installing an optional ZyXEL wireless LAN card, 3G card or a ZyWALL Turbo extension card
Operation Temperature  0º C ~ 50º C
Storage Temperature  -30º C ~ 60º C...

Wireless LAN  ...access the ZyWALL wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network. Of these options, use WPA2 or WPA2-PSK: WEP can be broken by a passive attacker, and MAC filtering stops only clients that do not spoof their address.
Firmware Upgrade  Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL.

FEATURE  DESCRIPTION
Firewall  You can configure the firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files, for example.

Simultaneous IPSec VPN Connections  ...

Compatible ZyXEL WLAN Cards
The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports. Check the product page on the www.zyxel.com website for updates on ZyXEL WLAN cards that you can use in the ZyWALL.
...LAN PCMCIA or CardBus card, 3G card or ZyWALL Turbo Card (to avoid damage). Slide the connector end of the card into the slot as shown next. Only certain ZyXEL wireless LAN cards or 3G cards are compatible with the ZyWALL.

Figure 448 WLAN Card Installation

Power Adaptor Specifications

NORTH AMERICAN PLUG STANDARDS
AC Power Adaptor Model  PSA18R-120P (ZA)-R
Input Power  100-240VAC, 50/60Hz, 0.5A
Output Power  12VDC, 1.5A
Power Consumption  18 W max.
Safety Standards  UL, cUL (UL 60950-1 First Edition; CSA C22.2 No. 60950-1-03 1st)

EUROPEAN PLUG STANDARDS
AC Power Adaptor Model  ...

UNITED KINGDOM PLUG STANDARDS
Power Consumption  18 W max.
Safety Standards  TUV (BS EN 60950-1)

AUSTRALIA AND NEW ZEALAND PLUG STANDARDS
AC Power Adaptor Model  PSA18R-120P (ZS)-R
Input Power  100-240VAC, 50/60Hz, 0.5A
Output Power  12VDC, 1.5A
Power Consumption  18 W max.
Appendix B Hardware Installation

The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation.

General Installation Instructions
Read all the safety warnings in the beginning of this User's Guide before you begin and make sure you follow them.

Figure 450 Attaching Rubber Feet
Do not block the ventilation holes. Leave space between ZyWALLs when stacking.

Rack-mounted Installation Requirements
The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.

Rack-Mounted Installation
1 Align one bracket with the holes on one side of the ZyWALL and secure it with the bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
Figure 451 Attaching Mounting Brackets and Screws
3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack.
Appendix C Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).
Internet Explorer 6 screens are used here.

1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Adding only the ZyWALL's address to the Allowed sites list (steps 3 and 4 below) keeps the blocker active for every other site and is preferable to clearing Block pop-ups.
Figure 454 Internet Options
3 Click Apply to save this setting.

Figure 455 Internet Options
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 456 Pop-up Blocker Settings
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.

JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
Figure 458 Security Settings - Java Scripting

Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.

JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.
Figure 460 Java (Sun)

Appendix D Removing and Installing a Fuse

This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below. If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the appendix on product specifications.
Appendix E Setting up Your Computer's IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.

Figure 461 Windows 95/98/Me: Network: Configuration

Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter:
1 In the Network window, click Add.

Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
• ...

Figure 463 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
4 Click the Gateway tab.
• If you do not know your gateway's IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.

Figure 464 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
Figure 465 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.
Figure 466 Windows XP: Control Panel: Network Connections: Properties
4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
Figure 467 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
Figure 468 Windows XP: Internet Protocol (TCP/IP) Properties
6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses:
• ...
Figure 469 Windows XP: Advanced TCP/IP Properties
7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
Figure 470 Windows XP: Internet Protocol (TCP/IP) Properties
8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.

Figure 471 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 472 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyWALL in the Router address box.
5 Close the TCP/IP Control Panel.

Figure 474 Macintosh OS X: Network
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• ...

Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
• If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
• If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.

Figure 479 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
• If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK=...

Verifying Settings
Enter ifconfig in a terminal screen to check your TCP/IP properties.
Figure 483 Red Hat 9.0: Checking TCP/IP Properties
[root@localhost]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
          inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1...
Appendix F IP Addresses and Subnetting

This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks.

Introduction to IP Addresses
An IP address has two parts: the network number and the host ID. Routers use the network number to send packets to the correct network, while the host ID identifies a single device on the network.

Table 277 Classes of IP Addresses (continued)
IP ADDRESS  OCTET 1  OCTET 2  OCTET 3  OCTET 4
Class B  Network number  Network number  Host ID  Host ID
Class C  Network number  Network number  Network number  Host ID

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 for example).

Subnet masks are expressed in dotted decimal notation just like IP addresses. The "natural" masks for class A, B and C IP addresses are as follows.
Table 279 "Natural" Masks
CLASS  NATURAL MASK
A  255.0.0.0
B  255.255.0.0
C  255.255.255.0

Subnetting...

Example: Two Subnets
As an example, you have a class "C" address 192.168.1.0 with subnet mask of 255.255.255.0.
Table 281 Two Subnets Example
IP/SUBNET MASK  NETWORK NUMBER  HOST ID
IP Address  192.168.1.  ...
IP Address (Binary)  11000000.10101000.00000001.  ...

Table 283 Subnet 2 (continued)
IP/SUBNET MASK  NETWORK NUMBER  LAST OCTET BIT VALUE
Subnet Address:  192.168.1.128
Lowest Host ID:  192.168.1.129
Broadcast Address:  192.168.1.255
Highest Host ID:  192.168.1.254

Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2 – ...

Table 289 Class C Subnet Planning (continued)
NO. "BORROWED" HOST BITS  SUBNET MASK  NO. SUBNETS  NO. HOSTS PER SUBNET
3  255.255.255.224 (/27)  8  30
4  255.255.255.240 (/28)  16  14
5  255.255.255.248 (/29)  32  6
6  255.255.255.252 (/30)  64  2
7  255.255.255.254 (/31)  128  0 (no usable host IDs under the all-zeros/all-ones rule)

Subnetting With Class A and Class B Networks
For class "A"...
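As an added example (not from the guide), the following uses the standard library to carry out the planning arithmetic of this appendix: given a network and the number of host bits borrowed, it lists each subnet with its mask, lowest and highest host IDs, broadcast address and usable host count, excluding the all-zeros and all-ones host IDs as the appendix explains. The classful natural-mask helper and the function names are this example's own; the two-subnet and Class C planning figures above are what the tests check it against.

```python
import ipaddress


def subnet_plan(network, borrowed_bits):
    """Split `network` (e.g. "192.168.1.0/24") by borrowing `borrowed_bits` host bits.
    Returns one dict per resulting subnet, in address order."""
    net = ipaddress.ip_network(network, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    if not 0 <= borrowed_bits <= 32 - net.prefixlen:
        raise ValueError("cannot borrow %d bits from a /%d" % (borrowed_bits, net.prefixlen))
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        # all-zeros host ID = the subnet, all-ones = broadcast; neither is assignable
        hosts = sub.num_addresses - 2 if sub.prefixlen < 31 else 0
        plan.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "prefix": sub.prefixlen,
            "lowest_host": str(sub.network_address + 1) if hosts else None,
            "highest_host": str(sub.broadcast_address - 1) if hosts else None,
            "broadcast": str(sub.broadcast_address),
            "hosts": hosts,
        })
    return plan


def natural_mask(address):
    """Classful 'natural' mask from the first octet: class A /8, B /16, C /24."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError("class D/E address has no natural mask")


def class_c_planning(network="192.168.1.0/24", max_bits=7):
    """Rows of the Class C planning table: (borrowed bits, mask, subnets, hosts per subnet)."""
    rows = []
    for bits in range(1, max_bits + 1):
        plan = subnet_plan(network, bits)
        rows.append((bits, plan[0]["mask"], len(plan), plan[0]["hosts"]))
    return rows
```

Borrowing bits from a /24 is the simplest case; subnet_plan also handles class A and B networks (for instance "10.0.0.0/8" with 8 borrowed bits gives 256 /16 subnets), which is the arithmetic the following paragraphs of the appendix describe.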
CU-SEEME 7648 A popular videoconferencing solution from White Pines Software. 24032 TCP/UDP Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers. User-Defined The IPSEC ESP (Encapsulation Security (IPSEC_TUNNEL) Protocol) tunneling protocol uses this service. FINGER...
Page 758
Appendix G Common Services Table 291 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. H.323 1720 NetMeeting uses this protocol. HTTP Hyper Text Transfer Protocol - a client/ server protocol for the world wide web.
Appendix G Common Services
Table 291 Commonly Used Services (continued)
NAME      PROTOCOL   PORT(S)   DESCRIPTION
RTELNET                        Remote Telnet.
RTSP      TCP/UDP    554       The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP                           Simple File Transfer Protocol.
SMTP      TCP        25        Simple Mail Transfer Protocol is the message-exchange standard for the...
Appendix H Wireless LANs
Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.
Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
Appendix H Wireless LANs Figure 485 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
Appendix H Wireless LANs Figure 486 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference.
Appendix H Wireless LANs Figure 487 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
Appendix H Wireless LANs If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to signal that data is coming to the receiver.
Appendix H Wireless LANs
Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL's identity (SSID). The following figure shows the relative effectiveness of these wireless security methods available on your ZyWALL.
Appendix H Wireless LANs
• Authorization
Determines the network services available to authenticated users once they are connected to the network.
• Accounting
Keeps track of the client's network activity.
RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
Appendix H Wireless LANs
For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.
Appendix H Wireless LANs Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen.
Appendix H Wireless LANs
Encryption
WPA improves on WEP's data encryption by using the Temporal Key Integrity Protocol (TKIP) with a Message Integrity Check (MIC), and by managing keys through IEEE 802.1x. WPA2 uses the Advanced Encryption Standard (AES) in the Counter mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which offers stronger encryption than TKIP.
Appendix H Wireless LANs Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.
Appendix H Wireless LANs
3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network; each side derives it locally from the pre-shared key (passphrase) and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys.
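Steps 3 and 4 above in code: how the PMK is derived from the passphrase and SSID without ever being transmitted, and how the temporal keys come out of the PMK plus the nonces and MAC addresses exchanged in the handshake. This is an added example, not ZyXEL code; the PBKDF2 and PRF constructions are the ones specified in IEEE 802.11i, the MAC addresses and nonces in the demo are constructed values, and the test vector (passphrase "password", SSID "IEEE") is the published 802.11i one.

```python
import hashlib
import hmac


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    Both the AP and the client compute this locally, so the same passphrase on a
    different SSID gives a different PMK. Anyone who captures a handshake can run
    exactly this function over a wordlist offline, which is why passphrase strength
    matters far more than SSID hiding.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def _prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
            cipher: str = "ccmp") -> dict:
    """Derive the Pairwise Transient Key from the PMK and the 4-way handshake values.

    aa/spa are the AP and client MAC addresses (6 bytes each), anonce/snonce the
    32-byte nonces carried in EAPOL-Key messages 1 and 2. Inputs are ordered by
    value so both sides derive the same key whichever one is the authenticator.
    CCMP needs 384 bits; TKIP needs 512 (the extra 128 bits are the Michael MIC keys).
    """
    nbytes = 48 if cipher == "ccmp" else 64
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = _prf(pmk, b"Pairwise key expansion", data, nbytes)
    return {"kck": ptk[:16],    # key confirmation key: MICs the handshake frames
            "kek": ptk[16:32],  # key encryption key: wraps the group key in message 3
            "tk": ptk[32:48],   # temporal key: encrypts the data frames
            "ptk": ptk}


if __name__ == "__main__":
    pmk = wpa_psk_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    ap_mac = bytes.fromhex("001122334455")      # constructed values
    sta_mac = bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ap_keys = wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    sta_keys = wpa_ptk(pmk, sta_mac, ap_mac, snonce, anonce)
    print("AP and station agree on TK:", ap_keys["tk"] == sta_keys["tk"])
```

The AP and the station never send the PMK or the PTK; only the nonces travel in the clear, and message 2 of the handshake carries a MIC under the KCK that proves the client knew the passphrase. A client using a different passphrase derives a different PMK and therefore a different PTK, and its MIC fails.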
Appendix H Wireless LANs Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.
Appendix H Wireless LANs Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up.
Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display
With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.
Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display
Figure 491 Windows 98 SE: Program Task Bar
2 Click the Start Menu Programs tab and click Advanced ...
Figure 492 Windows 98 SE: Task Bar Properties
3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.
Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 493 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 494 Windows 98 SE: Startup: Create Shortcut 6 Specify a name for the shortcut or accept the default and click Finish.
Appendix I Windows 98 SE/Me Requirements for Anti-Virus Message Display Figure 495 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 496 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 490 on page...
IPSec connections. All users of a dynamic rule share the same pre-shared key, so you may need to change the pre-shared key if one of the users leaves. See the support notes at http://www.zyxel.com for configuration examples for software VPN clients.
Appendix J VPN Setup The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/ Remote Starting IP Address settings with your own values.
Appendix J VPN Setup
Figure 498 Headquarters Gateway Policy Edit
Callout: the IP address of the branch office IPSec router.
Figure 499 Branch Office Gateway Policy Edit
Callout: the IP address
3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy.
Figure 500 Headquarters VPN Rule
Figure 501 Branch Office VPN Rule
4 Configure the screens in the headquarters and the branch office as follows and click Apply.
Figure 502 Headquarters Network Policy Edit
Callouts: Activate the network policy. IP addresses on different subnets.
Figure 503 Branch Office Network Policy Edit
Callouts: Activate the network policy. IP addresses on different subnets.
Dialing the VPN Tunnel via Web Configurator
To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
Appendix J VPN Setup
VPN Log
The system log can often help to identify a configuration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel. View the log via the web configurator LOGS View Log screen or type sys log disp from...
Appendix J VPN Setup IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8). If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
Appendix J VPN Setup Use a VPN Tunnel A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email.
Appendix K Importing Certificates
This appendix shows examples of importing certificates using Internet Explorer 5.
Import ZyWALL Certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the ZyWALL's server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.
Appendix K Importing Certificates
Figure 510 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 511 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.
Figure 512 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 513 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.
Figure 514 Certificate Import Wizard 3
6 Click Yes to add the ZyWALL certificate to the root store. A certificate in the root store is trusted as a certification authority, so anything signed with its key will be trusted by your browser; compare the thumbprint shown in the wizard with the fingerprint of the certificate on the ZyWALL itself before you click Yes.
Figure 515 Root Certificate Store
Appendix K Importing Certificates Figure 516 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Appendix K Importing Certificates Figure 517 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
Appendix K Importing Certificates Figure 518 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
Appendix K Importing Certificates 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 520 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
Appendix K Importing Certificates Figure 522 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 523 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
Appendix K Importing Certificates
Using a Certificate When Accessing the ZyWALL Example
Use the following procedure to access the ZyWALL via HTTPS.
1 Enter https://<ZyWALL IP Address>/ in your browser's web address field.
Figure 525 Access the ZyWALL Via HTTPS
2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL.
Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
Appendix L Command Interpreter
Configuring What You Want the ZyWALL to Log
1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
2 Use sys logs category to view a list of the log categories.
Figure 528 Displaying Log Categories Example
ras>...
Appendix L Command Interpreter
Log Command Example
This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras>...
Appendix L Command Interpreter
Figure 530 Routing Command Example
ras> ip nat routing 2 1
Routing can work in NAT when no NAT rule match.
-----------------------------------------------
LAN:  no
DMZ:  yes
WLAN: yes
ARP Behavior and the ARP ackGratuitous Commands
The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request.
Appendix L Command Interpreter is on and set to force updates, the ZyWALL receives the gratuitous ARP request and updates its ARP table. This way the ZyWALL has a correct gateway ARP entry to forward packets through the backup gateway. If ackGratuitous is off or not set to force updates, the ZyWALL will not update the gateway ARP entry and cannot forward packets through gateway B.
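The ARP behaviour described above as a small model, so the trade-off is visible: rejecting unsolicited replies defeats the classic ARP-spoofing trick, but it also means the ZyWALL never learns that a backup gateway has taken over the gateway IP address unless gratuitous ARP is acknowledged with forced updates. This is an added example and not ZyXEL code; the IP and MAC addresses are constructed, and the decision to ignore ordinary requests for other hosts is an assumption of the model, not something the guide states.

```python
class ArpCache:
    """Model of the ZyWALL's ARP table update policy (added example, not ZyXEL code).

    - A reply is accepted only if this host previously sent a request for that IP.
    - A gratuitous ARP (sender IP == target IP) is accepted only when ackGratuitous is
      on; with force_update it may overwrite an existing entry, otherwise it only
      fills in a missing one.
    """

    def __init__(self, ack_gratuitous: bool = False, force_update: bool = False):
        self.table = {}        # ip -> mac, what the ZyWALL would forward packets to
        self.pending = set()   # ips this host has sent an ARP request for
        self.ack_gratuitous = ack_gratuitous
        self.force_update = force_update

    def send_request(self, ip: str) -> None:
        self.pending.add(ip)

    def receive(self, op: str, sender_ip: str, sender_mac: str, target_ip: str) -> str:
        """Process one ARP frame; returns what happened to the table."""
        if sender_ip == target_ip:
            # gratuitous ARP: a host announcing (or taking over) an IP address
            if not self.ack_gratuitous:
                return "ignored-gratuitous"
            if sender_ip in self.table and not self.force_update:
                return "ignored-existing"
            self.table[sender_ip] = sender_mac
            return "learned-gratuitous"
        if op == "reply":
            if sender_ip not in self.pending:
                # a reply nobody asked for is the classic ARP-spoofing vector
                return "ignored-unsolicited"
            self.pending.discard(sender_ip)
            self.table[sender_ip] = sender_mac
            return "learned-reply"
        # assumption: ordinary requests aimed at other hosts are not cached
        return "ignored-request"


GW_IP = "10.0.0.1"                  # constructed addresses
GW_A_MAC = "00:00:00:00:00:aa"      # primary gateway A
GW_B_MAC = "00:00:00:00:00:bb"      # backup gateway B, takes over GW_IP on failover
ATTACKER_MAC = "00:00:00:00:00:cc"


def failover_scenario(ack_gratuitous: bool, force_update: bool) -> str:
    """Gateway A answers our request; then B takes over the IP and announces it with a
    gratuitous ARP. Returns the MAC the ZyWALL would forward gateway traffic to."""
    cache = ArpCache(ack_gratuitous, force_update)
    cache.send_request(GW_IP)
    cache.receive("reply", GW_IP, GW_A_MAC, "10.0.0.254")
    cache.receive("request", GW_IP, GW_B_MAC, GW_IP)   # gratuitous ARP from B
    return cache.table[GW_IP]


def spoof_scenario() -> str:
    """An attacker sends an unsolicited reply claiming the gateway IP; default settings."""
    cache = ArpCache()
    return cache.receive("reply", GW_IP, ATTACKER_MAC, "10.0.0.254")


if __name__ == "__main__":
    print("default:            forwards to", failover_scenario(False, False))
    print("ack, no force:      forwards to", failover_scenario(True, False))
    print("ack + force update: forwards to", failover_scenario(True, True))
    print("unsolicited reply:", spoof_scenario())
```

With the default settings the entry stays at gateway A's MAC after the failover, which is the "cannot forward packets through gateway B" case in the text. Note that the setting which fixes that (acknowledge gratuitous ARP with forced updates) also lets any host on the segment that sends a gratuitous ARP for the gateway address overwrite the entry, so enable it only on segments where the failover actually needs it.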
Appendix L Command Interpreter
Figure 532 Managing the Bandwidth of an IPSec SA
Use this command to set the ZyWALL to use the outer source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. These are the IP addresses of the ZyWALL and the remote IPSec router.
Appendix L Command Interpreter
By default the ZyWALL uses a 128-bit AES encryption key for phase 2 IPSec tunnels. Use this command to edit an existing VPN rule to use a longer AES encryption key. See the following example. Say you have VPN rule 1, which uses AES for the phase 2 encryption, and you want it to use 192-bit encryption.
Appendix M NetBIOS Filter Commands
The following describes the NetBIOS packet filter commands. See Appendix L on page 801 for information on the command structure.
Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
Appendix M NetBIOS Filter Commands
The filter types and their default settings are as follows.
Table 296 NetBIOS Filter Default Settings
NAME                  DESCRIPTION                                                                                 EXAMPLE
Between LAN and WAN   This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.   Block
Between LAN ...       This field displays whether NetBIOS packets are blocked or forwarded ...                        Block...
Appendix N Brute-Force Password Guessing Protection
Brute-force password guessing protection allows you to specify a wait-time that must expire before a fourth password can be entered after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
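The mechanism above as an executable model, with a one-hour simulated guessing attack to show what the wait-time actually buys. This is an added example and not ZyXEL code; the behaviour after the wait-time expires (a further wrong password re-arms the wait immediately, so a guesser gets one try per wait period) is an assumption of the model, since the guide only describes the first wait. The fake clock exists so the lockout can be exercised without sleeping.

```python
import hmac
import time


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the lockout can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class PasswordGuard:
    """Model of brute-force password guessing protection (added example, not ZyXEL code).

    After `max_failures` consecutive wrong passwords every attempt, right or wrong, is
    refused until `wait_seconds` have elapsed. Once the wait is over, a further wrong
    password re-arms the wait immediately (assumption); a correct one clears the count.
    """

    def __init__(self, password: str, max_failures: int = 3,
                 wait_seconds: float = 60.0, clock=time.monotonic):
        self._password = password.encode("utf-8")
        self.max_failures = max_failures
        self.wait_seconds = wait_seconds
        self._clock = clock
        self.failures = 0
        self.locked_until = None

    def attempt(self, candidate: str) -> str:
        now = self._clock()
        if self.locked_until is not None and now < self.locked_until:
            return "refused"            # wait-time has not expired; not even evaluated
        self.locked_until = None
        # constant-time compare: no timing difference between near and far misses
        if hmac.compare_digest(candidate.encode("utf-8"), self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.wait_seconds
            return "locked"             # this failure started the wait-time
        return "denied"

    def remaining_wait(self) -> float:
        if self.locked_until is None:
            return 0.0
        return max(0.0, self.locked_until - self._clock())


def simulate_attack(guard: PasswordGuard, clock: FakeClock, seconds: int = 3600) -> int:
    """Try one wrong password per second for `seconds`; return how many guesses the
    guard actually evaluated, i.e. were not refused outright during a wait-time."""
    evaluated = 0
    for _ in range(seconds):
        if guard.attempt("not-the-password") != "refused":
            evaluated += 1
        clock.advance(1)
    return evaluated


if __name__ == "__main__":
    clk = FakeClock()
    print("protected, 60 s wait:", simulate_attack(PasswordGuard("1234", clock=clk), clk))
    clk = FakeClock()
    print("unprotected:", simulate_attack(PasswordGuard("1234", max_failures=10**9, clock=clk), clk))
```

With three failures and a 60-second wait, an attacker hammering the login once a second gets 62 evaluated guesses in an hour instead of 3600. The wait also applies to the correct password, so the lockout is a denial-of-service lever against legitimate administrators if the management interface is reachable from untrusted networks; restrict access to it as well as enabling the wait-time.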
Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
This Class B digital apparatus complies with Canadian ICES-003.
Viewing Certifications
1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.