ZyXEL Communications ZYWALL P1 User Manual

ZyWALL P1
Internet Security Appliance
User's Guide
Version 4.01
9/2006
Edition 1
www.zyxel.com

Summary of Contents for ZyXEL Communications ZYWALL P1

  • Page 1 ZyWALL P1 Internet Security Appliance User’s Guide Version 4.01 9/2006 Edition 1 www.zyxel.com...
  • Page 3: About This User's Guide

    • Supporting Disk: Refer to the included CD for support documents. • ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback: Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
  • Page 4: Document Conventions

    Syntax Conventions • The ZyWALL P1 may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
  • Page 5 Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router. ZyWALL P1 User’s Guide...
  • Page 6: Safety Warnings

    • Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one. • Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. This product is recyclable. Dispose of it properly.
  • Page 9: Table of Contents

    UPnP (313); ALG Screen (323); Reports, Logs and Maintenance (329); Reports (331); Logs (341); Maintenance (365); Zero Configuration and Troubleshooting (391); Zero Configuration Screens (393); Troubleshooting (403)
  • Page 10 Contents Overview: Appendices and Index (411)
  • Page 11: Table of Contents

    2.3.4 HOME Screen: Router Mode (50); 2.3.5 HOME Screen: Bridge Mode (53); 2.3.6 Network Status: More (56); 2.3.7 Port Statistics (56); 2.3.8 DHCP Table Screen (57); 2.3.9 VPN Status (58)
  • Page 12 5.1 myZyXEL.com overview (101); 5.1.1 Subscription Services Available on the ZyWALL (101); 5.2 Registration (102); 5.3 Service (104); Part II: Network (105); Chapter 6 LAN Screens (107); 6.1 LAN, WAN and the ZyWALL (107)
  • Page 13 8.6.1 WAN Ethernet Encapsulation (128); 8.6.2 PPPoE Encapsulation (130); 8.6.3 PPTP Encapsulation (133); 8.7 Dynamic DNS (136); 8.7.1 DYNDNS Wildcard (137); 8.8 Configuring Dynamic DNS (137); Part III: Security (139); Chapter 9 Firewall (141)
  • Page 14 10.6.4 MyDoom (173); 10.7 ZyWALL IDP (174); Chapter 11 Configuring IDP (175); 11.1 Overview (175); 11.2 General Setup (175); 11.3 IDP Signatures (177); 11.3.1 Attack Types (177); 11.3.2 Intrusion Severity (178)
  • Page 15 13.4.5 Encryption and Authentication Algorithms (212); 13.5 VPN Rules (IKE) Gateway Policy Edit (212); 13.6 IPSec SA Overview (218); 13.6.1 Local and Remote Networks (218); 13.6.2 Virtual Address Mapping (219); 13.6.3 Active Protocol (221)
  • Page 16 ... (260); 14.16 Directory Servers (262); 14.17 Directory Server Add or Edit (263); Chapter 15 Authentication Server (265); 15.1 Authentication Server Overview (265); 15.1.1 Local User Database (265); 15.1.2 RADIUS (265)
  • Page 17 Remote Management (291); 18.1 Remote Management Overview (291); 18.1.1 Remote Management Limitations (292); 18.1.2 System Timeout (292); 18.2 WWW (HTTP and HTTPS) (292); 18.3 WWW Configuration (293); 18.4 HTTPS Example (295)
  • Page 18 19.1.1 How Do I Know If I'm Using UPnP? (313); 19.1.2 NAT Traversal (313); 19.1.3 Cautions with UPnP (313); 19.1.4 UPnP and ZyXEL (314); 19.2 Configuring UPnP (314); 19.3 Displaying UPnP Port Mapping (315); 19.4 Installing UPnP in Windows Example ...
  • Page 19 22.3 Configuring Log Settings (343); 22.3.1 Log Descriptions (347); 22.4 Syslog Logs (363); Chapter 23 Maintenance (365); 23.1 Maintenance Overview (365); 23.2 General Setup and System Name (365); 23.3 General Setup (365)
  • Page 20 23.21.2 FTP Session Example of Firmware File Upload (388); 23.21.3 TFTP File Upload (388); 23.21.4 TFTP Upload Command Example (388); 23.22 Restart Screen (389); Part VI: Zero Configuration and Troubleshooting (391); Chapter 24 Zero Configuration Screens (393)
  • Page 21 Appendix F Windows 98 SE/Me Requirements for Anti-Virus Message Display (453); Appendix G Importing Certificates (457); Appendix H Command Interpreter (467); Appendix I NetBIOS Filter Commands (473); Appendix J Legal Information (475); Appendix K Customer Support (479); Index (483)
  • Page 23: List of Figures

    Figure 35 Tutorial: Wizard Welcome Screen (82); Figure 36 Tutorial: VPN Wizard: Gateway Setting (83); Figure 37 Tutorial: VPN Wizard: Network Setting (83); Figure 38 Tutorial: VPN Wizard: IKE Tunnel Setting (84)
  • Page 24 Figure 78 NETWORK > WAN > DDNS (137); Figure 79 Default Firewall Action (141); Figure 80 SECURITY > FIREWALL > Default Rule (Router Mode) (142); Figure 81 Default Block Traffic From WAN to LAN Example (143)
  • Page 25 Figure 121 Query Example Search Criteria (195); Figure 122 Query Example Search Results (196); Figure 123 SECURITY > ANTI-VIRUS > Update (198); Figure 124 SECURITY > ANTI-VIRUS > Backup and Restore (199)
  • Page 26 Figure 165 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import (259); Figure 166 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (260); Figure 167 SECURITY > CERTIFICATES > Directory Servers (262)
  • Page 27 Figure 206 ADVANCED > REMOTE MGMT > DNS (310); Figure 207 ADVANCED > REMOTE MGMT > CNM (311); Figure 208 ADVANCED > UPnP (314); Figure 209 ADVANCED > UPnP > Ports (315); Figure 210 H.323 ALG Example (324)
  • Page 28 Figure 249 FTP Session Example of Firmware File Upload (388); Figure 250 MAINTENANCE > Restart (389); Figure 251 INTERNET ACCESS (393); Figure 252 INTERNET ACCESS (Network Status) (394); Figure 253 INTERNET ACCESS (Ethernet Encapsulation) (395)
  • Page 29 Figure 293 Windows 98 SE: Program Task Bar (454); Figure 294 Windows 98 SE: Task Bar Properties (454); Figure 295 Windows 98 SE: StartUp (455); Figure 296 Windows 98 SE: Startup: Create Shortcut (455)
  • Page 30 Figure 318 Displaying Log Categories Example (468); Figure 319 Displaying Log Parameters Example (468); Figure 320 Routing Command Example (469); Figure 321 Backup Gateway (471); Figure 322 Routing Command Example (472)
  • Page 31: List of Tables

    Table 35 NETWORK > WAN > WAN (PPPoE Encapsulation) (131); Table 36 NETWORK > WAN > WAN (PPTP Encapsulation) (134); Table 37 Blocking All LAN to WAN IRC Traffic Example (148); Table 38 Limited LAN to WAN IRC Traffic Example (149)
  • Page 32 Table 78 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import (259); Table 79 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (261); Table 80 SECURITY > CERTIFICATES > Directory Servers (263); Table 81 SECURITY > CERTIFICATES > Directory Server > Add (264)
  • Page 33 Table 119 ICMP Logs (350); Table 120 CDR Logs (351); Table 121 PPP Logs (351); Table 122 UPnP Logs (351); Table 123 Attack Logs (351); Table 124 Remote Management Logs (353)
  • Page 34 Table 162 Subnet Masks (443); Table 163 Maximum Host Numbers (443); Table 164 Alternative Subnet Mask Notation (443); Table 165 Subnet 1 (445); Table 166 Subnet 2 (446); Table 167 Subnet 3 (446)
  • Page 35 Table 169 Eight Subnets (446); Table 170 24-bit Network Number Subnet Planning (447); Table 171 16-bit Network Number Subnet Planning (447); Table 172 Commonly Used Services (449); Table 173 NetBIOS Filter Default Settings (473)
  • Page 37: Introduction

    Introduction Getting to Know Your ZyWALL (39) Introducing the Web Configurator (43) Wizard Setup (61) Tutorial (81) Registration (101)
  • Page 39: Getting to Know Your ZyWALL

    The following figure shows a VPN network example. A telecommuter can simply connect the pre-configured ZyWALL and enter the VPN account information to establish a VPN connection through the Internet to headquarters. Figure 1 Application: Telecommuters
  • Page 40: LAN Network Protection

    ZyWALLs on the LAN. Figure 2 Application: LAN Network Protection 1.2 ZyWALL Hardware Connections Refer to the Quick Start Guide for information on hardware connection and basic setup. 1.3 LEDs The following figure shows the LEDs.
  • Page 41: Figure 3 Front Panel: LEDs

    Green: The ZyWALL has a successful 10Mbps LAN connection. Blinking: The 10M LAN is sending or receiving packets. Amber: The ZyWALL has a successful 100Mbps LAN connection. Blinking: The 100M LAN is sending or receiving packets.
  • Page 42 Chapter 1 Getting to Know Your ZyWALL
  • Page 43: Introducing the Web Configurator

    Section 23.3 on page 365 for details). 4 A login screen displays. Type the password ("1234" is the default) and click Login. In some versions, the default password appears automatically - if this is the case, click
  • Page 44: Figure 4 Web Configurator: Login Screen

    6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
  • Page 45: Web Configurator Overview

    Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you. 2.3 Web Configurator Overview The following sections introduce the layout and navigation of the web configurator screens. Figure 7 HOME Screen
  • Page 46: Title Bar

    The following table lists the features available for each device mode. Table 3 Device Mode Features Comparison (columns: FEATURE, ROUTER MODE, ZERO CONFIGURATION MODE, BRIDGE MODE; rows: Internet Access Wizard, VPN Wizard, DHCP Table, System Statistics, Registration, LAN IP Alias, LAN MAC Filter, Bridge Firewall)
  • Page 47: Table 4 Screens Summary

    Use this screen to change the bridge settings on the ZyWALL. Route: This screen allows you to configure route priority. Use this screen to configure the WAN port for internet access. DDNS: Use this screen to set up dynamic DNS. SECURITY
  • Page 48 AUTH SERVER: Local User Database: Use this screen to configure the local user account(s) on the ZyWALL to authenticate VPN users. RADIUS: Configure this screen to use an external server to authenticate VPN users. ADVANCED
  • Page 49 Use this screen to collect and display statistics on the viruses that the ZyWALL has detected. LOGS: View Log: Use this screen to view the logs for the categories that you selected. Log Settings: Use this screen to change your ZyWALL’s log settings.
  • Page 50: HOME Screen: Router Mode

    Poll Interval(s): Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics. Refresh: Click this button to update the status screen statistics immediately.
  • Page 51 The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 52 This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets. Date/Time: This is the date and time the alert was recorded.
  • Page 53: HOME Screen: Bridge Mode

    ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL. You can use the firewall and VPN in bridge mode. Figure 9 Web Configurator HOME Screen in Bridge Mode
  • Page 54: Table 6 Web Configurator HOME Screen in Bridge Mode

    The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 55 View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets. Date/Time: This is the date and time the alert was recorded. Message: This is the reason for the alert. System Status
  • Page 56: Network Status: More

    RSTP Path Cost: This is the cost of transmitting a frame from the root bridge to the corresponding port. close: Click this link to collapse this screen. 2.3.7 Port Statistics Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable.
  • Page 57: DHCP Table Screen

    Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL’s DHCP server.
  • Page 58: VPN Status

    Click VPN in the HOME screen when the ZyWALL is set to router mode. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
  • Page 59: Figure 13 HOME > VPN Status

    Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics. Refresh: Click this button to update the screen’s statistics immediately.
  • Page 60 Chapter 2 Introducing the Web Configurator
  • Page 61: Wizard Setup

    The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 62: ISP Parameters

    IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
  • Page 63: Figure 16 ISP Parameters: PPPoE Encapsulation

    IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks. Figure 16 ISP Parameters: PPPoE Encapsulation
  • Page 64: Table 12 ISP Parameters: PPPoE Encapsulation

    Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
  • Page 65: Figure 17 ISP Parameters: PPTP Encapsulation

    Select Nailed-Up if you do not want the connection to time out. Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server. PPTP Configuration: My IP Address: Type the (static) IP address assigned to you by your ISP.
  • Page 66: Internet Access Wizard: Second Screen

    Click Next to go to the screen where you can register your ZyWALL and activate the free anti-virus and IDP trial applications. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup. Figure 18 Internet Access Wizard: Second Screen
  • Page 67: Internet Access Wizard: Registration

    It also shows which trial services are activated (if any). You can still select the unchecked trial service(s) to activate them after registration. Use the Registration > Service screen to update your service subscription status.
  • Page 68: Figure 20 Internet Access Wizard: Registration

    Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed. Check: Click this button to check with the myZyXEL.com database to verify that the user name you entered has not been used.
  • Page 69: Figure 22 Internet Access Wizard: Registration in Progress

    Figure 22 Internet Access Wizard: Registration in Progress This screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 23 Internet Access Wizard: Registration Failed
  • Page 70: Internet Access Wizard: Service Activation

    Click Next to save your changes back to the ZyWALL and activate the selected services. After you select the service and click Next, the following screen shows indicating the service registration is in progress. Wait for the registration progress to finish.
  • Page 71: Internet Access Wizard: Status

    Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 61) to open the VPN configuration wizard. The first screen displays as shown next.
  • Page 72: VPN Wizard Network Setting

    SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  • Page 73: Figure 29 VPN Wizard: Network Setting

    Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
  • Page 74: VPN Wizard IKE Tunnel Setting (IKE Phase 1)

    Click Next to continue. 3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 30 VPN Wizard: IKE Tunnel Setting
  • Page 75: Table 18 VPN Wizard: IKE Tunnel Setting

    VPN connection. Select this option if the remote IPSec router is not configured to authenticate VPN users or does not have the extended authentication function. Select None to not authenticate user(s) that request this VPN connection.
  • Page 76: VPN Wizard IPSec Setting (IKE Phase 2)

    (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP). IPSec Protocol: Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
  • Page 77: VPN Wizard Status Summary

    Click Back to return to the previous screen. Next: Click Next to continue. 3.7 VPN Wizard Status Summary This read-only screen shows the VPN settings. Use the summary table to check whether what you have configured is correct.
  • Page 78: Figure 32 VPN Wizard: VPN Status

    Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router. Network Policy Property: Active: This displays whether this VPN network policy is enabled or not. Name: This is the name of this VPN network policy. Network Policy Setting: Local Network
  • Page 79: VPN Wizard Setup Complete

    3.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.
  • Page 80: Figure 33 VPN Wizard Setup Complete

    Chapter 3 Wizard Setup Figure 33 VPN Wizard Setup Complete
  • Page 81: Tutorial

    Figure 34 Tutorial: VPN Networks Example This example uses the following settings. Table 21 Tutorial: Settings to Use (FIELD / ZYWALL A / ZYWALL B): Gateway Policy Property: Name (identifies the VPN rule): A-B_Gateways / A-B_Gateways. MyZyWALL (ZyWALL’s WAN IP address): 0.0.0.0 / 1.2.3.4
  • Page 82: Configure the VPN Rule on ZyWALL A

    • Name: enter “A-B_Gateways” to identify this VPN rule. • My ZyWALL: leave this set to “0.0.0.0” since ZyWALL A has a dynamically assigned IP address. • Remote Gateway Address: enter “1.2.3.4”, the WAN IP address of ZyWALL B.
  • Page 83: Figure 36 Tutorial: VPN Wizard: Gateway Setting

    • Remote Network: select Range IP and enter “10.0.0.2” and “10.0.0.64” to identify office network Y behind ZyWALL B. Figure 37 Tutorial: VPN Wizard: Network Setting 6 Enter the following security settings in this screen. • Pre-Shared Key: enter “MyPre-123!@#”. • Authenticated By: select None.
  • Page 84: Figure 38 Tutorial: VPN Wizard: IKE Tunnel Setting

    Figure 38 Tutorial: VPN Wizard: IKE Tunnel Setting 7 Leave the default settings in this screen. Figure 39 Tutorial: VPN Wizard: IPSec Setting 8 Check your settings in this read-only summary screen. Click Finish when you are done.
  • Page 85: Configure the VPN Rule on ZyWALL B

    VPN rule on ZyWALL B. Figure 41 Tutorial: VPN Wizard Setup Complete 4.1.2 Configure the VPN Rule on ZyWALL B This section has you use the VPN wizard to configure the VPN rule on ZyWALL B.
  • Page 86: Figure 42 Tutorial: VPN Wizard: Gateway Setting

    • Local Network: select Range IP and enter “10.0.0.2” and “10.0.0.64” to identify office network Y behind ZyWALL B. • Remote Network: Leave this field set to Single and “0.0.0.0” because ZyWALL A has a dynamic WAN IP address.
  • Page 87: Testing Your VPN Configuration

    The following figure shows the screen in ZyWALL A followed by the screen in ZyWALL B. The information that identifies ZyWALL A and network X is circled in red. The information that identifies ZyWALL B and network Y is circled in yellow.
  • Page 88: Figure 45 Tutorial: VPN Summary Screens Comparison Example

    Figure 45 Tutorial: VPN Summary Screens Comparison Example If these are already configured properly, click the edit icons and use the edit screens to see the details. Here is an example of ZyWALL A and B gateway policy edit screens.
  • Page 89: Figure 46 Tutorial: VPN Gateway Policy Edit Screens Comparison Example

    Chapter 4 Tutorial Figure 46 Tutorial: VPN Gateway Policy Edit Screens Comparison Example
  • Page 90: Figure 47 Tutorial: VPN Network Policy Edit Screens Comparison Example

    Here is an example of ZyWALL A and B network policy edit screens. Figure 47 Tutorial: VPN Network Policy Edit Screens Comparison Example
  • Page 91: Security Settings for VPN Traffic

    VPN tunnel. For example, you can use IDP to protect your LAN from intrusions that might come in through any of the VPN tunnels or interfaces.
  • Page 92: IDP for To VPN Traffic Example

    You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can use IDP to protect the remote networks from intrusions that might come through your ZyWALL’s VPN tunnel.
  • Page 93: Firewall Rule for VPN Example

    LAN FTP server through a VPN tunnel. Now, if you don’t want other services like chat or e-mail going to the FTP server, you can configure firewall rules that allow only FTP traffic to come from the VPN tunnel to the FTP server.
  • Page 94: Configuring the VPN Rule

    1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon. Figure 54 Tutorial: SECURITY > VPN > VPN Rules (IKE) 2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
  • Page 95: Figure 55 Tutorial: SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy

    Figure 55 Tutorial: SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy 3 Click the Add Network Policy icon.
  • Page 96: Figure 56 Tutorial: SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example

    VPN network policy. • The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers.
  • Page 97: Figure 57 Tutorial: SECURITY > VPN > VPN Rules (IKE) > Add Network Policy

    Figure 57 Tutorial: SECURITY > VPN > VPN Rules (IKE) > Add Network Policy
  • Page 98: Configuring the Firewall Rules

    Figure 58 Tutorial: SECURITY > FIREWALL > Rule Summary 3 Configure the rule as follows and click Apply. The source addresses are the VPN rule’s remote network and the destination address is the LAN FTP server.
  • Page 99: Figure 59 Tutorial: SECURITY > FIREWALL > Rule Summary > Edit: Allow

    Figure 59 Tutorial: SECURITY > FIREWALL > Rule Summary > Edit: Allow 4 The rule displays in the summary list of VPN to LAN firewall rules.
  • Page 100: Figure 60 Tutorial: SECURITY > FIREWALL > Rule Summary: Allow

    VPN access to the LAN. 1 Click SECURITY > FIREWALL > Default Rule. 2 Configure the screen as follows and click Apply. Figure 61 Tutorial: SECURITY > FIREWALL > Default Rule: Block From VPN To LAN
  • Page 101: Registration

    Chapter 5 Registration 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 102: Registration

    REGISTRATION in the navigation panel to open the screen as shown next. Figure 62 REGISTRATION If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status.
  • Page 103: Figure 63 Registration: Registered Device

    Select the check box to activate a trial. The trial period starts the day you activate the trial. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 104: Service

    If a standard service subscription runs out, you need to buy a new iCard (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the license key, registration status and expiration day).
  • Page 105: Network

    Network LAN Screens (107) Bridge Screens (119) WAN Screens (125)
  • Page 107: Lan Screens

    WAN screens to set up your WAN connection. The LAN and the WAN are two separate networks. The ZyWALL controls the traffic that goes between them. The following graphic gives an example. Figure 65 LAN and WAN ZyWALL P1 User’s Guide...
  • Page 108: Dhcp

    2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address ZyWALL P1 User’s Guide...
  • Page 109: Wins

    ZyWALL system features like VPN, DDNS and the time server. 2 Use the NETWORK > LAN screen to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN.
  • Page 110: Private Network

    Click NETWORK > LAN to open the LAN screen. Use this screen to configure the ZyWALL’s IP address and other LAN TCP/IP settings as well as the built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 111: Figure 67 Network > Lan

    When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
  • Page 112 LAN DHCP client when you select the DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured.
  • Page 113: Lan Static Dhcp

    Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.
  • Page 114: Lan Ip Alias

    When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). Make sure that the subnets of the logical networks do not overlap. The following figure shows a LAN divided into subnets A, B, and C.
  • Page 115: Figure 69 Physical Network And Partitioned Logical Networks

    Alternatively, click the right mouse button to copy and/or paste the IP address. IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
  • Page 116: Mac Filter

    00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen. To change your ZyWALL’s MAC filter settings, click NETWORK > LAN > MAC Filter. The screen appears as shown.
  • Page 117: Figure 71 Network > Lan > Mac Address Filter

    MAC Address Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the devices that are allowed or denied access to the ZyWALL in these address fields. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 119: Bridge Screens

    To prevent bridge loops, ensure that your ZyWALL is not set to bridge mode while connected to two wired segments of the same LAN, or enable RSTP in the Bridge screen. This chapter introduces the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP).
  • Page 120: Spanning Tree Protocol (Stp)

    For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.
  • Page 121: How Stp Works

    You do not need to change the configuration of your existing network. You can use the firewall and VPN in bridge mode. Click NETWORK > BRIDGE to display the screen shown next. Use this screen to configure bridge and RSTP (Rapid Spanning Tree Protocol) settings.
  • Page 122: Figure 73 Network > Bridge

    ZyWALL. Make sure the IP address does not conflict with any other device on the network. IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Gateway IP Address Enter the gateway IP address.
  • Page 123 1 (Lowest) ~ 65535 (Highest) Enter a number between 1 and 65535 as the RSTP path cost for the corresponding port. 65535 is the highest. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 125: Wan Screens

    • Use the DDNS screen to configure your traffic redirect properties and parameters. 8.2 WAN Route Click NETWORK > WAN to open the Route screen. Use this screen to configure the priorities of the ZyWALL’s routes and settings for Windows Networking traffic. Figure 74 NETWORK > WAN (Route)
  • Page 126: Wan Ip Address Assignment

    ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
  • Page 127: Dns Server Address Assignment

    Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 128: Wan Ethernet Encapsulation

    (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type. User Name Type the user name given to you by your ISP. Password Type the password associated with the user name above.
  • Page 129 RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, the RIP Version field is set to RIP-1.
  • Page 130: Pppoe Encapsulation

    LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LAN’s computers will have access. The screen shown next is for PPPoE encapsulation.
  • Page 131: Figure 76 Network > Wan > Wan (Pppoe Encapsulation)

    Type the user name given to you by your ISP. Password Type the password associated with the user name above. Retype to Confirm Type your password again to make sure that you have entered it correctly.
  • Page 132 Enable Multicast Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
  • Page 133: Pptp Encapsulation

    Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.
  • Page 134: Figure 77 Network > Wan > Wan (Pptp Encapsulation)

    Type the user name given to you by your ISP. Password Type the password associated with the user name above. Retype to Confirm Type your password again to make sure that you have entered it correctly.
  • Page 135 When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
  • Page 136: Dynamic Dns

    First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.
  • Page 137: Dyndns Wildcard

    If you have a private WAN IP address, then you cannot use Dynamic DNS. 8.8 Configuring Dynamic DNS To change your ZyWALL’s DDNS, click NETWORK > WAN > DDNS. The screen appears as shown. Figure 78 NETWORK > WAN > DDNS
  • Page 138 Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 139: Security

    Security Firewall (141) Intrusion Detection and Prevention (IDP) (171) Configuring IDP (175) Anti-Virus (189) IPSec VPN (201) Certificates (239) Authentication Server (265)
  • Page 141: Firewall

    ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
  • Page 142: Packet Direction Matrix

    By default, the ZyWALL silently blocks traffic from the WAN from going to the LAN interfaces. The field where the From WAN row and the To LAN column intersect is set to Drop as shown.
  • Page 143: Packet Direction Examples

    ZyWALL. • LAN to WAN These rules specify which computers on the LAN can access which computers or services connected to the WAN. See Section 9.5 on page for an example.
  • Page 144: To Vpn Packet Direction

    LAN and going out through the ZyWALL’s VPN tunnel. For example, you could configure the From LAN To VPN firewall rule to drop traffic from the LAN computers instead of sending it through the ZyWALL’s VPN tunnel.
  • Page 145: From Vpn Packet Direction

    For example, by default the firewall allows traffic from the VPN tunnel to go to any of the ZyWALL’s interfaces and the ZyWALL itself. You could edit the From VPN To LAN default firewall rule to silently block traffic from the VPN tunnels from going to the LAN computers.
  • Page 146: From Vpn To Vpn Packet Direction

    In the following example, the From VPN To VPN default firewall rule silently blocks the traffic that the ZyWALL receives from the VPN tunnel (A) that is destined for the ZyWALL itself. VPN traffic destined for the LAN is allowed through.
  • Page 147: Security Considerations

    9.4 Security Considerations Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.
  • Page 148: Firewall Rules Example

    Allow • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
  • Page 149: Figure 89 Limited Lan To Wan Irc Traffic Example

    The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic. If the rule that blocks all LAN to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules.
  • Page 150: Asymmetrical Routes

    Figure 90 Using IP Alias to Solve the Triangle Route Problem 9.7 Firewall Default Rule (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode.
  • Page 151: Figure 91 Security > Firewall > Default Rule (Router Mode)

    LAN without passing through the ZyWALL. A better solution is to use IP alias to put the ZyWALL and the backup gateway on separate subnets. See Section 9.6.1 on page 150 for an example.
  • Page 152: Firewall Default Rule (Bridge Mode)

    Click Reset to begin configuring this screen afresh. 9.8 Firewall Default Rule (Bridge Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode.
  • Page 153: Figure 92 Security > Firewall > Default Rule (Bridge Mode)

    Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets. Select this to create a log when the above action is taken.
  • Page 154: Firewall Rule Summary

    WAN. • Enable the default WAN to LAN firewall rule for the NetBIOS service to let computers behind the ZyWALL access devices on the WAN using computer names. Figure 93 SECURITY > FIREWALL > Rule Summary
  • Page 155: Table 41 Security > Firewall > Rule Summary

    Type a rule’s index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.
  • Page 156: Firewall Edit Rule

    7. 2 Click Insert to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels.
  • Page 157: Figure 94 Security > Firewall > Rule Summary > Edit

    Figure 94 SECURITY > FIREWALL > Rule Summary > Edit
  • Page 158: Table 42 Security > Firewall > Rule Summary > Edit

    (No). Go to the Log Settings page and select the Access Control logs category to have the ZyWALL record these logs. Send Alert Message to Administrator When Matched Select the check box to have the ZyWALL generate an alert when the rule is matched.
  • Page 159: Anti-Probing

    ZyWALL hidden from probing attempts. You can specify which of the ZyWALL’s interfaces will respond to Ping requests and whether or not the ZyWALL is to respond to probing for unused ports. Figure 95 SECURITY > FIREWALL > Anti-Probing
  • Page 160: Firewall Thresholds

    ACK (acknowledgment). After this handshake, a connection is established. Figure 96 Three-Way Handshake For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack.
  • Page 161: Threshold Values

    9.12 Threshold Screen Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections. Figure 97 SECURITY > FIREWALL > Threshold
  • Page 162: Table 44 Security > Firewall > Threshold

    Deny new connection requests for the number of minutes that you specify (between 1 and 256). Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 163: Service

    9.13 Service Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL.
  • Page 164: Figure 98 Security > Firewall > Service

    Figure 98 SECURITY > FIREWALL > Service
  • Page 165: Firewall Edit Custom Service

    Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix E on page 449 for a list of commonly used services and port numbers. Figure 99 Firewall Edit Custom Service
  • Page 166: My Service Firewall Rule Example

    The following Internet firewall rule example allows a hypothetical My Service connection from the Internet. 1 In the Service screen, click Add to open the Edit Custom Service screen. Figure 100 My Service Firewall Rule Example: Service 2 Configure it as follows and click Apply.
  • Page 167: Figure 101 My Service Firewall Rule Example: Edit Custom Service

    Figure 102 My Service Firewall Rule Example: Rule Summary 6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete. 8 Configure the destination address fields as follows and click Add.
  • Page 168: Figure 103 My Service Firewall Rule Example: Rule Edit

    9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
  • Page 169: Figure 104 My Service Firewall Rule Example: Rule Configuration

    Figure 104 My Service Firewall Rule Example: Rule Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 170: Figure 105 My Service Firewall Rule Example: Rule Summary

    Figure 105 My Service Firewall Rule Example: Rule Summary
  • Page 171: Intrusion Detection And Prevention (Idp)

    Firewalls are usually deployed at the network edge. However, many attacks (inadvertently) are launched from within an organization. Virtual private networks (VPN), removable storage devices and wireless networks may all provide access to the internal network without going through the firewall.
  • Page 172: Ids And Idp

    If a malicious packet is detected, an action is taken. The remaining packets that make up that particular TCP session are also discarded. 10.6 Example Intrusions The following are some examples of intrusions.
  • Page 173: Sql Slammer Worm

    In addition, the backdoor can download and execute arbitrary files. Systems affected are Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003.
  • Page 174: Zywall Idp

    See Section 11.2 on page 175 for more information on how to apply IDP to ZyWALL interfaces. IDP is regularly updated by the ZyXEL Security Response Team (ZSRT). Regular updates are vital as new intrusions evolve.
  • Page 175: Configuring Idp

    Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Click SECURITY > IDP from the navigation panel. General is the first screen as shown in the following figure.
  • Page 176: Figure 108 Security > Idp > General

    For example, if you want to protect the LAN computers from intrusions, select the LAN interface. Apply Click this button to save your changes back to the ZyWALL. Reset Click this button to begin configuring this screen afresh.
  • Page 177: Idp Signatures

    After a target has been found, a vulnerability scanner can be used to exploit exposures. Trojan Horse A Trojan horse is a harmful program that’s hidden inside apparently harmless programs or data. It could be used to steal information or remotely control a device.
  • Page 178: Intrusion Severity

    The following figure and table describe these actions. Note that in addition to these actions, a log may be generated or an alert sent, if those check boxes are selected and the signature is enabled.
  • Page 179: Configuring Idp Signatures

    You can take actions on these signatures as described in Section 11.3.3 on page 178. To revert to the default actions or to save sets of actions, go to the Backup & Restore screen. Figure 111 SECURITY > IDP > Signature: Group View
  • Page 180: Table 51 Security > Idp > Signature: Group View

    You can change the default signature action here. See Table 50 on page 179 for more details on actions. Apply Click this button to save your changes back to the ZyWALL. Reset Click this button to begin configuring this screen afresh.
  • Page 181: Query View

    Table 48 on page 177). Attack types are known as policy types in the group view screen. Platform Search for signatures created to prevent intrusions targeting specific operating system(s). Active Search for enabled and/or disabled signatures here.
  • Page 182 If you edited any of the check boxes in this column on the current page, use the check box in the heading row to switch between the settings (last partial edited, all selected and all cleared).
  • Page 183 Go to Page list box to view other pages of signatures found in the search. 5 If you change the Active, Log, Alert and/or Action signature fields in the signatures found, then click Apply to save the changes to the ZyWALL.
  • Page 184: Figure 113 Security > Idp > Signature: Query By Partial Name

    Figure 113 SECURITY > IDP > Signature: Query by Partial Name Figure 114 SECURITY > IDP > Signature: Query by Complete ID 11.3.5.2 Query Example 2 1 From the “group view” signature screen, click the Switch to query view link. 2 Select Signature Search By Attributes.
  • Page 185: Update

    Figure 115 Signature Query by Attribute. 11.4 Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.
  • Page 186: Configuring Idp Update

    Click the intrusion ID hyperlink to go directly to information on that signature or enter https://mysecurity.zyxel.com/mysecurity/ as the URL in your web browser. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/. You can use your myZyXEL.com username and password to log into mySecurityZone.
  • Page 187: Table 53 Security > Idp > Update

    Version This field displays the signature version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures. This number increments as new signatures are added, so you should refer to this number regularly.
  • Page 188: Backup And Restore

    • Restore previously saved IDP signatures (with your custom configured settings). Click Restore and choose the path and location where the previously saved file resides on your computer. • Revert to the original ZSRT-defined signature Active, Log, Alert and/or Action settings. Click Reset.
  • Page 189: Anti-Virus

    1 A computer gets a copy of a virus from a source such as the Internet, e-mail, file sharing or any removable storage media. The virus is harmless until the execution of an infected program. 2 The virus spreads to other files and programs on the computer.
  • Page 190: Types Of Anti-Virus Scanner

    • HTTP (Hyper Text Transfer Protocol) • SMTP (Simple Mail Transfer Protocol) • POP3 (Post Office Protocol version 3) 12.2.1 How the ZyWALL Anti-Virus Scanner Works The ZyWALL checks traffic going to the interface(s) you specify for signature matches.
  • Page 191: Notes About The Zywall Anti-Virus

    • ZIP file(s) within a ZIP file. 12.3 General Anti-Virus Setup Click SECURITY > ANTI-VIRUS to display the configuration screen as shown next. For Windows 98/Me, refer to Appendix F on page 453 for requirements.
  • Page 192: Figure 119 Security > Anti-Virus > General

    This field displays the service names and standard port numbers that identify them. Select a service to display and configure anti-virus settings for it. Active Select Active to enable the anti-virus scanner for the selected service.
  • Page 193: Signature Searching

    Click Apply to save your changes. Reset Click Reset to start configuring this screen again. 12.4 Signature Searching Click SECURITY > ANTI-VIRUS > Signature to display this screen. Use this screen to locate signatures and manage how the ZyWALL uses them.
  • Page 194: Figure 120 Security > Anti-Virus > Signature: Query View

    Click this button to begin the search. The results display in the table at the bottom of the screen. Results may be spread over several pages depending on how broad the search criteria selected were. The tighter the criteria selected, the fewer the (relevant) signatures returned.
  • Page 195: Signature Search Example

    12.4.1 Signature Search Example This example shows a search for signatures that are enabled, set to generate logs and alerts, send Windows messages and destroy the infected portion of the file. Figure 121 Query Example Search Criteria
  • Page 196: Figure 122 Query Example Search Results

    Figure 122 Query Example Search Results
  • Page 197: Signature Update

    12.5 Signature Update The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.
  • Page 198: Figure 123 Security > Anti-Virus > Update

    Version This field displays the signature version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures. This number increments as new signatures are added, so you should refer to this number regularly.
  • Page 199: Backup And Restore

    Click ANTI-VIRUS > Backup & Restore. The screen displays as shown next. You can change the pre-defined Active, Log, Alert, Send Windows Message and/or Destroy File settings of individual signatures. Figure 124 SECURITY > ANTI-VIRUS > Backup and Restore Use the Backup & Restore screen to:
  • Page 200 Click Restore and choose the path and location where the previously saved file resides on your computer. • Revert to the original ZSRT-defined signature Active, Log, Alert, Send Windows Message and/or Destroy File settings. Click Reset.
  • Page 201: Ipsec Vpn

    The following figure provides one perspective of a VPN tunnel. Figure 125 VPN: Example The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).
  • Page 202: Ike Sa Overview

    13.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router In the ZyWALL, you have to specify the IP addresses of the ZyWALL and the remote IPSec router to establish an IKE SA.
  • Page 203: Vpn Rules (Ike)

    • A network policy contains the IPSec SA settings. It specifies which devices (behind the IPSec routers) can use the VPN tunnel. Figure 127 Gateway and Network Policies This figure helps explain the main fields in the VPN setup. Figure 128 IPSec Fields Summary
  • Page 204: Figure 129 Security > Vpn > Vpn Rules (Ike)

    The ZyWALL’s IP address displays in bridge mode. Remote Gateway This represents the remote secure gateway. The IP address, domain name or dynamic domain name of the remote IPSec router displays if you specify it; otherwise Dynamic displays.
  • Page 205: Ike Sa Setup

    Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated below. Figure 130 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
  • Page 206: Figure 131 Ike Sa: Main Negotiation Mode, Steps 3 - 4: Dh Key Exchange

    In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. Their identities are encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps.
  • Page 207: Figure 132 Ike Sa: Main Negotiation Mode, Steps 5 - 6: Authentication

    ZyWALL: Local ID type: E-mail; Local ID content: tom@yourcompany.com; Peer ID type: IP; Peer ID content: 1.1.1.2. Remote IPSec router: Local ID type: IP; Local ID content: 1.1.1.2; Peer ID type: E-mail; Peer ID content: tom@yourcompany.com.
  • Page 208: Table 59 Vpn Example: Mismatching Id Type And Content

    You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or you can set up the ZyWALL to check a user name and password that is provided by the remote IPSec router.
  • Page 209: Figure 133 Vpn/Nat Example

    VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Section 13.6.3 on page 221 for more information about active protocols.)
  • Page 210: Additional Ipsec Vpn Topics

    IPSec connections. All users of a dynamic rule have the same pre-shared key. You may need to change the pre-shared key if one of the users leaves. See the support notes at http://www.zyxel.com for configuration examples for software VPN clients.
  • Page 211: Ipsec High Availability

    • Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections. • Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0).
  • Page 212: Encryption And Authentication Algorithms

    Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
  • Page 213: Figure 135 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    Figure 135 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
  • Page 214: Table 60 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    WAN IP address or domain name (you cannot set either to 0.0.0.0). Redundant Remote Gateway Type the WAN IP address or the domain name (up to 31 characters) of the backup IPSec router to use when the ZyWALL cannot connect to the primary remote gateway.
  • Page 215 ZyWALL in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
  • Page 216 5. Regardless of how you configure the ID Type and Content fields, two active IPSec SAs cannot have both the local and remote IP address ranges overlap between rules. Extended Authentication Enable Extended Authentication Select this check box to activate extended authentication.
  • Page 217 It may range from 180 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
  • Page 218: Ipsec Sa Overview

    In an IPSec SA, the local network consists of devices connected to the ZyWALL and may be called the local policy. Similarly, the remote network consists of the devices connected to the remote IPSec router and may be called the remote policy.
  • Page 219: Virtual Address Mapping

    Figure 136 Local and Remote Network IP Address Overlap 13.6.2 Virtual Address Mapping Virtual address mapping (NAT over IPSec) changes the source IP addresses of packets from your local devices to virtual IP addresses before sending them through the VPN tunnel.
  • Page 220: Figure 137 Virtual Mapping Of Local And Remote Network Ip Addresses

    Since your ZyWALL is portable, it may get (or you may need to configure) different WAN interface settings in different locations. In zero configuration mode, the ZyWALL automatically overwrites IPSec virtual address mapping settings and IPSec port forwarding rules (see Section 13.8 on page 228) in order to avoid network conflicts.
  • Page 221: Active Protocol

    Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
  • Page 222: Ipsec Sa Proposal And Perfect Forward Secrecy

    If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
  • Page 223: Vpn Rules (Ike): Network Policy Edit

    VPN-Network Policy -Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
  • Page 224: Figure 140 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    Figure 140 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
  • Page 225: Table 61 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    IP addresses. Virtual address mapping (NAT over IPSec) translates the source IP addresses of computers on your local network to other (virtual) IP addresses before sending the packets to the remote IPSec router. This translation hides the source IP addresses of computers in the local network.
  • Page 226 Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL.
  • Page 227 Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
  • Page 228: Vpn Rules (Ike): Network Policy Edit: Port Forwarding

    Use this screen to configure port forwarding for your VPN tunnels to let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address on the LAN.
  • Page 229: Figure 141 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy > Port Forwarding

    Type your server IP address in this field. Apply Click this button to save these settings. Reset Click this button to begin configuring this screen afresh. Cancel Click this button to return to the VPN-Network Policy -Edit screen without saving your changes.
  • Page 230: Vpn Rules (Ike): Network Policy Move

    When there is a network policy in Recycle Bin, the Recycle Bin gateway policy automatically displays in the VPN Rules (IKE) screen. Apply Click Apply to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen.
  • Page 231: Dialing The Vpn Tunnel Via Web Configurator

    VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. Figure 143 VPN Rule Configured The following screen displays. Figure 144 VPN Dial This screen displays later if the IPSec routers can build the VPN tunnel. Figure 145 VPN Tunnel Established
  • Page 232: Ipsec Debug

    13.11 IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (in the commands). If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
  • Page 233: Vpn Sa Monitor

    In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections.
  • Page 234: Vpn Global Setting

    Click SECURITY > VPN > Global Setting to open the VPN Global Setting screen. Use this screen to change settings that apply to all of your VPN tunnels. Figure 148 SECURITY > VPN > Global Setting
  • Page 235: Table 65 Security > Vpn > Global Setting

    If a VPN rule’s local and remote network settings are both set to 0.0.0.0 (any), no traffic goes through the VPN tunnel if you select this check box. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 236: Telecommuter Vpn/Ipsec Examples

    13.14.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).
  • Page 237: Figure 150 Telecommuters Using Unique Vpn Rules Example

    Peer ID Content: bob@bigcompanyhq.com Telecommuter A (telecommutera.dydns.org) Headquarters ZyWALL Rule 1: Local ID Type: IP Peer ID Type: IP Local ID Content: 192.168.2.12 Peer ID Content: 192.168.2.12 Local IP Address: 192.168.2.12 Remote Gateway Address: telecommutera.dydns.org Remote Address: 192.168.2.12
  • Page 238: Vpn And Remote Management

    192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface. Figure 151 VPN for Remote Management Example
  • Page 239: Certificates

    A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked.
  • Page 240: Advantages Of Certificates

    2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 152 Certificates on Your Computer 3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 241: Configuration Summary

    Use the Trusted Remote Hosts screens to import self-signed certificates from trusted remote hosts. Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
  • Page 242: My Certificates

    Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address.
  • Page 243: My Certificate Details

    You can use this screen to view in-depth certificate information and change the certificate’s name. If it is a self-signed certificate, you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates.
  • Page 244: Figure 156 Security > Certificates > My Certificates > Details

    certificates. This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates.
  • Page 245 Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. MD5 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm.
  • Page 246: My Certificate Export

    The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL.
  • Page 247: My Certificate Import

    • You must remove any spaces from the certificate’s filename before you can import it. 14.8.1 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats:
  • Page 248: Figure 158 Security > Certificates > My Certificates > Import

    Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload. Apply Click Apply to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the My Certificates screen.
  • Page 249: My Certificate Create

    Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
  • Page 250: Figure 160 Security > Certificates > My Certificates > Create

    ZyWALL drops trailing spaces. Organization Type up to 127 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 251 SCEP enrollment protocol. Type the key that the certification authority gave you. Apply Click Apply to begin certificate or certification request generation. Cancel Click Cancel to quit and return to the My Certificates screen.
  • Page 252: Trusted Cas

    When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate.
  • Page 253: Trusted Ca Details

    ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 254: Figure 162 Security > Certificates > Trusted Cas > Details

    Certificate Revocation List (CRL). Clear this check box to have the ZyWALL not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).
  • Page 255 This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path.
  • Page 256: Trusted Ca Import

    ZyWALL. The ZyWALL trusts any valid certificate signed by any of the imported trusted CA certificates. You must remove any spaces from the certificate’s filename before you can import the certificate.
  • Page 257: Trusted Remote Hosts

    You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.
  • Page 258: Figure 164 Security > Certificates > Trusted Remote Hosts

    Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL. Refresh Click this button to display the current validity status of the certificates.
  • Page 259: Trusted Remote Hosts Import

    Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload. Apply Click Apply to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the Trusted Remote Hosts screen.
  • Page 260: Trusted Remote Host Certificate Details

    Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name. Figure 166 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
  • Page 261: Table 79 Security > Certificates > Trusted Remote Hosts > Details

    This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path.
  • Page 262: Directory Servers

    Points field of the incoming certificate. If the certificate does not list a server or the listed server is not available, the ZyWALL checks the servers listed here. Figure 167 SECURITY > CERTIFICATES > Directory Servers
  • Page 263: Directory Server Add Or Edit

    Click Add (or the details icon) to open the Directory Server Add screen. Use this screen to configure information about a directory server that the ZyWALL can access. Figure 168 SECURITY > CERTIFICATES > Directory Server > Add
  • Page 264: Table 81 Security > Certificates > Directory Server > Add

    Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to quit configuring this screen and return to the Directory Servers screen. At the time of writing, LDAP is the only choice of directory server access protocol.
  • Page 265: Authentication Server

    RADIUS. 15.1.2.1 Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication: • Access-Request Sent by an access point requesting authentication. • Access-Reject
  • Page 266: Local User Database

    ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this screen to change your ZyWALL’s list of user profiles. Figure 169 SECURITY > AUTH SERVER > Local User Database
  • Page 267: Radius

    Enter the IP address of the external authentication server in dotted decimal notation. Port Number The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
  • Page 268 The key is not sent over the network. This key must be the same on the external accounting server and ZyWALL. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 269: Advanced

    Advanced Network Address Translation (NAT) (271) Static Route (287) Remote Management (291) UPnP (313) ALG Screen (323)
  • Page 271: Network Address Translation (Nat)

    This refers to the host on the WAN. Local This refers to the packet address (source or destination) as the packet travels on the LAN. Global This refers to the packet address (source or destination) as the packet travels on the WAN.
  • Page 272: What Nat Does

    Internet. The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this. Figure 171 How NAT Works
  • Page 273: Nat Application

    ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.
  • Page 274: Nat Mapping Types

    • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), ZyXEL's Single User Account feature (the SUA option). • Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Page 275: Using Nat

    IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA or Full Feature in NAT Overview. Selecting SUA means (latent) multiple WAN-to-LAN address translation. 16.3 NAT Overview Screen Click ADVANCED > NAT to open the NAT Overview screen.
  • Page 276: Figure 174 Advanced > Nat > Nat Overview

    The bar displays how many of the ZyWALL's possible address mapping rules are configured. The first number shows how many address mapping rules are configured on the ZyWALL. The second number shows the maximum number of address mapping rules that can be configured on the ZyWALL.
  • Page 277: Nat Address Mapping

    9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6.
  • Page 278: Figure 175 Advanced > Nat > Address Mapping

    One-to-One and Server mapping types. Global Start IP This refers to the Inside Global IP Address (IGA), that is the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
  • Page 279: Nat Address Mapping Edit

    One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
  • Page 280: Port Forwarding

    2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), ZyXEL's Single User Account feature. 3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
  • Page 281: Management Setup

    WAN IP address. When you use port translation with port forwarding, multiple servers on the local network can use the same port number and still be accessible to the outside world through a single WAN IP address.
  • Page 282: Port Forwarding Screen

    The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN encapsulation to Ethernet and the Service Type to something other than Standard.
  • Page 283: Figure 179 Advanced > Nat > Port Forwarding

    For a range of ports, you only need to enter the first number of the range to which you want the incoming ports translated; the ZyWALL automatically calculates the last port of the translated port range. Server IP Address: Enter the inside IP address of the server here.
  • Page 284: Port Triggering

    5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
  • Page 285: Figure 181 Advanced > Nat > Port Triggering

    End Port Type a port number or the ending port number in a range of port numbers. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 286 Chapter 16 Network Address Translation (NAT)
  • Page 287: Static Route

    The first static route entry is for the default WAN route. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
  • Page 288: Ip Static Route Edit

    17.2.1 IP Static Route Edit Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.
  • Page 289: Figure 184 Advanced > Static Route > Ip Static Route > Edit

    Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts. Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 290 Chapter 17 Static Route
  • Page 291: Remote Management

    You may only have one remote management session running at a time. The ZyWALL automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows. 1 SSH 2 Telnet
  • Page 292: Remote Management Limitations

    CA that is a trusted CA on the ZyWALL. Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s WS (web server).
  • Page 293: Www Configuration

    Figure 186 HTTPS Implementation If you disable the HTTP service in the REMOTE MGMT > WWW screen, then the ZyWALL blocks all HTTP connection attempts. 18.3 WWW Configuration Click ADVANCED > REMOTE MGMT to open the WWW screen.
  • Page 294: Figure 187 Advanced > Remote Mgmt > Www

    ZyWALL using this service. HTTP Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 295: Https Example

    When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 296: Avoiding The Browser Warning Messages

    ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate. • For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
  • Page 297: Login Screen

    After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the bottom right of the browser status bar denotes a secure connection. Figure 191 Example: Lock Denoting a Secure Connection Click Login and you then see the next screen.
  • Page 298: Figure 192 Replace Certificate

    Certificates screen. You will see information similar to that shown in the following figure. Figure 193 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen.
  • Page 299: Ssh

    A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 195 SSH Communication Over the WAN Example 18.6 How SSH Works The following table summarizes how a secure connection is established between two remote hosts.
  • Page 300: Ssh Implementation On The Zywall

    22. Only one SSH connection is allowed at a time. 18.7.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
  • Page 301: Configuring Ssh

    Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.
  • Page 302: Secure Telnet Using Ssh Examples

    22 on the ZyWALL (using the default IP address of 192.168.167.1). A message displays indicating the SSH protocol version supported by the ZyWALL. Figure 199 SSH Example 2: Test $ telnet 192.168.167.1 22 Trying 192.168.167.1... Connected to 192.168.167.1. Escape character is '^]'. SSH-1.5-1.0.0
  • Page 303: Secure Ftp Using Ssh Example

    Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.167.1' (RSA1) to the list of known hosts. Administrator@192.168.167.1's password: sftp> put firmware.bin ras Uploading firmware.bin to /ras Read from remote host 192.168.167.1: Connection reset by peer Connection closed
  • Page 304: Telnet

    Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.
  • Page 305: Telnet Login

    The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 203 ADVANCED > REMOTE MGMT > FTP
  • Page 306: Snmp

    ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1). The next figure illustrates an SNMP management operation. SNMP is only available if TCP/IP is configured.
  • Page 307: Supported Mibs

    • Trap - Used by the agent to inform the manager of some events. 18.15.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 308: Snmp Traps

    18.15.3 REMOTE MANAGEMENT: SNMP To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown. Figure 205 ADVANCED > REMOTE MGMT > SNMP
  • Page 309: Dns

    Use this screen to set from which IP address the ZyWALL will accept DNS queries and on which interface it can send them. This feature is not available when the ZyWALL is set to bridge mode.
  • Page 310: Introducing Vantage Cnm

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not configure the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
  • Page 311: Figure 207 Advanced > Remote Mgmt > Cnm

    Vantage CNM server. Refresh Click Refresh to update the registration status and last registration time. Vantage CNM Setup Enable Select this check box to allow Vantage CNM to manage your ZyWALL.
  • Page 312 Vantage CNM Server Address: If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP address of the Vantage server.
  • Page 313: Upnp

    The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 314: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 19.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).
  • Page 315: Displaying Upnp Port Mapping

    ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port. When this field displays an external IP address, the NAT rule has the ZyWALL forward inbound packets to the Internal Client from that IP address only.
  • Page 316: Installing Upnp In Windows Example

    Click Apply to save your changes back to the ZyWALL. Refresh Click Refresh to update the screen’s table. 19.4 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP.
  • Page 317: Installing Upnp In Windows Me

    3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. 4 Click OK to go back to the Add/Remove Programs Properties window and click Next. 5 Restart the computer when prompted.
  • Page 318: Installing Upnp In Windows Xp

    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
  • Page 319: Auto-Discover Your Upnp-Enabled Network Device

    2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 320: Web Configurator Easy Access

    19.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • Page 321 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
  • Page 322 Chapter 19 UPnP 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device. ZyWALL P1 User’s Guide...
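    The port mappings that UPnP creates automatically are real NAT rules on the WAN interface, and any host on the LAN can request one without authenticating, so an administrator should periodically list them and look at what they expose. The following is an added example, not code from the manual or from ZyXEL: it parses WANIPConnection GetGenericPortMappingEntry responses of the kind an Internet Gateway Device returns and flags the mappings a practitioner would question, using the manual's own rule that an empty remote host means the mapping accepts packets from any WAN source. The two SOAP responses are constructed for the example, the element names follow the UPnP IGD specification, and the LAN subnet and the list of administrative ports are assumptions.

```python
"""Parse and audit UPnP IGD port-mapping entries.

Added example, not ZyXEL code.  Element names follow the UPnP IGD
WANIPConnection:1 GetGenericPortMappingEntry action; the two responses
below are constructed for this example, and the LAN subnet and the
ADMIN_PORTS set are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

# Services an auditor would not expect to be reachable from the WAN (assumption).
ADMIN_PORTS = {22, 23, 445, 3389, 5900}


def _response(remote, ext, proto, internal, client, enabled, desc, lease):
    """Build a constructed GetGenericPortMappingEntryResponse envelope."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
     xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost>{remote}</NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{internal}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


# Constructed sample data: one mapping opened for Remote Desktop from anywhere,
# one SIP mapping restricted to a single remote host with a one-hour lease.
SAMPLE_RESPONSES = [
    _response("", 3389, "TCP", 3389, "192.168.167.40", 1, "Remote Desktop", 0),
    _response("203.0.113.7", 5060, "UDP", 5060, "192.168.167.50", 1, "SIP phone", 3600),
]


def parse_mapping(xml_text):
    """Return one mapping as a dict; raise if a required element is missing."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]      # strip the XML namespace
        if local in FIELDS:
            found[local] = (el.text or "").strip()
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"incomplete mapping entry, missing {missing}")
    return {
        "remote_host": found["NewRemoteHost"] or None,   # empty = any WAN source
        "external_port": int(found["NewExternalPort"]),
        "protocol": found["NewProtocol"].upper(),
        "internal_port": int(found["NewInternalPort"]),
        "internal_client": found["NewInternalClient"],
        "enabled": found["NewEnabled"] == "1",
        "description": found["NewPortMappingDescription"],
        "lease_seconds": int(found["NewLeaseDuration"]),
    }


def audit_mapping(m, lan_net="192.168.167.0/24"):
    """Return the reasons a mapping deserves a second look (empty list = none)."""
    if not m["enabled"]:
        return []
    findings = []
    if ipaddress.ip_address(m["internal_client"]) not in ipaddress.ip_network(lan_net):
        findings.append("internal client is outside the LAN subnet")
    if m["remote_host"] is None:
        findings.append("accepts connections from any WAN source")
    if m["internal_port"] in ADMIN_PORTS:
        findings.append(f"exposes an administrative service on port {m['internal_port']}")
    if m["lease_seconds"] == 0:
        findings.append("permanent lease (never expires)")
    return findings


def audit_all(responses, lan_net="192.168.167.0/24"):
    """Parse every response; return [(external_port, internal_client, findings)]."""
    report = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        report.append((m["external_port"], m["internal_client"], audit_mapping(m, lan_net)))
    return report


if __name__ == "__main__":
    for ext_port, client, findings in audit_all(SAMPLE_RESPONSES):
        print(ext_port, "->", client, "; ".join(findings) or "ok")
```

    On a live gateway the responses come from POSTing GetGenericPortMappingEntry with an increasing NewPortMappingIndex to the WANIPConnection control URL until the device answers with an error; that transport step is not part of the example.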
  • Page 323: ALG Screen
    ZyWALL determines from its inspection of the data payload of the application's packets. The firewall rule is automatically deleted after the application's traffic has gone through.
  • Page 324: FTP
    • You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 210 H.323 ALG Example
  • Page 325: Figure 211 H.323 with Multiple WAN IP Addresses
    Internet, LAN IP addresses B and C can still make calls out to the Internet. Figure 212 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections.
  • Page 326: SIP
    20.5.3 SIP Signaling Session Timeout Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
  • Page 327: SIP Audio Session Timeout
    ZyWALL SIP timeout (default 60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period. Enter the SIP signaling session timeout value. Apply: click Apply to save your changes back to the ZyWALL. Reset: click Reset to begin configuring this screen afresh.
  • Page 329: Reports, Logs and Maintenance
    Reports, Logs and Maintenance Reports (331) Logs (341) Maintenance (365)
  • Page 331: Reports
    The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, so the web hit count is not (yet) 100% accurate.
  • Page 332: Figure 215 Reports > System Reports
    IP addresses. Refresh: click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen. Flush: click Flush to discard the old report data and update the report display.
  • Page 333: Viewing Web Site Hits
    ZyWALL counts each page viewed in a web site as another hit on the web site. Hits: this column lists how many times each web site has been visited. The count starts over at 0 if a web site passes the hit count limit (see Table 108 on page 336).
  • Page 334: Viewing Host IP Address
    LAN IP address. The count starts over at 0 if the total traffic sent to and from a LAN IP address passes the bytes count limit (see Table 108 on page 336).
  • Page 335: Viewing Protocol/Port
    The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 108 on page 336).
  • Page 336: System Reports Specifications
    0 if it passes 2 bytes. 21.3 IDP Threat Reports Screen Click REPORTS > THREAT REPORTS to display the Threat Reports IDP screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 219 REPORTS > THREAT REPORTS > IDP
  • Page 337: Table 109 Reports > Threat Reports > IDP
    ZyWALL may have collected while you had the screen open. The report also refreshes automatically when you close and reopen the screen. Flush: click Flush to discard the report data and restart collecting statistics. The statistics display as follows when you display the top entries by source.
  • Page 338: Anti-Virus Threat Reports Screen
    Figure 221 REPORTS > THREAT REPORTS > IDP > Destination 21.4 Anti-Virus Threat Reports Screen Click REPORTS > THREAT REPORTS > Anti-Virus to display the Threat Reports Anti-Virus screen. This screen displays anti-virus statistics. Figure 222 REPORTS > THREAT REPORTS > Anti-Virus
  • Page 339: Figure 223 Reports > Threat Reports > Anti-Virus > Source
    The statistics display as follows when you display the top entries by source. Figure 223 REPORTS > THREAT REPORTS > Anti-Virus > Source The statistics display as follows when you display the top entries by destination.
  • Page 340: Figure 224 Reports > Threat Reports > Anti-Virus > Destination
    Figure 224 REPORTS > THREAT REPORTS > Anti-Virus > Destination
  • Page 341: Logs
    Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Log Settings, see Section 22.3 on page 343). Refresh: click Refresh to renew the log screen.
  • Page 342: Log Description Example
    CA, the ZyWALL will not trust the certificate from myZyXEL.com and the update server. The ZyWALL will generate a log like "Due to error code(11), cert not trusted: SSL/TLS peer certif..." every time it attempts to establish an (HTTPS) connection with myZyXEL.com and
  • Page 343: Configuring Log Settings
    Figure 226 myZyXEL.com: Download Center 3 Click the link in the Certificate Download screen. Figure 227 myZyXEL.com: Certificate Download 22.3 Configuring Log Settings To change your ZyWALL's log settings, click LOGS > Log Settings. The screen appears as shown.
  • Page 344
    Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.
  • Page 345: Figure 228 Logs > Log Settings
    Figure 228 LOGS > Log Settings
  • Page 346: Table 113 Logs > Log Settings
    Refer to the documentation of your syslog program for more details. Active Log and Alert: select the categories of logs that you want to record. Logs include alerts.
  • Page 347: Log Descriptions
    "Time initialized by Daytime Server": (continued from the previous page)
    "Time initialized by Time server": The router got the time and date from the time server.
    "Time initialized by NTP server": The router got the time and date from the NTP server.
  • Page 348: Table 115 System Error Logs
    "setNetBIOSFilter: calloc error": The router failed to allocate memory for the NetBIOS filter settings.
    "readNetBIOSFilter: calloc error": The router failed to allocate memory for the NetBIOS filter settings.
    "WAN connection is down.": A WAN connection is down. You cannot access the network through this interface.
  • Page 349: Table 116 Access Control Logs
    "Peer TCP state out of order, sent TCP RST": The router sent a TCP reset packet when a TCP connection state was out of order. Note: the firewall refers to RFC 793 Figure 6 to check the TCP state.
  • Page 350: Table 118 Packet Filter Logs
    "Unsupported/out-of-order ICMP: ICMP": The firewall does not support this kind of ICMP packet, or the ICMP packets are out of order.
    "Router reply ICMP packet: ICMP": The router sent an ICMP reply packet to the sender.
  • Page 351: Table 120 CDR Logs
    (continued) "ICMP (type:%d, code:%d)"
    "land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]": The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
    "land ICMP (type:%d, code:%d)": The firewall detected an ICMP land attack.
  • Page 352
    (continued) IP address. It may be a bounce attack.
    "Fragment packet size is smaller than the MTU size of output interface.": The fragment packet size is smaller than the MTU size of the output interface.
  • Page 353: Table 124 Remote Management Logs
    (continued) "0.0.0.0" when the WAN IP address changed.
    "Inbound packet decryption failed": Please check the algorithm configuration.
    "Cannot find outbound SA for rule <%d>": A packet matches a rule, but there is no phase 2 SA for outbound traffic.
  • Page 354: Table 127 IKE Logs
    "Send <packet>": A packet was sent. IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads. All of them show in the log. Refer to Table 135 on page 364 for a list of ISAKMP payload types.
  • Page 355
    "Rule [%d] Phase 1 encryption algorithm mismatch": The listed rule's IKE phase 1 encryption algorithm did not match between the router and the peer.
    "Rule [%d] Phase 1 authentication algorithm mismatch": The listed rule's IKE phase 1 authentication algorithm did not match between the router and the peer.
  • Page 356
    (continued) "[%s] is changed to %s"
    "New My ZyWALL Addr in rule [%s] is changed to %s": The IP address for the domain name of the ZyWALL in the listed rule changed to the listed IP address.
  • Page 357: Table 128 PKI Logs
    "Rcvd data <size> too large! Max size allowed: <max size>": (continued) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.
  • Page 358
    CRL is not currently valid, but in the future. CRL contains duplicate serial numbers. Time interval is not continuous. Time information not available. Database method failed due to timeout. Database method failed. Path was not verified. Maximum path length reached.
  • Page 359: Table 129 802.1X Logs
    DIRECTION: DESCRIPTION
    (L to W) LAN to WAN: ACL set for packets traveling from the LAN to the WAN.
    (W to L) WAN to LAN: ACL set for packets traveling from the WAN to the LAN.
  • Page 360: Table 131 ICMP Notes
    (continued) Redirect datagrams for the Type of Service and Host
    Echo: Echo message
    Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded
    Parameter Problem: Pointer indicates the error
    Timestamp: Timestamp request message
    Timestamp Reply: Timestamp reply message
    Information Request: Information request message
  • Page 361: Table 132 IDP Logs
    (continued) "Virus infected - %s!": "ID" virus ID number, virus name, filename. For example, ID:30001,CIH.Win95,/game.exe.
    "SMTP Virus infected - %s!": The device detected a virus in an SMTP connection. The format of %s is "ID" virus ID number, virus name, filename. For example, ID:30001,CIH.Win95,/game.exe.
  • Page 362
    "Update the signature file successfully.": The device updated the signature file successfully.
    "The system is doing signature update now , please wait!": The device is updating the signature file.
  • Page 363: Syslog Logs
    ob="<0|1>" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>": The definitions of messages and notes are given in the other log tables. OB is the Out Break flag and ob_mac the MAC address of the Out Break
  • Page 364: Table 135 RFC-2408 ISAKMP Payload Types
    RFC for detailed information on each type. Table 135 RFC-2408 ISAKMP Payload Types (PAYLOAD TYPE: LOG DISPLAY): Security Association; Proposal: PROP; Transform: TRANS; Key Exchange; Identification; Certificate; Certificate Request: CER_REQ; Hash: HASH; Signature; Nonce: NONCE; Notification: NOTFY; Delete; Vendor ID.
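    When these logs are shipped to a syslog server, the key="value" format of the Syslog Logs page is what a collector has to parse, and the message tables above give the message shapes worth matching. The following is an added example, not code from the manual or from ZyXEL: it splits a syslog line into its fields, pulls the virus ID, virus name and filename triple out of anti-virus messages, recognises the land-attack messages and the Out Break flag, and summarises a batch of lines. The timestamp and hostname prefix, the src and dst fields, the category names and every log line are constructed for the example; only the field names and message texts come from the manual's tables.

```python
"""Parse ZyWALL syslog lines and classify the notable ones.

Added example, not ZyXEL code.  The key="value" fields (msg, note, devID,
cat, ob, ob_mac) follow the Syslog Logs page of the manual; the
timestamp/hostname prefix, src/dst fields, category names and the
sample lines themselves are constructed for this example."""
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Anti-virus messages carry "ID:<virus id>,<virus name>,<filename>".
VIRUS_RE = re.compile(r'ID:(\d+),([^,]+),(\S+)')
# "land TCP", "land ICMP (type:8, code:0)" and the other land-attack messages.
LAND_RE = re.compile(r'^land (TCP|UDP|IGMP|ESP|GRE|OSPF|ICMP)\b')

# Constructed sample log (not captured from a device).
SAMPLE_LOG = """\
Jan  1 10:00:01 zywall src="203.0.113.7:25" dst="192.168.167.40:1028" msg="SMTP Virus infected - ID:30001,CIH.Win95,/game.exe" note="AV" devID="001349aabbcc" cat="Anti-Virus"
Jan  1 10:00:02 zywall src="192.168.167.40:80" dst="192.168.167.40:80" msg="land TCP" note="ATTACK" devID="001349aabbcc" cat="Attack"
Jan  1 10:00:03 zywall src="192.168.167.41:12345" dst="198.51.100.1:80" msg="Router reply ICMP packet: ICMP" note="ACCESS CONTROL" devID="001349aabbcc" cat="Access Control"
Jan  1 10:00:04 zywall ob="1" ob_mac="000c29112233" src="192.168.167.41:1025" dst="203.0.113.9:25" msg="SMTP Virus infected - ID:30001,CIH.Win95,/game.exe" note="AV" devID="001349aabbcc" cat="Anti-Virus"
Jan  1 10:00:05 zywall msg="WAN connection is down." note="SYSTEM ERROR" devID="001349aabbcc" cat="System Error"
"""


def parse_line(line):
    """Return the key="value" fields of one syslog line as a dict."""
    fields = dict(KV_RE.findall(line))
    if "msg" not in fields:
        raise ValueError("not a ZyWALL log line: " + line[:40])
    return fields


def classify(fields):
    """Map a parsed line to an event dict with a 'kind' and the useful details."""
    msg = fields["msg"]
    m = VIRUS_RE.search(msg)
    if m:
        return {"kind": "virus", "id": int(m.group(1)), "name": m.group(2),
                "file": m.group(3), "outbreak": fields.get("ob") == "1",
                "outbreak_mac": fields.get("ob_mac")}
    m = LAND_RE.match(msg)
    if m:
        return {"kind": "land_attack", "proto": m.group(1), "src": fields.get("src")}
    if msg.startswith("WAN connection is down"):
        return {"kind": "wan_down"}
    return {"kind": "other", "cat": fields.get("cat")}


def summarize(text):
    """Classify every non-empty line; return counts per kind, the MAC addresses
    flagged as Out Break sources, and the event list itself."""
    events = [classify(parse_line(line)) for line in text.splitlines() if line.strip()]
    counts = Counter(e["kind"] for e in events)
    outbreak_hosts = sorted({e["outbreak_mac"] for e in events if e.get("outbreak")})
    return {"counts": dict(counts), "outbreak_hosts": outbreak_hosts, "events": events}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary["counts"])
    print("outbreak hosts:", summary["outbreak_hosts"])
```

    The Out Break flag is the field to alert on: a LAN host whose own MAC address turns up as ob_mac is sending infected mail outward, which is a different response from an infected download arriving from the WAN.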
  • Page 365: Maintenance
    Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name. 23.3 General Setup Click MAINTENANCE to open the General screen. Use this screen to configure administrative and system-related information.
  • Page 366: Figure 229 Maintenance > General Setup
    An FQDN starts with a host name and continues all the way up to the top-level domain name. In the example www.mydevice.com, "www" is the host, "mydevice" is the second-level domain, and "com" is the top-level domain.
  • Page 367: Configuring Password
    (*) for each character you type. Retype to Confirm: type the new password again for confirmation. Apply: click Apply to save your changes back to the ZyWALL. Reset: click Reset to begin configuring this screen afresh.
  • Page 368: Brute-Force Password Guessing Protection
    ZyWALL. To change your ZyWALL's time and date, click MAINTENANCE > Time and Date. The screen appears as shown. Use this screen to configure the ZyWALL's time based on your local time zone.
  • Page 369: Figure 231 Maintenance > Time and Date
    When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server: select this radio button to have the ZyWALL get the time and date from the time server you specified below.
  • Page 370
    In Germany for instance, you would type 1 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply: click Apply to save your changes back to the ZyWALL. Reset: click Reset to begin configuring this screen afresh.
  • Page 371: Pre-defined NTP Time Server Pools
    When the System Time and Date Synchronization in Process screen appears, wait up to one minute. Figure 232 Synchronization in Process Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
  • Page 372: Introduction to Transparent Bridging
    The bridge gradually builds a host MAC-address-to-port mapping table such as in the following example, during the learning process. Table 140 MAC-address-to-port Mapping Table (HOST MAC ADDRESS, PORT): 00a0c5123456; 00a0c5123478 (host A) 1; 00a0c512349a; 00a0c51234bc; 00a0c51234de
  • Page 373: Transparent Firewalls
    ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
  • Page 374: Figure 235 Maintenance > Device Mode (Router Mode)
    Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the IP Address field to access the ZyWALL again. Reset: click Reset to begin configuring this screen afresh.
  • Page 375: Configuring Device Mode (Bridge)
    LAN Interface IP Address: enter the IP address of your ZyWALL's LAN port in dotted decimal notation. 192.168.167.1 is the factory default. LAN Interface Subnet Mask: enter the IP subnet mask of the ZyWALL's LAN port.
  • Page 376: Configuring Device Mode (Zero Configuration)
    ZyWALL. • The basic screens let you configure Internet access settings, enable or disable IDP and anti-virus (and update the signatures) and view the logs. • You must log in to use the advanced screens.
  • Page 377: Network Conflict Avoidance
    Select this radio button and click Apply to set the ZyWALL to router mode. LAN Interface IP Address: enter the IP address of your ZyWALL's LAN port in dotted decimal notation. 192.168.167.1 is the factory default.
  • Page 378: Firmware and Configuration File Maintenance
    The firmware determines the device's available features and functionality. You can download new firmware releases from your nearest ZyXEL FTP site (or www.zyxel.com) to use to upgrade your device's performance.
  • Page 379: Filename Conventions
    The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing.
  • Page 380: F/W Upload Screen
    23.17 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
  • Page 381: Backup and Restore
    23.18 Backup and Restore See later in this chapter for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
  • Page 382: Backup Configuration
    Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload: click Upload to begin the upload process. Do not turn off the ZyWALL while configuration file upload is in progress.
  • Page 383: Back to Factory Defaults
    Figure 245 Configuration Upload Error 23.18.3 Back to Factory Defaults Click the Reset button to clear all user-entered configuration information and return the ZyWALL to its factory defaults as shown on the screen. The following warning screen appears.
  • Page 384: Using FTP or TFTP to Back Up Configuration
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for RETR rom-0
    226 File received OK
    ftp: 16384 bytes received in 1.10Seconds 297.89Kbytes/sec.
    ftp> quit
  • Page 385: Configuration Backup Using GUI-based FTP Clients
    For UNIX, use "get" to transfer from the ZyWALL to the computer and "binary" to set binary transfer mode. 23.19.5 TFTP Command Configuration Backup Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom
  • Page 386: Configuration Backup Using GUI-based TFTP Clients
    FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR device. When the restore configuration process is complete, the device will automatically restart. Note that FTP and TFTP transfer the file, including the password and the rest of the configuration it contains, without encryption, so run these transfers only from a trusted LAN segment and protect the backup file afterwards.
  • Page 387: Restore Using FTP Session Example
    Likewise "get rom-0 config.rom" transfers the configuration file on the ZyWALL to your computer and renames it "config.rom". See earlier in this chapter for more information on filename conventions. 7 Enter "quit" to exit the ftp prompt.
  • Page 388: FTP Session Example of Firmware File Upload
    TFTP client program. For UNIX, use "get" to transfer from the ZyWALL to the computer, "put" the other way around, and "binary" to set binary transfer mode. 23.21.4 TFTP Upload Command Example The following is an example TFTP command: tftp [-i] host put firmware.bin ras
  • Page 389: Restart Screen
    System restart allows you to reboot the ZyWALL without turning the power off. Click MAINTENANCE > Restart. Click Restart to have the ZyWALL reboot. Restart is different from reset (see Section 23.18.3 on page 383): reset returns the device to its default configuration. Figure 250 MAINTENANCE > Restart
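    The learning process described above, as an added example that is not code from the manual or from ZyXEL: a bridge that records the port each source MAC address arrives on, forwards to the learned port when it knows the destination, and floods every other port when it does not. The frames are constructed for the example; the MAC addresses reuse the values of Table 140, and the port numbers are assumptions.

```python
"""Learning-bridge simulation: building the MAC-address-to-port table
and forwarding with it.  Added example, not ZyXEL code; the frames are
constructed and the port numbers are assumptions."""

BROADCAST = "ffffffffffff"


class LearningBridge:
    def __init__(self, ports):
        self.ports = tuple(ports)
        self.table = {}            # MAC address -> port it was last seen on

    def receive(self, src_mac, dst_mac, in_port):
        """Learn src_mac on in_port, then return the set of ports the frame
        goes out of: the learned port for dst_mac; every port except the
        ingress port if dst_mac is unknown or broadcast; nothing if the
        destination is on the ingress segment already."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = src_mac.lower(), dst_mac.lower()
        self.table[src] = in_port                   # the learning step
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            return {p for p in self.ports if p != in_port}
        if out == in_port:
            return set()                            # filter: same segment
        return {out}


def run_sample():
    """Replay constructed frames through a two-port bridge; return the
    learned table and the per-frame output ports."""
    bridge = LearningBridge(ports=(1, 2))
    frames = [
        ("00a0c5123456", "00a0c5123478", 1),   # dst unknown: flooded to port 2
        ("00a0c5123478", "00a0c5123456", 2),   # dst learned on port 1
        ("00a0c5123456", "00a0c5123478", 1),   # dst now learned on port 2
        ("00a0c512349a", "00a0c5123456", 1),   # dst on ingress segment: filtered
        ("00a0c51234bc", BROADCAST, 2),        # broadcast: flooded to port 1
    ]
    sent = [sorted(bridge.receive(src, dst, port)) for src, dst, port in frames]
    return bridge.table, sent


if __name__ == "__main__":
    table, sent = run_sample()
    print(table)
    print(sent)
```

    Because the table is learned only from source addresses, a bridge in this mode has no address of its own on the segments it joins, which is why the manual requires a separate management IP address to reach the ZyWALL in bridge mode.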
  • Page 391: Zero Configuration and Troubleshooting
    Zero Configuration and Troubleshooting Zero Configuration Screens (393) Troubleshooting (403)
  • Page 393: Zero Configuration Screens
    Alternatively, if you have enabled the management FQDN (Fully Qualified Domain Name), you can use the management domain name to access the ZyWALL from the LAN (see Section 23.3 on page 365 for details). 4 The INTERNET ACCESS screen displays. Figure 251 INTERNET ACCESS
  • Page 394: Internet Access
    For the WAN port the port speed and duplex setting display if you're using Ethernet encapsulation, and Down (line is down or not connected), Idle (PPP line idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation.
  • Page 395: ISP Parameters
    WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number. Choose Ethernet when the WAN port is used as a regular Ethernet. Figure 253 INTERNET ACCESS (Ethernet Encapsulation)
  • Page 396: Table 150 Internet Access (Ethernet Encapsulation)
    Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
  • Page 397: Figure 254 Internet Access (PPPoE Encapsulation)
    Select Nailed-Up if you do not want the connection to time out. Idle Timeout: type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. WAN IP Address Assignment
  • Page 398
    Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
  • Page 399: Figure 255 Internet Access (PPTP Encapsulation)
    Type the user name given to you by your ISP. Password: type the password associated with the User Name above. Retype to Confirm: type your password again for confirmation. Nailed-Up: select Nailed-Up if you do not want the connection to time out.
  • Page 400: Security
    Click Reset to begin configuring this screen afresh. 24.3 SECURITY Click SECURITY to display this screen. Use this screen to enable or disable the ZyWALL's IDP and anti-virus features and update the IDP signatures and anti-virus patterns file. Figure 256 SECURITY
  • Page 401: Logs
    Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Figure 257 LOGS
  • Page 402: Table 154 Logs
    This field lists the source IP address and the port number of the incoming packet. Destination: this field lists the destination IP address and the port number of the incoming packet. Note: this field displays additional information about the log entry.
  • Page 403: Troubleshooting
    2 Check the hardware connections. See the Quick Start Guide. 3 Inspect your cables for damage. Contact the vendor to replace any damaged cables. 4 Disconnect and re-connect the power adaptor to the ZyWALL. 5 If the problem continues, contact the vendor.
  • Page 404: ZyWALL Access and Login
    5 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. See Section 25.6 on page 409. 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
  • Page 405: Configuration File
    See the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator." on page 404. Ignore the suggestions about your browser. Also see Section 18.1.1 on page 292 for conditions that block remote management sessions.
  • Page 406: Internet Access
    [Caps Lock] is not on. 3 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 4 If the problem continues, contact your ISP.
  • Page 407
    IP addresses. Configure a many-to-many NAT rule to map the public IP addresses to the LAN IP addresses of the users that want to use the game server. See Chapter 16 on page 271 for details about NAT.
  • Page 408: VoIP
    LOGS > Log Settings and make sure IKE and IPSec logging is enabled at both ends. Then clear the log and re-attempt to build the tunnel. • The network policy must use Tunnel if there is a NAT router between the IPSec routers.
  • Page 409: Resetting the ZyWALL to its Factory Defaults
    LAN to WAN: LAN Data and Call Filtering -> Firewall -> IDP -> Anti-Virus -> Remote Node Data Filtering -> NAT
    WAN to LAN: Remote Node Data Filtering -> NAT -> Firewall -> IDP -> Anti-Virus -> LAN Data Filtering
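    This order decides which address a firewall rule sees. On the WAN-to-LAN path NAT runs before the firewall, so a rule that permits a port-forwarded service must match the private LAN address the packet carries after translation, which is why the ALG chapter says incoming calls need both a port-forwarding rule and a firewall rule for the private IP address. On the LAN-to-WAN path the firewall runs before NAT and sees the original LAN source. The following is an added example, not code from the manual or from ZyXEL: it models only the NAT and firewall stages in the order above, with the filtering, IDP and anti-virus stages as pass-through. The WAN address, the rule formats and the default actions (block unsolicited WAN-to-LAN traffic, allow LAN-to-WAN) are assumptions for the example; the second default follows the firewall description in the product specifications.

```python
"""Model of the ZyWALL packet-processing order (troubleshooting chapter),
reduced to the NAT and firewall stages.  Added example, not ZyXEL code.
WAN_IP, the rule formats and the default actions are assumptions."""
from dataclasses import dataclass, replace
from typing import Optional, Sequence, Tuple

WAN_IP = "198.51.100.10"     # assumed public address on the WAN interface
LAN_PREFIX = "192.168.167."  # factory-default LAN subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


@dataclass(frozen=True)
class ForwardRule:
    """Port-forwarding (NAT) rule: WAN external port -> internal client/port."""
    external_port: int
    internal_client: str
    internal_port: int
    proto: str = "TCP"
    remote_host: Optional[str] = None   # None = forward from any WAN source


@dataclass(frozen=True)
class FirewallRule:
    action: str                         # "permit" or "deny"
    dst: Optional[str] = None           # None = any destination address
    dport: Optional[int] = None         # None = any destination port
    proto: str = "TCP"


def nat_inbound(pkt: Packet, rules: Sequence[ForwardRule]) -> Packet:
    """Rewrite the destination of a packet that hits a forwarding rule."""
    for r in rules:
        if (pkt.dst == WAN_IP and pkt.dport == r.external_port and pkt.proto == r.proto
                and (r.remote_host is None or r.remote_host == pkt.src)):
            return replace(pkt, dst=r.internal_client, dport=r.internal_port)
    return pkt


def nat_outbound(pkt: Packet) -> Packet:
    """Many-to-one NAT: LAN sources leave with the WAN address."""
    return replace(pkt, src=WAN_IP) if pkt.src.startswith(LAN_PREFIX) else pkt


def firewall(pkt: Packet, rules: Sequence[FirewallRule], default: str) -> str:
    """First matching rule wins; otherwise the direction's default applies."""
    for r in rules:
        if ((r.dst is None or r.dst == pkt.dst) and (r.dport is None or r.dport == pkt.dport)
                and r.proto == pkt.proto):
            return r.action
    return default


def wan_to_lan(pkt: Packet, nat_rules, fw_rules) -> Tuple[str, Packet]:
    """Remote Node Data Filtering -> NAT -> Firewall -> IDP -> Anti-Virus ->
    LAN Data Filtering.  Only NAT and the firewall are modelled; the firewall
    therefore sees the post-NAT (private) destination.  Default: deny."""
    pkt = nat_inbound(pkt, nat_rules)
    return firewall(pkt, fw_rules, default="deny"), pkt


def lan_to_wan(pkt: Packet, fw_rules) -> Tuple[str, Packet]:
    """LAN Data and Call Filtering -> Firewall -> IDP -> Anti-Virus ->
    Remote Node Data Filtering -> NAT.  The firewall sees the pre-NAT
    (private) source.  Default: permit."""
    verdict = firewall(pkt, fw_rules, default="permit")
    return verdict, (nat_outbound(pkt) if verdict == "permit" else pkt)


if __name__ == "__main__":
    forward = [ForwardRule(1720, "192.168.167.40", 1720)]   # H.323 signalling
    call = Packet("203.0.113.7", 40000, WAN_IP, 1720)
    # Rule written against the public address: never matches after NAT.
    print(wan_to_lan(call, forward, [FirewallRule("permit", dst=WAN_IP, dport=1720)])[0])
    # Rule written against the LAN address: matches.
    print(wan_to_lan(call, forward, [FirewallRule("permit", dst="192.168.167.40", dport=1720)])[0])
```

    The same model explains why an unsolicited WAN packet to a port without a forwarding rule is dropped even with no explicit deny rule: nothing rewrites it and the WAN-to-LAN default applies.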
  • Page 411: Part VII: Appendices and Index
    Appendices and Index Product Specifications (413) Setting up Your Computer's IP Address (419) Pop-up Windows, JavaScripts and Java Permissions (435) IP Addresses and Subnetting (441) Common Services (449) Windows 98 SE/Me Requirements for Anti-Virus Message Display (453) Importing Certificates (457) Command Interpreter (467) NetBIOS Filter Commands (473) Legal Information (475)
  • Page 413: Appendix A Product Specifications
    Only upload firmware for your specific model! Table 156 Firmware Specifications (FEATURE: DESCRIPTION). Default IP Address: 192.168.167.1. Default Subnet Mask: 255.255.255.0 (24 bits). Default Password: 1234 (change it on the Configuring Password screen before the device is connected to the WAN). Default DHCP Pool Starting Address: 192.168.167.33. Maximum DHCP Pool Size:
  • Page 414
    Use the web configurator to easily configure the rich range of features on the ZyWALL. Firmware Upgrade: download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL.
  • Page 415: Table 157 Performance
    FEATURE: DESCRIPTION. Firewall: you can configure the firewall on the ZyXEL device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files, for example.
  • Page 416: Table 158 Feature Specifications
    Table 160 AC Power Adaptor Specifications. AC Power Adapter model: MU12-2050150-C5. Input power: 100 to 240 Volts AC (VAC), 60/50 Hz, maximum 0.5 A at 100 VAC. Output power: 5 Volts DC, maximum 1.5 A. Power consumption: 7.5 W.
  • Page 417
    Table 160 AC Power Adaptor Specifications (continued). Plug: North American standards. Safety standards: UL, CE.
  • Page 419: Appendix B Setting Up Your Computer's Ip Address

    If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyWALL’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window. ZyWALL P1 User’s Guide...
  • Page 420: Figure 258 Windows 95/98/Me: Network: Configuration

    2 Select Client and then click Add. 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. ZyWALL P1 User’s Guide...
  • Page 421: Figure 259 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    • If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). ZyWALL P1 User’s Guide...
  • Page 422: Figure 260 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway. Windows 2000/NT/XP The following example figures use the default Windows XP GUI theme. 1 Click start (Start in Windows 2000/NT), Settings, Control Panel. ZyWALL P1 User’s Guide...
  • Page 423: Figure 261 Windows Xp: Start Menu

    Figure 261 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 262 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. ZyWALL P1 User’s Guide...
  • Page 424: Figure 263 Windows Xp: Control Panel: Network Connections: Properties

    • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. ZyWALL P1 User’s Guide...
  • Page 425: Figure 265 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished. ZyWALL P1 User’s Guide...
  • Page 426: Figure 266 Windows Xp: Advanced Tcp/Ip Properties

    • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. ZyWALL P1 User’s Guide...
  • Page 427: Figure 267 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. ZyWALL P1 User’s Guide...
  • Page 428: Figure 268 Macintosh Os 8/9: Apple Menu

    2 Select Ethernet built-in from the Connect via list. Figure 269 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. ZyWALL P1 User’s Guide...
  • Page 429: Figure 270 Macintosh Os X: Apple Menu

    2 Click Network in the icon bar. • Select Automatic from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. ZyWALL P1 User’s Guide...
  • Page 430: Figure 271 Macintosh Os X: Network

    Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version. ZyWALL P1 User’s Guide...
  • Page 431: Figure 272 Red Hat 9.0: Kde: Network Configuration: Devices

    Figure 272 Red Hat 9.0: KDE: Network Configuration: Devices 2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 273 Red Hat 9.0: KDE: Ethernet Device: General ZyWALL P1 User’s Guide...
  • Page 432: Figure 274 Red Hat 9.0: Kde: Network Configuration: Dns

    Ethernet card). Open the eth0 eth0 configuration file with any plain text editor. • If you have a dynamic IP address, enter in the field. The dhcp BOOTPROTO= following figure shows an example. ZyWALL P1 User’s Guide...
  • Page 433: Figure 276 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Figure 279 Red Hat 9.0: Restart Ethernet Card
    [root@localhost init.d]# network restart
    Shutting down interface eth0: [OK]
    Shutting down loopback interface: [OK]
    Setting network parameters: [OK]
    Bringing up loopback interface: [OK]
    Bringing up interface eth0: [OK]
  • Page 434: Figure 280 Red Hat 9.0: Checking Tcp/Ip Properties

    Bcast:172.23.19.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:717 errors:0 dropped:0 overruns:0 frame:0
    TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb)
    Interrupt:10 Base address:0x1000
    [root@localhost]#
  • Page 435: Appendix C Pop-Up Windows, Javascripts And Java Permissions

    1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 281 Pop-up Blocker. You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy.
  • Page 436: Figure 282 Internet Options: Privacy

    Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings… to open the Pop-up Blocker Settings screen.
  • Page 437: Figure 283 Internet Options: Privacy

    3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 284 Pop-up Blocker Settings.
  • Page 438: Figure 285 Internet Options: Security

    3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window.
  • Page 439: Figure 286 Security Settings - Java Scripting

    2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window. Figure 287 Security Settings - Java.
  • Page 440: Figure 288 Java (Sun)

    1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 288 Java (Sun).
  • Page 441: Appendix D Ip Addresses And Subnetting

    Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.
  • Page 442: Figure 289 Network Number And Host Id

    Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.
  • Page 443: Table 162 Subnet Masks

    For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations.
    Table 164 Alternative Subnet Mask Notation
    SUBNET MASK       ALTERNATIVE NOTATION   LAST OCTET (BINARY)   LAST OCTET (DECIMAL)
    255.255.255.0     /24                    0000 0000             0
    255.255.255.128   /25                    1000 0000             128
  • Page 444: Figure 290 Subnetting Example: Before Subnetting

    The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets: 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub-networks, A and B.
  • Page 445: Figure 291 Subnetting Example: After Subnetting

    IP/SUBNET MASK          NETWORK NUMBER                 LAST OCTET BIT VALUE
    IP Address (Decimal)    192.168.1.                     0
    IP Address (Binary)     11000000.10101000.00000001.    00000000
    Subnet Mask (Binary)    11111111.11111111.11111111.    11000000
    Subnet Address: 192.168.1.0        Lowest Host ID: 192.168.1.1
    Broadcast Address: 192.168.1.63    Highest Host ID: 192.168.1.62
  • Page 446: Table 166 Subnet 2

    Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet.
    Table 169 Eight Subnets
    SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
  • Page 447: Table 170 24-Bit Network Number Subnet Planning

    255.255.128.0 (/17) 32766
    255.255.192.0 (/18) 16382
    255.255.224.0 (/19) 8190
    255.255.240.0 (/20) 4094
    255.255.248.0 (/21) 2046
    255.255.252.0 (/22) 1022
    255.255.254.0 (/23)
    255.255.255.0 (/24)
    255.255.255.128 (/25)
    255.255.255.192 (/26) 1024
    255.255.255.224 (/27) 2048
    255.255.255.240 (/28) 4096
    255.255.255.248 (/29) 8192
  • Page 448: Configuring Ip Addresses

    Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.
  • Page 449: Appendix E Common Services

    IP numbers. IPSEC_TUNNEL (User-Defined): The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. FINGER: Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 450 This is the data channel. RCMD: Remote Command Service. REAL_AUDIO 7070: A streaming audio service that enables real time sound over the web. REXEC: Remote Execution Daemon. RLOGIN: Remote Login.
  • Page 451 TFTP: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000: Another videoconferencing solution.
  • Page 452 Appendix E Common Services
  • Page 453: Appendix F Windows 98 Se/Me Requirements For Anti-Virus Message Display

    Windows 98 SE: WinPopup. If you want to display the WinPopup window at startup, follow the steps below for Windows 98 SE (steps are similar for Windows Me). 1 Right-click on the program task bar and click Properties.
  • Page 454: Figure 293 Windows 98 Se: Program Task Bar

    Figure 293 Windows 98 SE: Program Task Bar. 2 Click the Start Menu Programs tab and click Advanced ... Figure 294 Windows 98 SE: Task Bar Properties. 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut.
  • Page 455: Figure 295 Windows 98 Se: Startup

    5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 296 Windows 98 SE: Startup: Create Shortcut. 6 Specify a name for the shortcut or accept the default and click Finish.
  • Page 456: Figure 297 Windows 98 Se: Startup: Select A Title For The Program

    7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 298 Windows 98 SE: Startup: Shortcut. The WinPopup window displays after the computer finishes the startup process (see Figure 292 on page 453).
  • Page 457: Appendix G Importing Certificates

    The following example procedure shows how to import the ZyWALL’s (self-signed) server certificate into your operating system as a trusted certification authority. 1 In Internet Explorer, double click the lock shown in the following screen.
  • Page 458: Figure 300 Login Screen

    Figure 300 Login Screen. 2 Click Install Certificate to open the Install Certificate wizard. Figure 301 Certificate General Information before Import. 3 Click Next to begin the Install Certificate wizard.
  • Page 459: Figure 302 Certificate Import Wizard 1

    Figure 302 Certificate Import Wizard 1. 4 Select where you would like to store the certificate and then click Next. Figure 303 Certificate Import Wizard 2. 5 Click Finish to complete the Import Certificate wizard.
  • Page 460: Figure 304 Certificate Import Wizard 3

    Figure 304 Certificate Import Wizard 3. 6 Click Yes to add the ZyWALL certificate to the root store. Figure 305 Root Certificate Store.
  • Page 461: Figure 306 Certificate General Information After Import

    You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA web configurator screen).
  • Page 462: Figure 307 Zywall Trusted Ca Screen

    The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate: 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 463: Figure 308 Ca Certificate Example

    Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard. Figure 309 Personal Certificate Import Wizard 1.
  • Page 464: Figure 310 Personal Certificate Import Wizard 2

    3 Enter the password given to you by the CA. Figure 311 Personal Certificate Import Wizard 3. 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
  • Page 465: Figure 312 Personal Certificate Import Wizard 4

    5 Click Finish to complete the wizard and begin the import process. Figure 313 Personal Certificate Import Wizard 5. 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 314 Personal Certificate Import Wizard 6.
  • Page 466: Figure 315 Access The Zywall Via Https

    ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 316 SSL Client Authentication. 3 You next see the ZyWALL login screen. Figure 317 ZyWALL Secure Login Screen.
  • Page 467: Appendix H Command Interpreter

    The following describes how to use the command interpreter. See Section 18.13 on page 305 for how to log into the command interpreter. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
  • Page 468: Figure 318 Displaying Log Categories Example

    • Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. • Use the sys logs clear command to erase all of the ZyWALL’s logs.
  • Page 469: Figure 320 Routing Command Example

    The following command example sets the ZyWALL to route traffic that does not match a NAT rule through the LAN interface.
    Figure 320 Routing Command Example
    ras> ip nat routing 2 0
    Routing can work in NAT when no NAT rule match.
    -----------------------------------------------
    LAN: yes
  • Page 470 ARP table. This way the ZyWALL has a correct gateway ARP entry to forward packets through the backup gateway. If ackGratuitous is off or not set to force updates, the ZyWALL will not update the gateway ARP entry and cannot forward packets through gateway B.
  • Page 471: Figure 321 Backup Gateway

    • Use the first line to start editing the VPN rule. • The second line sets VPN rule one to use 192 bit AES for the phase 2 encryption. • The third line displays the results.
  • Page 472: Figure 322 Routing Command Example

    Enable Replay Detection= No
    Key Management= IKE
    Phase 2 -
    Active Protocol= ESP
    Encryption Algorithm= AES
    Authentication Algorithm= SHA1
    Encryption Key Length = 192
    SA Life Time (Seconds)= 28800
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= None
    ras>
  • Page 473: Appendix I Netbios Filter Commands

    The filter types and their default settings are as follows.
    Table 173 NetBIOS Filter Default Settings
    NAME                  DESCRIPTION                                                                              EXAMPLE
    Between LAN and WAN   This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.   Block
  • Page 474: Netbios Filter Configuration

    sys filter netbios config 0 on: This command blocks LAN to WAN and WAN to LAN NetBIOS packets. sys filter netbios config 3 on: This command blocks IPSec NetBIOS packets. sys filter netbios config 4 off: This command stops NetBIOS commands from initiating calls.
  • Page 475: Appendix J Legal Information

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 476: Zyxel Limited Warranty

    Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
  • Page 477 ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
  • Page 478 Appendix J Legal Information
  • Page 479: Appendix K Customer Support

    • Telephone: +506-2017878 • Fax: +506-2015098 • Web Site: www.zyxel.co.cr • FTP Site: ftp.zyxel.co.cr • Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 •...
  • Page 480 • E-mail: info@zyxel.fr • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web Site: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-0 •...
  • Page 481 • Sales E-mail: sales@zyxel.com • Telephone: +1-800-255-4101, +1-714-632-0882 • Fax: +1-714-632-0858 • Web Site: www.us.zyxel.com • FTP Site: ftp.us.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 482 • Web Site: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web Site: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Ukraine •...
  • Page 483: Index

    Auth Server infection and prevention authentication types authentication algorithms 206, 212 configuration backup and active protocol configuration file Authentication Header. See AH. configuration restore avoiding network conflict 220, 377 contact information copyright custom ports customer support
  • Page 484 WAN e-Mule troubleshooting Encapsulating Security Payload. See ESP. FTP restrictions encapsulation Fully Qualified Domain Name and active protocol See FQDN. Ethernet 62, 395 PPPoE 63, 396 PPTP 64, 398 transport mode tunnel mode
  • Page 485 ISP parameters 62, 395 IP address, ZyXEL Device local identity main mode 202, 209 NAT traversal negotiation mode password peer identity Java permissions pre-shared key JavaScripts proposal SA life time user name IKE SA. See also VPN.
  • Page 486 NAT works policy actions inside global address types inside local address policy query Many to Many No Overload Many to Many Overload Many to One policy severity mapping types levels One to One polymorphic virus
  • Page 487 Real time Transport Protocol. See RTP. router mode real-time alert message Routing Information Protocol. See RIP. registering your device RSTP registration product related documentation Remote Authentication Dial In User Service. See RADIUS. remote management 291, 292 how SSH works life time
  • Page 488 53, 121, 373, 375 stateful inspection firewall triangle routes static route vs. virtual interfaces stealth firewall trigger a VPN tunnel 87, 231 See transparent firewall. trojan horse 119, 120, 121 troubleshooting
  • Page 489 81, 91 vs. triangle routes virtual address mapping 219, 225 Virtual Private Network. See VPN. VPN application virus VPN. See also IKE SA, IPSec SA. attack life cycle scan VoIP troubleshooting 133, 201
  • Page 490 109, 112 server wizard setup worm 173, 178, 189 Blaster SQL Slammer zero configuration ADVANCED screen INTERNET ACCESS screen 393, 394 mode 116, 220, 376, 393 SECURITY screen ZyNOS firmware version ZyXEL Network Operating System See ZyNOS.
