ZyXEL Communications ZyWall 35 Support Notes

ZyWALL 35
Security Appliance
Support Notes
Version 4.03
Sep. 2007


Summary of Contents for ZyXEL Communications ZyWall 35

  • Page 1 ZyWALL 35 Security Appliance Support Notes Version 4.03 Sep. 2007...
  • Page 2: Table Of Contents

    How to configure Security policy (AV/IDP/AS) over VPN ..152 How to configure Web filtering rule over VPN – Content Filter ..154 ZyWALL vs 3rd Party VPN Gateway ............155 SonicWALL with ZyWALL VPN Tunneling......155 NetScreen with ZyWALL VPN Tunneling ........164 All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 3 Internet? If possible, how?............283 A14. What DHCP capabilities does the ZyWALL support?....283 A15. What are the capabilities of the ZyWALL's wireless feature?.....283 A16. What is the wireless coverage range of the ZyWALL?....283
  • Page 4 B05. What happens if I upgrade a ZyWALL 70 running ZyNOS v3.62/3.63/3.64 to v4.01 directly?............290 B06. I am a 32MB ZyWALL 70 owner; how can I upgrade to ZyNOS v4.01 to get the AV+IDP and AS features? ..........290
  • Page 5 ZyNOS v4.01? ........291 B11. What is the downgrade procedure for a ZyWALL 70 running ZyNOS v4.01?...................291 B12. Can I downgrade a ZyWALL 5 or ZyWALL 35 running ZyNOS v4.01 back to ZyNOS v3.64 (or below)?..........291 C. Turbo Card FAQ....................291 C01.
  • Page 6 E06. What kind of iCard should I buy?..........300 E07. If I violate the mappings described above, for example by using a silver iCard for a ZyWALL 35 or ZyWALL 70, what will happen?..300 E08. Can I try the Content Filtering service for free? How long is the free trial period of the Content Filtering service?........300...
  • Page 7 AV+IDP service; but what exactly do I gain from the ZyWALL Turbo Card? .....................305 G06. How do I keep the signatures of the AV+IDP service updated? ....305 G07. How often does ZyXEL release signatures for the AV+IDP security service?......................305 G08. Will traffic coming in through the VPN tunnel also be scanned by the Anti-Virus, IDP and Anti-Spam features in ZyWALL ZyNOS v4.0?.....................305...
  • Page 8 I02. A customer already has her/his own Exchange server including Anti-Spam software from another vendor; is there any good reason for her/him to use ZyXEL’s Anti-Spam service in addition to the current solution? ....................308 I03. What happens when an email with a large attachment, e.g.
  • Page 9 J22. What can I do if I find a web site is mis-categorized? ....314 J23. How many and what categories do you provide? ......314 J24. How does the ZyXEL content filtering handle dynamically generated sites? ..................315 J25. Does BlueCoat have more than one data center? Is the BlueCoat Web Filter geographically load balanced? ..........316...
  • Page 10 K21. What VPN software has been tested successfully with the ZyWALL?....................324 K22. Will ZyXEL support Secure Remote Management? ....324 K23. Does ZyWALL VPN support NetBIOS broadcast? .....324 K24. Is a host behind NAT allowed to use IPSec? ......324 K25. How do I configure the ZyWALL with NAT for internal servers?...325 K26.
  • Page 11 L16. Will the self-signed certificate be erased if I reset to the default configuration file? ..................332 L17. Will certificates stored in the ZyXEL appliance be erased if I reset to the default configuration file? ...............332 L18. What can I do prior to resetting the appliance's configuration? .....332 L19.
  • Page 12: Application Notes

    If a router-mode firewall is inserted into an existing network, the user may need to reassign the IP addresses of all servers and hosts and the related application settings, which can be a huge task for administrators.
  • Page 13 In the following section, we explain how to configure the ZyWALL as a bridge firewall, so that all hosts and servers can keep using the same IP addresses as in the current network.
  • Page 14 The admin can activate the rule by clicking the ‘N’ as in the following picture; the rule then takes effect right away. Step2. To change the device mode, go to MAINTENANCE >> Device Mode. Select ‘Bridge’ and
  • Page 15 (like 210.242.82.X/24 in this example). In this way, the admin doesn’t need to change his PC’s IP address when he wants to access the Internet and the ZyWALL’s web GUI at the same time.)
  • Page 16 IP segment 210.242.82.0/24). Edit the firewall rule via Firewall >> Rule Summary with packet direction DMZ to LAN. Enter 210.242.82.2 as the source address and 210.242.82.31~34 as the destination address range, then select the service and set the action for ‘Matched Packet’ to ‘BLOCK’.
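The rule on Page 16 is one entry in an ordered rule set with a per-direction default action. The following is an added example written for this page, not ZyXEL code: it models that evaluation (first active matching rule decides, otherwise the direction's default action applies) using the bridge-mode addresses from the page. The service (HTTP, TCP port 80), the "WAN to DMZ" rule and the Block default on that direction are assumptions added to show the pattern the later Firewall Setup steps describe: set the default to Block, then forward only the one published service to the one server rather than the whole segment.

```python
"""Added example: a model of ZyWALL-style firewall rule evaluation (not ZyXEL code).

Model assumptions: rules are evaluated in order and the first active match decides;
a packet matching no rule gets the default action of its packet direction.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

BLOCK, FORWARD = "BLOCK", "FORWARD"
ANY_START, ANY_END = "0.0.0.0", "255.255.255.255"


def _in_range(ip: str, start: str, end: str) -> bool:
    return IPv4Address(start) <= IPv4Address(ip) <= IPv4Address(end)


@dataclass(frozen=True)
class Packet:
    direction: str      # packet direction as the GUI names it, e.g. "DMZ to LAN"
    src: str
    dst: str
    protocol: str       # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    direction: str
    src_start: str
    src_end: str
    dst_start: str
    dst_end: str
    protocol: str        # "any" or a protocol name
    dst_port: int        # 0 = any port
    action: str
    active: bool = True  # the Y/N toggle on the Rule Summary page

    def matches(self, p: Packet) -> bool:
        return (self.active
                and self.direction == p.direction
                and _in_range(p.src, self.src_start, self.src_end)
                and _in_range(p.dst, self.dst_start, self.dst_end)
                and self.protocol in ("any", p.protocol)
                and self.dst_port in (0, p.dst_port))


class Firewall:
    def __init__(self, default_actions: dict):
        self.default_actions = dict(default_actions)  # direction -> BLOCK / FORWARD
        self.rules: list = []

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default_actions[p.direction]


def bridge_example() -> Firewall:
    """The bridge-mode rule from Page 16 plus an assumed WAN-to-DMZ rule."""
    fw = Firewall({"DMZ to LAN": FORWARD, "LAN to DMZ": FORWARD, "WAN to DMZ": BLOCK})
    # Page 16: DMZ to LAN, source 210.242.82.2, destination 210.242.82.31~34, BLOCK.
    # The service is assumed here to be HTTP (TCP/80); the page leaves it to the reader.
    fw.rules.append(Rule("DMZ to LAN", "210.242.82.2", "210.242.82.2",
                         "210.242.82.31", "210.242.82.34", "tcp", 80, BLOCK))
    # Assumed: with the WAN-to-DMZ default action set to Block, forward only the one
    # published service to the one server instead of the whole 210.242.82.0/24 segment.
    fw.rules.append(Rule("WAN to DMZ", ANY_START, ANY_END,
                         "210.242.82.31", "210.242.82.31", "tcp", 80, FORWARD))
    return fw
```

The order of the rules matters: a later, wider Forward rule would never be reached for packets that an earlier Block rule already matched, and an inactive rule ('N' on the summary page) is skipped entirely, so a packet it would have blocked falls through to the direction's default.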
  • Page 17: Internet Connection

    ZyWALL to gain Internet access. Step1. First, select the Home menu and click Internet Access Wizard to configure your WAN1 connection. Click “Internet Access” under Home >> Wizards for WAN 1 Quick Setup.
  • Page 18 These fields vary depending on what you select in the Encapsulation field. Fill them in with the information exactly as given by the ISP or network administrator. The following picture is an example with PPPoE selected.
  • Page 19: Dhcp Server/Client/Relay + Flexible Port Role Configuration

    WLAN ports. Besides, since v4.0 the ZyWALL also supports flexible port role settings. With these two features, the admin can easily connect servers and clients into a ZyWALL-ready environment. The two features are described below.
  • Page 20 DHCP server (IP: 10.10.1.1) to handle all DHCP requests from LAN hosts, so the ZyWALL is configured in the relay role to pass DHCP requests from the LAN to the DHCP server. For the DMZ and WLAN, the network admin would like to configure them as independent subnets.
  • Page 21 Step1. Insert a wireless card in the ZyWALL’s PCMCIA slot before booting the ZyWALL, since we will enable the wireless network for wireless clients to associate with. Step2. Configure the DHCP setting for LAN. Choose ‘Relay’ from the DHCP setting and enter the IP address of the DHCP server, ‘10.10.1.1’.
  • Page 22 ‘192.168.10.33’. Step5. Configure Port Roles from any of LAN, DMZ or WLAN >> Port Roles. Configure the roles as follows, then click ‘Apply’ to save the setting. (1). port 1-2 for LAN
  • Page 23: Using Nat/Multi-Nat

    IP addresses. The IP addresses for NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them
  • Page 24 (e.g., the ZyWALL router). The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. • NAT Mapping Types NAT supports five types of IP/port mapping. They are:
  • Page 25 Many to One In Many-to-One mode, the ZyWALL maps multiple ILAs (Inside Local Addresses) to one IGA (Inside Global Address). This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA Only option in today's routers).
  • Page 26 Step 1. Applying NAT on the WAN Interface You can set the NAT mapping type to either SUA Only or Full Feature in the WAN setup: NETWORK -> WAN or ADVANCED -> NAT -> NAT Overview
  • Page 27 Set this field to 'SUA Only' if you want all clients to share one IP address to the Internet. Step 2. Configuring NAT Address Mapping To configure NAT, go to ADVANCED -> NAT -> Address Mapping
  • Page 28 Rule 1 (One-to-One type) maps FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.1.1.1). Rule 2 (One-to-One type) maps FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.1.1.2).
  • Page 29 Rule 1 Setup: Select the One-to-One type to map FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.1.1.1). Rule 2 Setup: Select the One-to-One type to map FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.1.1.2). Rule 3 Setup: Select the Many-to-One type to map the other clients to IGA3.
  • Page 30 ZyWALL 35 Support Notes Rule 4 Setup: Select the Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. The rule summary page then lists all four rules.
  • Page 31 LAN to forward the incoming connections. If you want to allow only traffic going to the internal server, specify the server's private IP address in the destination IP address field.
  • Page 32 IP address. The following figure illustrates this. One rule configured with the Many One-to-One mapping type is shown below. The three rules configured with the One-to-One mapping type are shown below.
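To make the four address-mapping rules from Pages 28-32 concrete, the following added example (this editor's model, not ZyXEL code) translates outbound and inbound packets through them. It assumes rules are tried in the order of the Address Mapping summary with the first matching rule winning, that IGA3 (unnamed on the page) is 200.1.1.3, that the Server rule forwards web (80) and mail (25), and that the PAT port pool starts at 1025; a Many One-to-One rule is also included so all four types used in this section are covered.

```python
"""Added example: a model of the ZyWALL NAT address-mapping rules (not ZyXEL code).

Model assumptions: rules are tried in summary order and the first rule whose local
range contains the packet's source wins; IGA3 is taken to be 200.1.1.3; the Server
rule forwards ports 80 and 25; the PAT port pool starts at 1025.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional, Tuple

ONE_TO_ONE = "One-to-One"            # one ILA statically mapped to one IGA
MANY_TO_ONE = "Many-to-One"          # SUA / PAT: all sources share one IGA, ports rewritten
MANY_ONE_TO_ONE = "Many One-to-One"  # a range of ILAs mapped 1:1 onto a range of IGAs
SERVER = "Server"                    # inbound port forwarding to an internal server


@dataclass
class Rule:
    kind: str
    local_start: str
    local_end: str      # "" means a single address
    global_start: str

    def covers(self, ila: str) -> bool:
        end = self.local_end or self.local_start
        return IPv4Address(self.local_start) <= IPv4Address(ila) <= IPv4Address(end)

    def local_span(self) -> int:
        end = self.local_end or self.local_start
        return int(IPv4Address(end)) - int(IPv4Address(self.local_start))


@dataclass
class Nat:
    rules: list
    servers: dict = field(default_factory=dict)   # (iga, port) -> (ila, port) from Server rules
    sessions: dict = field(default_factory=dict)  # (iga, gport) -> (ila, lport)
    next_port: int = 1025                         # assumed PAT port pool start

    def outbound(self, ila: str, lport: int) -> Optional[Tuple[str, int]]:
        """Translate (src ip, src port) of an outgoing packet; None means no rule applies."""
        for r in self.rules:
            if r.kind == SERVER or not r.covers(ila):
                continue
            if r.kind == ONE_TO_ONE:
                iga, gport = r.global_start, lport
            elif r.kind == MANY_ONE_TO_ONE:
                offset = int(IPv4Address(ila)) - int(IPv4Address(r.local_start))
                iga, gport = str(IPv4Address(r.global_start) + offset), lport
            elif r.kind == MANY_TO_ONE:
                iga, gport = r.global_start, self.next_port
                self.next_port += 1
            else:
                raise ValueError(r.kind)
            self.sessions[(iga, gport)] = (ila, lport)   # remembered so replies can be restored
            return iga, gport
        return None

    def inbound(self, iga: str, gport: int) -> Optional[Tuple[str, int]]:
        """Reverse-map (dst ip, dst port) of an incoming packet: a tracked session reply,
        a Server-rule port forward, or a static One-to-One / Many One-to-One mapping."""
        hit = self.sessions.get((iga, gport)) or self.servers.get((iga, gport))
        if hit:
            return hit
        for r in self.rules:   # static rules also admit unsolicited inbound traffic
            if r.kind == ONE_TO_ONE and r.global_start == iga:
                return r.local_start, gport
            if r.kind == MANY_ONE_TO_ONE:
                offset = int(IPv4Address(iga)) - int(IPv4Address(r.global_start))
                if 0 <= offset <= r.local_span():
                    return str(IPv4Address(r.local_start) + offset), gport
        return None


def page_example() -> Nat:
    """Rules 1-4 from Pages 28-30."""
    nat = Nat(rules=[
        Rule(ONE_TO_ONE, "192.168.1.10", "", "200.1.1.1"),               # Rule 1: FTP Server 1
        Rule(ONE_TO_ONE, "192.168.1.11", "", "200.1.1.2"),               # Rule 2: FTP Server 2
        Rule(MANY_TO_ONE, "192.168.1.1", "192.168.1.254", "200.1.1.3"),  # Rule 3: other clients
        Rule(SERVER, "192.168.1.20", "", "200.1.1.3"),                   # Rule 4: web + mail
    ])
    nat.servers[("200.1.1.3", 80)] = ("192.168.1.20", 80)
    nat.servers[("200.1.1.3", 25)] = ("192.168.1.20", 25)
    return nat


def misordered_example() -> Nat:
    """Same rules with the Many-to-One catch-all first: the FTP servers lose their IGAs."""
    nat = page_example()
    nat.rules.insert(0, nat.rules.pop(2))
    return nat
```

The ordering point is the one to check on a real unit: if the Many-to-One catch-all is listed before the One-to-One rules, FTP Server 1 and 2 are PAT'd out of IGA3 and their published addresses 200.1.1.1 and 200.1.1.2 never see a reply.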
  • Page 33: Optimize Network Performance & Availability

    DMZ Setup (Go to NETWORK >> DMZ) NAT Setup (Go to ADVANCED >> NAT) Firewall Setup (Go to SECURITY >> FIREWALL) Setup DDNS (Go to ADVANCED >> DNS) Setup VPN (Go to SECURITY >> VPN)
  • Page 34: Using Dual Wan

    Using Dual WAN This feature is for the ZyWALL 35 & 70 only, since the ZyWALL 5 has only one WAN interface. There are two operation modes for dual WAN. “Active/Passive” is for fail-over and fall-back, and “Active/Active”...
  • Page 35 Step3. Set up the connectivity check. Specify a public IP address for WAN1 and WAN2 respectively. This IP address is a check point for the ZyWALL: the ZyWALL periodically pings it to check the connectivity of WAN1 and WAN2. Choose a host that reliably answers ICMP echo; if the check-point host itself becomes unreachable, the ZyWALL treats that WAN as down even though the link is fine.
  • Page 36 Step4. Set up WAN1. Configure the Internet Access parameters for WAN1.
  • Page 37 Step5. Set up WAN2. Configure the Internet Access parameters for WAN2.
  • Page 38 2. LAN Setup (Go to NETWORK >> LAN) Leave the setup as default. 3. DMZ Setup (Go to NETWORK >> DMZ) Give the ZyWALL’s DMZ a private IP address on a different segment from the LAN.
  • Page 39 ISDN by themselves. If this is not the case for your application, you can still turn on the NAT function of WAN2, with the same settings as you configured on WAN1.
  • Page 40 5. Firewall Setup (Go to SECURITY >> FIREWALL) Step1. Enable the firewall. Step2. Make sure traffic from “WAN to DMZ” is set to ‘Forward’. If you change the Default Action to ‘Block’, proceed to Step3; otherwise, the firewall setting is finished.
  • Page 41 Step3. Set up a firewall rule to forward traffic from “WAN to DMZ” 6. Setup DDNS (Go to ADVANCED >> DNS) In this example, since WAN1 and WAN2’s IP addresses are dynamic and WAN2 will take over the
  • Page 42 Note1. If your ZyWALL has a dynamic WAN IP address as in this example, or you want the VPN to remain available whether it goes through WAN1 or WAN2, you should choose the pre-configured DDNS instead.
  • Page 43: Load Balancing (Active/Active Mode)

    Spill Over: A threshold is preset for the primary WAN. Once its load exceeds the threshold within a measured period of time, the secondary WAN takes over; once the load of the primary WAN decreases, the next session goes through the primary WAN again.
  • Page 44 Step3. Set up the connectivity check. Specify a public IP address for WAN1 and WAN2 respectively. This IP address is a check point for the ZyWALL: the ZyWALL periodically pings it to check the connectivity of WAN1 and WAN2.
  • Page 45 Step4. Set up WAN1. Configure the Internet Access parameters for WAN1.
  • Page 46 Step5. Set up WAN2. Configure the Internet Access parameters for WAN2.
  • Page 47 9. LAN Setup (Go to NETWORK >> LAN) Leave the setup as default. 10. DMZ Setup (Go to NETWORK >> DMZ)
  • Page 48 Give the ZyWALL’s DMZ a private IP address on a different segment from the LAN. 11. NAT Setup (Go to ADVANCED >> NAT) Step1. Set up NAT (Network Address Translation) for WAN1 and WAN2. Step2. Set up Address Mapping and Port Forwarding for WAN1.
  • Page 49 Step3. Configure Port Forwarding for the FTP/MAIL services. 12. Firewall Setup (Go to SECURITY >> FIREWALL) Step1. Enable the firewall. Step2. Make sure traffic from “WAN to DMZ” is set to ‘Forward’. If you change the Default Action to Block,
  • Page 50 Step3. Set up a firewall rule to forward traffic from “WAN to DMZ” 13. Setup DDNS (Go to ADVANCED >> DNS) Because WAN1 uses two IP addresses for the FTP/HTTP/MAIL servers, users need to update these two
  • Page 51 Note1. If you want the VPN to always go through WAN1, specify WAN1’s IP address in the My Address field. Note 2. If you want the VPN to remain available whether it goes through WAN1 or WAN2, choose the pre-configured DDNS instead.
  • Page 52: Using Policy Route

    That is, the user can still assign a specific WAN interface to handle specific traffic, whichever load-balancing mechanism is chosen. The following example assigns VoIP traffic from the LAN to WAN2.
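The connectivity check (Pages 35 and 44), the Active/Passive fail-over and fall-back, the Spill Over threshold (Page 43) and the policy route just described all feed one decision: which WAN a new session is sent over. The following added example (this editor's model, not ZyXEL code) puts them together. Its assumptions: a WAN is marked down after three consecutive failed pings of its check-point address (the page only says the ZyWALL pings periodically), a policy route is honoured only while its WAN is up and otherwise the balancing mode decides, Spill Over compares the primary WAN's current load against the preset threshold, VoIP is taken to be SIP on UDP/5060, and the check-point addresses are constructed.

```python
"""Added example: how the dual-WAN decisions in these notes fit together (not ZyXEL code).

Model assumptions: a WAN is down after three consecutive failed pings of its check point;
a policy route is honoured only while its WAN is up; Spill Over compares the primary
WAN's current load with the preset threshold.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Wan:
    name: str
    check_ip: str             # public address the ZyWALL pings for the connectivity check
    load_kbps: int = 0
    failures: int = 0
    max_failures: int = 3     # assumption of this model

    @property
    def up(self) -> bool:
        return self.failures < self.max_failures

    def record_ping(self, replied: bool) -> None:
        """Feed one connectivity-check result; a reply clears the failure count."""
        self.failures = 0 if replied else self.failures + 1


@dataclass
class PolicyRoute:
    name: str
    protocol: int             # IP protocol number, e.g. 17 = UDP
    dst_port: int             # 0 = any port
    wan: str                  # WAN interface that must carry the matching traffic


@dataclass
class DualWan:
    primary: Wan
    secondary: Wan
    mode: str                         # "Active/Passive" or "Spill Over"
    spill_threshold_kbps: int = 0
    policy_routes: List[PolicyRoute] = field(default_factory=list)

    def _wan(self, name: str) -> Wan:
        return self.primary if self.primary.name == name else self.secondary

    def select(self, protocol: int, dst_port: int) -> Optional[str]:
        """Return the WAN a new session is sent over, or None when neither WAN is up."""
        for pr in self.policy_routes:        # policy routes win over the balancing mode
            if pr.protocol == protocol and pr.dst_port in (0, dst_port) and self._wan(pr.wan).up:
                return pr.wan
        p, s = self.primary, self.secondary
        if self.mode == "Active/Passive":     # fail-over to secondary, fall-back once primary is up
            if p.up:
                return p.name
            return s.name if s.up else None
        if self.mode == "Spill Over":         # secondary takes new sessions only above the threshold
            if p.up and (p.load_kbps < self.spill_threshold_kbps or not s.up):
                return p.name
            if s.up:
                return s.name
            return p.name if p.up else None
        raise ValueError(f"unknown dual WAN mode {self.mode!r}")


def page_example() -> DualWan:
    """Two WANs with VoIP (assumed SIP, UDP/5060) pinned to WAN2 by policy route."""
    wan1 = Wan("WAN1", "203.0.113.1")     # constructed check-point addresses
    wan2 = Wan("WAN2", "198.51.100.1")
    return DualWan(wan1, wan2, "Active/Passive",
                   policy_routes=[PolicyRoute("VoIP", 17, 5060, "WAN2")])
```

The case worth testing on a real unit is the last one in the model: a policy route whose WAN is down. Whether the ZyWALL then falls back to the other WAN or drops the traffic is not stated in these notes, so verify it before relying on it for VoIP.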
  • Page 53: Using Bandwidth Management

    The ZyWALL achieves BWM by classifying packets and controlling when the classified packets are sent out. Bandwidth Management in ZyXEL appliances operates at the IP layer. The main step in configuring BWM is defining filter rules by IP header fields or TCP/UDP port number, then specifying the volume of...
  • Page 54 bandwidth you want to allocate to the filtered traffic. There are two types of BWM in ZyXEL implementations, the Full and Lite versions. Full version: Supported in SMB-level devices, such as the ZyWALL 100, ZyWALL 70, etc. Users can define how they want to classify traffic on each interface.
  • Page 55 Go to ADVANCED->BW MGMT->Class Setup and select the interface on which you would like to set up the class tree. Click the radio button beside the Root Class, then press 'Add Sub-Class'
  • Page 56 Filter fields: Destination IP Address, the destination IP address that this class matches; Destination Subnet Mask, the destination subnet mask; Destination Port, the destination port number of the traffic.
  • Page 57 We have a 2M/512kbps ADSL link. On the DMZ side we have one FTP server and one media server. Suppose we want to restrict upload FTP traffic to 100kbps and streaming traffic to 300kbps
  • Page 58 Step2. Go to “Class Setup”. Click on Root Class and then click “Add Sub-Class” to create and add a new class under root. We add a service and allocate 100kbps for FTP. Select the Service as FTP from the drop-down list. Specify
  • Page 59 Step3. Add another class, Media. In this case the server IP address is 192.168.1.10 and it uses UDP for streaming. We allocate 300kbps for Media. Select the Service as Custom and set the Protocol ID to 17 for UDP.
  • Page 60 Step 4. Now two services are added (FTP & Media). When you go to Monitor, a Default Class is created automatically and its bandwidth is the rest. This class applies to other kinds of traffic, such as HTTP.
  • Page 61 Activate Bandwidth Management on the interface you want to control; in this example, WAN1. Assign the bandwidth of the ADSL upstream, because Bandwidth Management only manages traffic that “flows out” of the router’s interface.
  • Page 63 Class 2: Budget = 800kbps, Dest. IP = FTP Client B’s IP, Service = FTP, Priority = 3, Borrow enabled. Class 3: Budget = 800kbps, Dest. IP = IPTV Client’s IP, Protocol = UDP.
  • Page 64 We add a service and allocate 400kbps for FTP destined to FTP Client A. Select the Service as FTP from the drop-down list. Enter Client A’s IP address as the Destination IP Address.
  • Page 65 Step3. Add another service and allocate 800kbps for FTP destined to FTP Client B. Select the Service as FTP from the drop-down list. Enter Client B’s IP address as the Destination IP Address.
  • Page 66 Select the Service as Custom from the drop-down list and set the Protocol ID to 17 (UDP). Enter the IPTV user’s IP address as the Destination IP Address. Step 5. Three classes are created for FTP Client A, B & the IPTV user as below:
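The two class trees above (the 512 kbps ADSL upstream with FTP and Media classes on Pages 57-61, and the FTP Client A/B and IPTV classes on Pages 63-66) can be checked with a small model of the classification and budget arithmetic. The following is an added example written for this page, not ZyXEL code. Its assumptions: classes on the outbound interface are matched in order; each class is guaranteed up to its budget; bandwidth nobody is using goes to classes with Borrow enabled, lower priority number first (how ZyNOS breaks ties is not stated on the page); the Default Class gets whatever the interface has left after the configured budgets; FTP is modelled as TCP port 21; the LAN-side link is assumed to be 2048 kbps and the client addresses are constructed, since the page names neither.

```python
"""Added example: classification and budget/borrow arithmetic of a BWM class tree (not ZyXEL code).

Model assumptions: in-order matching; each class guaranteed up to its budget; unused
bandwidth lent to Borrow-enabled classes by priority; Default Class gets the remainder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT = "Default Class"


@dataclass
class BwClass:
    name: str
    budget_kbps: int
    priority: int = 3                 # the page's classes use priority 3
    borrow: bool = False
    src_ip: Optional[str] = None      # filter fields; None = do not care
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None    # 6 = TCP, 17 = UDP
    dst_port: Optional[int] = None

    def matches(self, src_ip: str, dst_ip: str, protocol: int, dst_port: int) -> bool:
        return all(want is None or want == got for want, got in (
            (self.src_ip, src_ip), (self.dst_ip, dst_ip),
            (self.protocol, protocol), (self.dst_port, dst_port)))


def classify(classes: List[BwClass], src_ip: str, dst_ip: str, protocol: int, dst_port: int) -> str:
    """Name of the first class whose filter matches the packet, else the Default Class."""
    for c in classes:
        if c.matches(src_ip, dst_ip, protocol, dst_port):
            return c.name
    return DEFAULT


def allocate(link_kbps: int, classes: List[BwClass], demand: Dict[str, int]) -> Dict[str, int]:
    """Split link_kbps among the classes given what each currently wants to send (kbps)."""
    budgets = {c.name: c.budget_kbps for c in classes}
    if sum(budgets.values()) > link_kbps:
        raise ValueError("class budgets exceed the interface bandwidth")
    budgets[DEFAULT] = link_kbps - sum(budgets.values())
    # Guarantee: every class gets up to its budget.
    grant = {name: min(demand.get(name, 0), budget) for name, budget in budgets.items()}
    # Borrow: hand the spare bandwidth to Borrow-enabled classes, highest priority first.
    spare = link_kbps - sum(grant.values())
    for c in sorted((c for c in classes if c.borrow), key=lambda c: c.priority):
        extra = min(spare, demand.get(c.name, 0) - grant[c.name])
        grant[c.name] += extra
        spare -= extra
    return grant


def dmz_example() -> List[BwClass]:
    """Pages 57-61: 512 kbps ADSL upstream on WAN1; FTP 100 kbps, UDP streaming from 192.168.1.10 300 kbps."""
    return [
        BwClass("FTP", 100, protocol=6, dst_port=21),
        BwClass("Media", 300, src_ip="192.168.1.10", protocol=17),
    ]


def lan_example() -> List[BwClass]:
    """Pages 63-66; the client addresses are constructed, the page does not give them."""
    return [
        BwClass("FTP Client A", 400, dst_ip="192.168.1.101", protocol=6, dst_port=21),
        BwClass("FTP Client B", 800, borrow=True, dst_ip="192.168.1.102", protocol=6, dst_port=21),
        BwClass("IPTV", 800, dst_ip="192.168.1.103", protocol=17),
    ]
```

Two things the arithmetic makes visible: a class without Borrow (FTP in the first tree, Client A in the second) is capped at its budget even when the link is idle, and the sum of the configured budgets must stay at or below the interface bandwidth you entered on the BW MGMT summary page, otherwise the Default Class has nothing left.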
  • Page 67: Secure Connections Across The Internet

    If the ZyWALL is used as the Internet gateway and a public IP address is assigned to the ZyWALL’s WAN interface, the ZyWALL uses this public WAN IP address for terminating the VPN tunnels from remote VPN gateways. In the following example, the local VPN gateway (ZyWALL) uses a static public IP address.
  • Page 68: Configure Zywall With Dynamic Wan Ip Address

    ISP. Since the ZyWALL does not know its WAN IP address before it is assigned, it is difficult or impossible to use the WAN IP address as My Address in the Gateway Policy. To overcome this problem, Dynamic DNS can be used to resolve the VPN gateway. When a new IP
  • Page 69 Therefore the peer VPN gateway can resolve the ZyWALL’s IP address to build a VPN tunnel. In the following example, the local VPN gateway (ZyWALL) uses a dynamic WAN IP address (PPPoE with dynamic IP assignment).
  • Page 70: Configure Zywall Behind Nat Router

    However, in some situations it is not possible to give the IPSec gateway a public IP address, and it must be placed behind the NAT router. For example, the NAT router has a different interface (e.g. leased line,
  • Page 71 (IPSec pass-through) or not. With this option enabled, the ZyWALL can detect whether it is placed behind NAT when the peer VPN entity also supports NAT Traversal. If so, the IPSec traffic will be
  • Page 72: Mapping Multiple Network Policy To Same Gateway Policy

    [Figure: PC 1 reaches Dept. 1 over VPN tunnel 1 and PC 2 reaches Dept. 2 over VPN tunnel 2, both across the Internet; the traffic (PC2 <–> Dept2) is shown on tunnel 2.] The configuration goal is to achieve the following two:
  • Page 73 5) Under Authentication Key, “Pre-Shared Key” or “Certificate” can be used as the authentication method. For detailed usage of “Pre-Shared Key” and “Certificate”, please refer to XXX. In this example, “Pre-Shared Key” is used and the string “12345678” is used only as an illustration; a production pre-shared key should be long and random, not a short guessable string like this one.
  • Page 74 7) Under “IKE Proposal”, select the Encryption and Authentication Algorithm. Note that the configuration must be consistent on both ZyWALLs (GW1 & GW2). 8) Click “Apply” to save the profile. 9) The IKE rule will be configured as below:
  • Page 75 If you need to change to another pre-defined Gateway Policy, you can select it from the drop-down list. 13) Under “Local Network”, choose “Subnet” and enter “192.168.71.0” and “255.255.255.0” for Dept1 in this example.
  • Page 76 15) Under “IPSec Proposal”, select the Encryption and Authentication Algorithm. Note that the configuration must be consistent on both ZyWALLs (GW1 & GW2). 16) Click “Apply” to save the profile. 17) The new Network Policy, PC1-to-Dept1, is added to the Gateway Policy.
  • Page 77: Using Ddns For Vpn Redundancy

    DNS-> DDNS The ZyWALL updates its DDNS entry with the other WAN interface when the specified WAN interface is not available, so the next VPN connection goes through the second WAN interface.
  • Page 78: Using Certificate For Device Authentication

    1) Using Self-signed Certificates (both entities must be ZyXEL IPSec gateways) 2) Online Enroll Certificates 3) Offline Enroll Certificates This example shows how to use the PKI feature in the VPN function of a ZyXEL appliance. Through the PKI function, users can achieve peer identification during VPN/IPSec negotiation. Using Self-signed Certificates For customers who don't have CA service support in their environment but would like to use the PKI feature, the ZyWALL provides self-signed certificates to achieve this.
  • Page 79 Apply button in the following page the first time you log in to the ZyWALL. If you reset the ZyWALL to the default configuration file, the original self-signed certificate is also erased, and a
  • Page 80 Notepad) and then save it to your local computer in PEM (Base-64) Encoded Format. Then import the certificate to the other ZyWALL VPN gateway: go to the other ZyWALL and click the “Import” button under CERTIFICATES->Trusted Remote Hosts
  • Page 81 Type and Content in My Certificate. You must configure the same setting on the peer ZyWALL and vice versa. For example, on the local ZyWALL the Local ID Type is E-mail and the content is 00A0C5012345@auto.gen.cert, so configure the Peer ID Type and content accordingly on the peer ZyWALL.
  • Page 82: Online Enroll Certificates

    Online Enroll Certificates This example shows how to use the PKI feature in the VPN function of a ZyXEL appliance. Through the PKI function, users can achieve peer identification during VPN/IPSec negotiation. With online enrollment, the ZyWALL first creates a certification request locally, then sends the request to a trusted CA (Certificate Authority) server, and finally gets a certificate for further use.
  • Page 83 5. Set the Enrollment Protocol to Simple Certificate Enrollment Protocol (SCEP). 6. In the "CA Server's Address" field, enter the URL of the CA server, for example http://1.1.1.1:8080/scep/ 7. Choose the previously downloaded CA server's certificate from the drop-down list.
  • Page 84 After pressing the Apply button, the ZyWALL creates the certification request and sends it to the CA server for enrollment. It may take a minute or so to complete the whole process. After the CA server agrees to issue the corresponding certificate, you will find a newly enrolled certificate in My Certificates.
  • Page 85 6. In the "CA Server's Address" field, enter the URL of the CA server, for example http://1.1.1.1:8080/scep/ 7. Choose the previously downloaded CA server's certificate from the drop-down list. 8. Enter the user name and password if necessary. 9. Then click Apply.
  • Page 86 After pressing the Apply button, the ZyWALL creates the certification request and sends it to the CA server for enrollment. After the CA server agrees to issue the corresponding certificate, the ZyWALL receives it automatically, and you will find a newly enrolled certificate in My Certificates.
  • Page 87 7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list. 8. Fill in My IP address= "192.168.1.35" 9. Peer ID type= "ANY" 10. Secure Gateway Address= "192.168.1.36" 11. Encapsulation Mode="Tunnel" 12. Leave the other options as default.
  • Page 88 13. You can check the detailed settings by clicking the Advanced button.
  • Page 89 7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list. 8. Fill in My IP address= "192.168.1.36" 9. Peer ID type= "ANY". 10. Secure Gateway Address= "192.168.1.35" 11. Encapsulation Mode="Tunnel" 12. Leave the other options as default.
  • Page 90 13. You can check the detailed settings by clicking the Advanced button.
  • Page 91: Offline Enroll Certificates

    Step 3. Create the certificate request on ZyWALL B. Step 4. Enroll the certificate request with Windows 2000. Step 5. Set up the VPN rule on ZyWALL A. Step 6. Set up the VPN rule on ZyWALL B.
  • Page 92 [Figure: ZyWALL A, LAN 10.1.133.1 (10.1.133.0/24), WAN 192.168.1.35; ZyWALL B, LAN 192.168.2.1 (192.168.2.0/24), WAN 192.168.1.36.] Step 1. Create Certificate Request on ZyWALL A 1. Go to VPN->My Certificates -> Click the Create button.
  • Page 93 3. Wait 1-2 minutes until "Request Generation Successful" is displayed. During this period, the ZyWALL is creating the private/public key pair and the certificate request. 4. After creating the certificate request, the ZyWALL returns a Successful message.
  • Page 94 1. Copy the content of the certificate in PEM Encoded Format by selecting all of the content, then right-click your mouse and select Copy. Keep the copy in the clipboard to paste later.
  • Page 95 CA server may be different; you may need to check with your CA service provider for details. For how to set up a Windows 2000 CA server, users may refer to http://www.microsoft.com. 2. Enter the URL to access the CA server and type in the User Name/Password/Domain fields.
  • Page 96 3. Select Request a Certificate, then press the Next> button.
  • Page 97 4. Choose Advanced request, then press the Next> button.
  • Page 98 5. Choose "Submit a certificate request using a base64...", then press the Next> button.
  • Page 99 6. Right-click your mouse, then paste the certificate request you got in step 2.1.
  • Page 100 7. Click "Download CA certification path" 8. A file download pops up; press the Save button and choose the local folder where you would like to store the certification path.
  • Page 101 9. Double-click the saved file, select Certificates, right-click the Certificate, and choose All Tasks-> Export... 10. The Certificate Export Wizard pops up; press Next>.
  • Page 102 11. Choose DER encoded binary X.509 (.CER), then press Next>. 12. Specify the path to store your exported certificate.
  • Page 103 13. Click Finish. 14. Go to ZyWALL WEB GUI -> VPN -> My Certificates -> click the Import button. 15. Click the Browse... button to find the location where you stored the ZyWALL's certificate, then press the Apply button.
  • Page 104 ZyWALL's certificate, such as zywall_a.cert.cert in this example, and select Certification Path to view the nearest CA server's name, and then export that CA server's certificate. Import the saved CA server's certificate: click the Browse... button, and then select the location.
  • Page 105 After importing the CA's certificate, you will get this display. Step 3. Create Certificate Request on ZyWALL_B 1. Go to VPN->My Certificates -> Click the Create button.
  • Page 106 Unit, Organization, Country are optional fields; you are free to enter them or not. Finally, specify the key length and select Create a certification request and save it locally for later manual enrollment.
  • Page 107 4. After creating the certificate request, the ZyWALL returns a Successful message. 5. In the My Certificates tab, you get a new entry in grey. This is the certificate request you just created. Click Details to export the request.
  • Page 108 CA server may be different; you may need to check with your CA service provider for details. For how to set up a Windows 2000 CA server, users may refer to http://www.microsoft.com. 2. Enter the URL to access the CA server and type in the User Name/Password/Domain fields.
  • Page 109 3. Select Request a Certificate, then press the Next> button.
  • Page 110 4. Choose Advanced request, then press the Next> button.
  • Page 111 5. Choose "Submit a certificate request using a base64...", then press the Next> button.
  • Page 112 6. Right-click your mouse, then paste the certificate request you got in step 4.1.
  • Page 113 7. Click "Download CA certification path" 8. A file download pops up; press the Save button and choose the local folder where you would like to store the certification path.
  • Page 114 9. Double-click the saved file, select Certificates, right-click the Certificate, and choose All Tasks-> Export... 10. The Certificate Export Wizard pops up; press Next>.
  • Page 115 11. Choose DER encoded binary X.509 (.CER), then press Next>.
  • Page 116 12. Specify the path to store your exported certificate.
  • Page 117 13. Click Finish. 14. Go to ZyWALL WEB GUI -> VPN -> My Certificates -> click the Import button. 15. Click the Browse... button to find the location where you stored the ZyWALL's certificate, then press the Apply button.
  • Page 118 ZyWALL's certificate, such as zywall_a.cert.cert in this example, and select Certification Path to view the nearest CA server's name, and then - export that CA server's certificate. Import the saved CA server's certificate. Click Browse... button, and then select the location. All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 119 6. Edit Remote: Address Type="Subnet Address", Starting IP Address="192.168.2.0", End IP Address/Subnet Mask="255.255.255.0" 7. Authentication Key, Select Certificate, and choose certificate you enrolled for this device from drop down list. 8. Fill in My IP address= "192.168.1.35" All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 120 ZyWALL 35 Support Notes 9. Peer ID type= "ANY". 10. Secure Gateway Address= "192.168.1.36" 11. Encapsulation Mode="Tunnel" 12. Leave other options as default. All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 121 ZyWALL 35 Support Notes 13. You can check detailed settings by clicking Advanced button. All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 122 7. Authentication Key, Select Certificate, and choose certificate you enrolled for this device from drop down list. 8. Fill in My IP address= "192.168.1.36" 9. Peer ID type= "ANY". 10. Secure Gateway Address= "192.168.1.35" 11. Encapsulation Mode="Tunnel" 12. Leave other options as default. All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 123 ZyWALL 35 Support Notes 13. You can check detailed settings by clicking Advanced button. All contents copyright (c) 2006 ZyXEL Communications Corporation.
  • Page 124: Using Pre-Shared Key For Device Authentication

    5) When IP is selected as ID Type, the Content must be in the format X.X.X.X (e.g. 210.242.82.70). 6) When DNS or E-mail is selected as ID Type, the same string must be configured on both entities.
  • Page 125: Using Vpn Routing Between Branches

    VPN tunnels between branch offices are needed. In this support note we skip the detailed configuration steps for Internet access and presume that you are familiar with basic ZyNOS VPN configuration.
  • Page 126 B are contiguous, we merge them into one single rule by including both segments in the Remote section. If the two segments are not contiguous, we strongly recommend setting up separate rules for them: a single rule wide enough to span the gap would also admit traffic to and from every address in between. 1. Go to SECURITY -> VPN -> press the Add button.
  • Page 127 11. Set Encryption Algorithm to DES and Authentication Algorithm to SHA-1. These parameters are for the IKE phase 2 negotiation. You can set more detailed configuration by pressing the Advanced button. 12. Enter the key string 12345678 in the Pre-shared Key text box and click Apply. (DES and the eight-digit key keep this example short; for a production tunnel choose the strongest cipher both peers support and a long random pre-shared key.)
  • Page 128 You can set up the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Make sure that every parameter you set in this menu matches the corresponding VPN rule in headquarters; a mismatch in any one of them makes the negotiation fail.
  • Page 129 To avoid such a situation, we need two separate rules to cover the LAN segments of branch office A and headquarters. This rule is for branch office B to access headquarters' LAN and branch A's LAN.
  • Page 130
  • Page 131 VPN rule in headquarters. 3. Set up VPN in Headquarters 1. The corresponding rule for Branch_A in headquarters
  • Page 132
  • Page 133 2. The corresponding rule for Branch_B
  • Page 134
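The rule of thumb on page 126 (merge contiguous segments, keep separate rules otherwise) can be worked out mechanically. The Python script below is an added example and is not part of the ZyXEL notes; it assumes the ZyWALL Remote section offers Single, Range and Subnet address types (the pages above only show Subnet Address) and uses branch subnets modelled on this section's topology as constructed sample input. It also quantifies the warning above: a single Range selector stretched across a gap admits every address in the gap.

```python
from ipaddress import IPv4Address, ip_network, collapse_addresses


def plan_remote_rules(segments):
    """Return the Remote selectors one VPN rule set needs for the given segments.

    segments: CIDR strings reachable through the peer.
    Contiguous and CIDR-aligned blocks become one Subnet selector; contiguous
    but unaligned blocks become one Range selector; blocks separated by a gap
    each get their own selector, so no selector ever covers an address that is
    not part of a listed segment.
    """
    nets = sorted((ip_network(s, strict=True) for s in segments),
                  key=lambda n: int(n.network_address))
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError(f"overlapping segments: {a} and {b}")

    rules = []
    i = 0
    while i < len(nets):
        j = i
        end = nets[i].broadcast_address
        # extend the group while the next block starts right after this one
        while j + 1 < len(nets) and int(nets[j + 1].network_address) == int(end) + 1:
            j += 1
            end = nets[j].broadcast_address
        merged = list(collapse_addresses(nets[i:j + 1]))
        if len(merged) == 1:
            # aligned: the whole group is exactly one CIDR block
            rules.append(("Subnet Address",
                          str(merged[0].network_address), str(merged[0].netmask)))
        else:
            # contiguous but not aligned: cover it with a start/end range
            rules.append(("Range Address", str(nets[i].network_address), str(end)))
        i = j + 1
    return rules


def gap_addresses(start, end, segments):
    """Count the addresses inside one Range selector that belong to no listed segment."""
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    covered = sum(n.num_addresses for n in map(ip_network, segments)
                  if lo <= int(n.network_address) and int(n.broadcast_address) <= hi)
    return hi - lo + 1 - covered


if __name__ == "__main__":
    # constructed sample segments, modelled on the branch topology of this section
    print(plan_remote_rules(["192.168.2.0/24", "192.168.3.0/24"]))  # one /23 Subnet selector
    print(plan_remote_rules(["192.168.1.0/24", "192.168.2.0/24"]))  # contiguous but not /23 aligned: Range
    print(plan_remote_rules(["192.168.1.0/24", "192.168.4.0/24"]))  # gap: two separate selectors
    print(gap_addresses("192.168.1.0", "192.168.4.255",
                        ["192.168.1.0/24", "192.168.4.0/24"]))      # 512 unintended addresses
```

The third case is the one the page warns about: covering 192.168.1.0/24 and 192.168.4.0/24 with a single selector from 192.168.1.0 to 192.168.4.255 would let 512 addresses that belong to neither branch ride the tunnel.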
  • Page 135: Nat Over Ipsec On Zynos

    An IPSec VPN based on this network topology is not possible as it stands, since it would cause a routing problem. You are required to manually
  • Page 136 WAN interfaces according to the application scenario and network topology you planned. Configure both ZyWALLs' LAN and WAN interfaces with the proper IP address and network mask. ZyWALL 1 (Local)
  • Page 137 "My Address" on ZyWALL 1 with IP address 172.16.4.254 and the "Primary Remote Gateway" as 172.16.5.254. Assign "My Address" on ZyWALL 2 with IP address 172.16.5.254 and the "Primary Remote Gateway" as 172.16.4.254. Gateway Policy on ZyWALL 1
  • Page 138 Gateway Policy on ZyWALL 1. Click "Apply" to complete the settings. Repeat the steps for ZyWALL 2.
  • Page 139 Gateway Policy on ZyWALL 2. STEP 3: Create the Network Policy (Phase 2) on ZyWALL 1 and ZyWALL 2. After completing the settings for the "Gateway Policy", click "Add Network Policy" to add a network
  • Page 140 In the "Virtual Starting IP Address" field, we specify the new IP address after NAT. In the figure above, the virtual IP addresses on ZyWALL 1 run from 172.16.2.1 to 172.16.2.254.
  • Page 141 On ZyWALL 1, the remote network becomes 172.16.3.0. Click "Apply" to complete the setting. Repeat the steps on ZyWALL 2 to configure its Network Policy.
  • Page 142 On ZyWALL 2, the virtual IP addresses run from 172.16.3.1 to 172.16.3.254. STEP 4: Establish the IPSec VPN Tunnel Connection
  • Page 143 STEP 5: Validate NAT over IPSec with the PING command. Once the VPN tunnel is established, ping the following hosts to confirm that the NAT function works correctly. Hosts on either LAN must address the remote side by its virtual addresses (172.16.3.x from ZyWALL 1's LAN, 172.16.2.x from ZyWALL 2's LAN), never by the real LAN address.
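The translation that the two Network Policies perform can be traced with the following Python script. It is an added example, not code from the ZyXEL notes. It assumes both sites use the same LAN subnet (192.168.1.0/24 is assumed; the pages above do not show the real LAN addresses), uses the page's virtual subnets 172.16.2.0/24 on ZyWALL 1 and 172.16.3.0/24 on ZyWALL 2, and models the one-to-one mapping as a same-host-offset translation (an assumption consistent with a virtual block of 172.16.2.1 to 172.16.2.254 fronting a /24 LAN). The validate() check catches the two configuration errors a practitioner most often makes: virtual subnets that overlap each other, or that collide with a real LAN.

```python
from ipaddress import ip_address, ip_network


class NatOverIpsecPlan:
    """Models the two Network Policies of a NAT-over-IPSec tunnel.

    Each site keeps its real LAN but presents a virtual subnet to the peer;
    the IPSec selectors carry only virtual addresses, which is why the real
    subnets are allowed to overlap.  Mapping is one-to-one by host offset
    (assumed; see the lead-in).
    """

    def __init__(self, lan1, virtual1, lan2, virtual2):
        self.sites = {
            1: (ip_network(lan1), ip_network(virtual1)),
            2: (ip_network(lan2), ip_network(virtual2)),
        }

    def validate(self):
        """Return a list of configuration problems; empty means the plan is sound."""
        problems = []
        (lan1, v1), (lan2, v2) = self.sites[1], self.sites[2]
        if not lan1.overlaps(lan2):
            problems.append("LANs do not overlap; a plain tunnel on the real subnets would do")
        if v1.overlaps(v2):
            problems.append("virtual subnets overlap each other")
        for site, (lan, virt) in self.sites.items():
            if lan.num_addresses != virt.num_addresses:
                problems.append(f"site {site}: virtual block must be the same size as the LAN")
            if virt.overlaps(lan1) or virt.overlaps(lan2):
                problems.append(f"site {site}: virtual subnet collides with a real LAN")
        return problems

    def selectors(self, site):
        """(local, remote) networks that go into this site's Network Policy."""
        other = 2 if site == 1 else 1
        return str(self.sites[site][1]), str(self.sites[other][1])

    def to_virtual(self, site, real_ip):
        """Source NAT applied by the site's ZyWALL on traffic entering the tunnel."""
        lan, virt = self.sites[site]
        a = ip_address(real_ip)
        if a not in lan:
            raise ValueError(f"{real_ip} is not in site {site} LAN {lan}")
        return str(ip_address(int(virt.network_address) + (int(a) - int(lan.network_address))))

    def to_real(self, site, virtual_ip):
        """Destination NAT applied by the site's ZyWALL on traffic leaving the tunnel."""
        lan, virt = self.sites[site]
        a = ip_address(virtual_ip)
        if a not in virt:
            raise ValueError(f"{virtual_ip} is not in site {site} virtual subnet {virt}")
        return str(ip_address(int(lan.network_address) + (int(a) - int(virt.network_address))))

    def trace_ping(self, src_real, dst_virtual):
        """(src, dst) header pairs as an echo request from site 1 travels to a site 2 host."""
        on_lan1 = (src_real, dst_virtual)
        in_tunnel = (self.to_virtual(1, src_real), dst_virtual)    # ZyWALL 1 rewrites the source
        on_lan2 = (in_tunnel[0], self.to_real(2, dst_virtual))     # ZyWALL 2 rewrites the destination
        return [on_lan1, in_tunnel, on_lan2]


if __name__ == "__main__":
    # constructed plan: identical LANs (assumed) behind the page's virtual subnets
    plan = NatOverIpsecPlan("192.168.1.0/24", "172.16.2.0/24", "192.168.1.0/24", "172.16.3.0/24")
    print(plan.validate())                                   # []
    print(plan.selectors(1), plan.selectors(2))              # what each Network Policy carries
    print(plan.trace_ping("192.168.1.10", "172.16.3.20"))    # STEP 5 ping, hop by hop
```

The trace shows why STEP 5 pings the virtual address: the packet that reaches site 2's LAN carries a virtual source (172.16.2.10), so the reply is routed back into the tunnel rather than to the local host with the same real address.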
  • Page 144: Never Lose Your Vpn Connection (Ipsec High Availability)

    Ping the IPSec remote gateway. Ping the remote host by the virtual IP address that is located on the remote network. Never lose your VPN connection (IPSec High Availability). Set up ZyWALL VPN with high availability
  • Page 145: How To Configure The Vpn Ha

    This is avoided with the dual WAN connection feature on ZyXEL security gateways. When the primary WAN connection is down, ZyXEL's dual WAN connection feature backs up the primary WAN connection and automatically transfers VPN connections to the secondary WAN connection.
  • Page 146 WAN connection. In this example, the check interval is 28800 seconds. Set the other fields in the configuration screen depending on your network environment. The check interval sets how often the primary WAN is probed, so it bounds how long a failure can go unnoticed; 28800 seconds is 8 hours, far longer than most sites can tolerate, so pick an interval that matches the outage your users can accept.
  • Page 147: Access Control And Security Vpn Connection (Security Policy Enforcement Ipsec)

    VPN gateway to connect from the central office to the ZyWALL 2 Plus in the branch office. If you are using a ZyWALL 70 or ZyWALL 35 as the remote VPN gateway, you also get the redundant WAN/VPN feature. In this case, enter 0.0.0.0 in the My IP Address field so that the system automatically detects the IP address of the active WAN interface.
  • Page 148: How To Configure Access Control Rule Over Vpn

    192.168.2.33 to access the local LAN subnet 192.168.1.0/24. The default for VPN to LAN traffic is permit, so we have to add a VPN to LAN access control rule in the rule summary sub menu.
  • Page 149 Click the Insert button to insert a new rule. Edit the source and destination addresses as 192.168.2.33 and 192.168.1.0/255.255.255.0.
  • Page 150 Set the service type to Any to block all kinds of traffic from 192.168.2.33 to the LAN subnet, set Action for Matched Packets to Drop, then click Apply to save and activate the configuration.
  • Page 151 The new rule now shows in the rule summary page. This achieves our goal of blocking all traffic from VPN remote host 192.168.2.33 to the LAN subnet. Because the firewall applies the first matching rule, the Drop rule must sit above any broader permit rule for the same direction; a rule inserted below a permit-any rule is never reached.
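The following Python script models the rule summary's first-match evaluation and checks a rule set for shadowing (a rule that an earlier, broader rule prevents from ever matching). It is an added example, not ZyXEL code; the Rule fields mirror the source, destination, service and action columns shown on pages 149 and 150, the VPN to LAN default of permit is taken from page 148, and the "Allow-VPN" rule used to demonstrate shadowing is constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR, or a single address (treated as /32)
    dst: str
    service: str   # "Any" or "<proto>/<port>", e.g. "TCP/80"
    action: str    # "Permit" or "Drop"


def matches(rule, pkt):
    """pkt is (src_ip, dst_ip, proto, port) for one packet in the VPN to LAN direction."""
    src, dst, proto, port = pkt
    if ip_address(src) not in ip_network(rule.src):
        return False
    if ip_address(dst) not in ip_network(rule.dst):
        return False
    return rule.service == "Any" or rule.service == f"{proto}/{port}"


def evaluate(rules, default_action, pkt):
    """First-match evaluation, top to bottom, falling back to the direction's default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default_action, "default"


def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them entirely."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.service in ("Any", later.service)):
                names.append(later.name)
                break
    return names


VPN_TO_LAN_DEFAULT = "Permit"   # page 148: default VPN to LAN traffic is permit

if __name__ == "__main__":
    block_host = Rule("Block-2.33", "192.168.2.33/32", "192.168.1.0/24", "Any", "Drop")   # pages 149-150
    allow_vpn = Rule("Allow-VPN", "192.168.2.0/24", "192.168.1.0/24", "Any", "Permit")    # constructed
    probe = ("192.168.2.33", "192.168.1.10", "TCP", 80)

    print(evaluate([block_host], VPN_TO_LAN_DEFAULT, probe))              # ('Drop', 'Block-2.33')
    print(evaluate([allow_vpn, block_host], VPN_TO_LAN_DEFAULT, probe))   # ('Permit', 'Allow-VPN')
    print(shadowed([allow_vpn, block_host]))                              # ['Block-2.33']
```

Run shadowed() over the rule summary after any insert: the second evaluate() call shows what happens when the Drop rule is appended below a broad permit instead of inserted above it, and the same ordering trap applies to the NetScreen policy list (page 177) and the Check Point rule base later in this document.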
  • Page 152: How To Configure Security Policy (Av/Idp/As) Over Vpn

    ZyWALL scans the traffic from VPN to any destination. VPN to VPN traffic means more than one tunnel terminates on one ZyWALL, and traffic that passes through one VPN tunnel into another is treated as the VPN to VPN traffic type.
  • Page 153 The configurable scan direction also applies to AntiVirus, so the ZyWALL can inspect packets either from VPN or to VPN as well. AntiSpam has the same matrix for configuring the inspection direction. Thus, we can
  • Page 154: How To Configure Web Filtering Rule Over Vpn - Content Filter

    Content filtering over VPN can only be enabled after the content filter global switch is enabled; otherwise the Enable content filter for VPN traffic option is greyed out.
  • Page 155: Zywall Vs 3Rd Party Vpn Gateway

    Because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the ZyWALL and the SonicWALL are explained in the following sections. As the red pipe in the following figure shows, the tunnel endpoints are the ZyWALL router and the SonicWALL router.
  • Page 156 1. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234; change that password before the device carries production traffic. 2. Go to SECURITY -> VPN -> press the Add button. 3. Give your policy a name, for example "ToSonicWALL".
  • Page 157 6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5 and Key Group to DH1, then press the Apply button on this page.
  • Page 158 8. You will see an IKE rule on your VPN page; press the L/R button to edit your IPSec rule. 9. Check the Active check box and give this policy a name.
  • Page 159 12. On Remote Network, choose Subnet Address as your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site's LAN IP addresses. In this example, type 192.168.168.0 in the Starting IP Address field and 255.255.255.0 in the Ending IP Address/Subnet field.
  • Page 160 13. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, then press the Apply button on this page. 14. When you have finished your settings, you will see the following page.
  • Page 161 Go to the VPN page, check the Enable VPN check box, then press the Add button; this brings up a page on which you can enter your VPN settings. (Note: you could use the VPN Policy Wizard to set up your VPN rules as well.)
  • Page 162 4. Network IP Address and Subnet Mask are your remote site's LAN IP addresses. In this example, type 192.168.1.0 in the Network text box and 255.255.255.0 in the Subnet Mask text box, then press the OK button.
  • Page 163 Encryption to DES and Authentication to MD5. On the IPsec (Phase 2) proposal settings, select ESP Protocol, Encryption to DES and Authentication to SHA1. Then press the OK button on this page. 6. When you have finished your settings, you will see the following page.
  • Page 164: Netscreen With Zywall Vpn Tunneling

    Because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the ZyWALL and the NetScreen are explained in the following sections. As the red pipe in the following figure shows, the tunnel endpoints are the ZyWALL router and the NetScreen router.
  • Page 165 1. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field. 2. Go to SECURITY -> VPN -> press the Add button. 3. Give your policy a name, for example "ToNetScreen".
  • Page 166 8. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 9. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5 and Key Group to DH1, then click the Apply button on this page.
  • Page 167 10. You will see an IKE rule on your VPN page; click the L/R button to edit your IPSec rule. 11. Check the Active check box and give this policy a name.
  • Page 168 14. On Remote Network, choose Subnet Address as your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site's LAN IP addresses. In this example, type 192.168.1.0 in the Starting IP Address field and 255.255.255.0 in the Ending IP Address/Subnet field.
  • Page 169 15. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, then press the Apply button on this page. 16. When you have finished your settings, you will see the following page.
  • Page 170 Click Network -> Interfaces; the trust IP/Netmask is used for the LAN and the untrust IP/Netmask for the WAN. Note: for details of these settings, refer to the NetScreen user guide.
  • Page 171 ZyWALL's WAN IP address. In this example, select the Static IP Address option and enter 172.22.3.89 in the text box. Enter the key string 12345678 in the Preshared Key text box, then press the Advanced button to edit the advanced settings.
  • Page 172 Mode (Initiator). Then press the Return button, and press the OK button on the next page to save your settings. 7. When you have finished the settings, you will see an IKE rule on the page.
  • Page 173 10. On Security Level settings, choose the User Defined option, and choose the nopfs-esp-des-sha rule for the Phase 2 Proposal. nopfs-esp-des-sha means no PFS, ESP protocol, DES encryption and SHA1 authentication; it must agree with the ZyWALL's IPSec Proposal on page 169, and the PFS setting in particular must be the same on both sides.
  • Page 174 13. On your main page, click Policies to set up your policy rules. Choose From: Trust and To: Untrust (i.e. from LAN to WAN), then press the New button to edit your policy rules.
  • Page 175 16. Set Action to Tunnel and select the ToZyWALLIPSecVPN rule. Check the Modify matching bidirectional VPN policy check box; this creates or modifies the VPN policy for the opposite direction. Then press the OK button to save your settings.
  • Page 176 17. When you have finished the settings, you will see the policy rules on the page.
  • Page 177 18. Move your policy rules to the top so that the device checks them first; a broader rule placed above them would match the VPN traffic first and the tunnel policy would never apply.
  • Page 178: Check Point With Zywall Vpn Tunneling

    ZyWALL and Check Point are explained in the following sections. As the red pipe in the following figure shows, the tunnel endpoints are the ZyWALL router and a PC which runs Check Point software.
  • Page 179 1. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234. 2. Go to SECURITY -> VPN -> press the Add button. 3. Give your policy a name, for example "ToCheckPoint".
  • Page 180 6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5 and Key Group to DH1, then press the Apply button on this page.
  • Page 181 8. After you press the Apply button, you will see an IKE rule on this page; press the L/R button to edit your IPSec rule. 9. Check the Active check box and give this policy a name. 10. On Gateway Policy Information, choose the ToCheckPoint IKE policy for your IPSec rule.
  • Page 182 Address/Subnet field. 13. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, then press the Apply button on this page.
  • Page 183 14. After you press the Apply button, you will see the following page. 2. Set up Check Point VPN. I. Set up Network Objects
  • Page 184 Host) 5. If your Check Point object is a Check Point Host, select the object, right click it, then choose Convert To Gateway to change its settings.
  • Page 185 6. On General Properties, the IP Address field is the WAN IP of your PC. In this example, type 172.22.2.58 in the text box. On Check Point Products settings, check the VPN check box.
  • Page 186 7. On Topology settings, you should see IP settings for two interfaces if your PC has two network cards.
  • Page 187 9. Select the 192.168.2.0 interface and press the Edit button to check its settings. On the Topology screen, choose Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings.
  • Page 188 II. Set up Interoperable Device 10. On the main menu, click Manage -> Network Objects.
  • Page 189 11. You will see the network objects window; press the New button and select Interoperable Device.
  • Page 190 12. On General Properties settings, give the Interoperable Device a name and an IP address. In this example, the IP address is the ZyWALL's WAN IP address. 13. On Topology settings, press the Add button to add a new interface.
  • Page 191 ZyWALL's WAN port settings. 15. On the Topology screen, choose External (leads out to the internet) for the interface. Then press the OK button to save the settings. 16. Press the Add button to add another interface.
  • Page 192 18. On the Topology screen, choose Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings.
  • Page 193 19. Press the OK button to save the settings.
  • Page 194 III. Set up Networks
  • Page 195 20. Select the Networks object, right click it, and choose New Network. 21. Give your network object a name and set the network IP address to 192.168.1.0/24. Then press the OK button to save the settings.
  • Page 196 22. Add another network object with the network IP address 192.168.2.0/24, then press the OK button to save the settings. IV. Set up VPN Communities 23. Click the VPN Communities tab. 24. On VPN Communities, click New -> Site To Site -> Star
  • Page 197 25. On General settings, give your VPN community a name, for example CheckPoint_ZyWALL. 26. On Center Gateways settings, press the Add button to add a center gateway.
  • Page 198 27. If you have completed the previous settings, you should see a central gateway here. Select the gateway, then press the OK button. 28. On Satellite Gateways settings, press the Add button to add a remote gateway.
  • Page 199 29. If you have completed the previous settings, you should see a remote gateway here. Select the gateway, then press the OK button.
  • Page 200 30. On VPN Properties settings, set Encryption Algorithm to DES and Authentication Algorithm to MD5 for phase 1, and Encryption Algorithm to DES and Authentication Algorithm to SHA1 for phase 2. 31. On Tunnel Management, leave the default settings.
  • Page 201 32. On VPN Routing settings, choose the To center, or through the center to other satellites, to internet and other VPN targets option. 33. On Shared Secret settings, choose the ToZyWALL option and press the Edit button.
  • Page 202 34. Enter the secret key in the text box, then press the OK button. 35. On Advanced VPN Properties settings, choose Group 1 for the Diffie-Hellman setting.
  • Page 203 36. Press the OK button to save your settings.
  • Page 204 37. After you press the OK button, you should see a new object here. V. Set up Security 38. Click the Security tab on the right side to configure the security settings.
  • Page 205 39. Press the Add button to add a rule. 40. On the default rule, select the source field, right click it, then choose the Add... option to add your network objects.
  • Page 206 42. In the same way, add another network object (Net_192.168.2.0) to the source field. 43. In the destination field, add your network objects the same way: Net_192.168.1.0 and Net_192.168.2.0.
  • Page 207 45. On VPN Match Conditions, choose the Only connections encrypted in specific VPN Communities option and press the Add button to add a community to your rule. 46. Choose the CheckPoint_ZyWALL object for your rule and press the OK button.
  • Page 208 47. Click the OK button to save your settings. 48. In the action field, right click and choose the accept option for your rule.
  • Page 209 49. In the track field, right click and choose the Log option for your rule. 50. When you have finished the settings, you should see a rule as below.
  • Page 210 51. Press the Add button to add another rule that drops packets which do not match your VPN rule, so that only connections encrypted in the community are accepted between the two networks. VI. Install Policy 52. On your main menu, click Policy -> Install... to install your policy. 53. Select your policy and press the OK button to install it.
  • Page 211 54. Wait a few seconds for the installation.
  • Page 212 55. If the policy installs successfully, your VPN tunnel should work normally with your ZyWALL.
  • Page 213: Fortinet With Zywall Vpn Tunneling

    Because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the ZyWALL and the FortiNet are explained in the following sections. As the red pipe in the following figure shows, the tunnel endpoints are the ZyWALL router and the FortiNet router.
  • Page 214 3. Give your policy a name, for example "ToFortiNet". 4. My IP Addr is the WAN IP of the ZyWALL. In this example, type 172.22.1.147 in the My ZyWALL text box.
  • Page 215 6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. 7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5 and Key Group to DH1, then click the Apply button on this page.
  • Page 216 8. After you press the Apply button, you will see an IKE rule on this page; click the L/R button to edit your IPSec rule. 9. Check the Active check box and give this policy a name.
  • Page 217 12. On Remote Network, choose Subnet Address as your Address Type. Starting IP Address and Ending IP Address/Subnet are your remote site's LAN IP addresses. In this example, type 192.168.1.0 in the Starting IP Address field and 255.255.255.0 in the Ending IP Address/Subnet field.
  • Page 218 13. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, then press the Apply button on this page. 14. After you press the Apply button, you will see the following page.
  • Page 219 ZyWALL's WAN IP address. In this example, select the Static IP Address option and enter 172.22.1.147 in the text box. Choose Main mode and enter the key string 12345678 in the Preshared Key text box. Then press the Advanced button to edit the advanced settings.
  • Page 220 4. On P1 Proposal settings, set Encryption to DES, Authentication to MD5 and DH Group to Group1. Then press the "-" button to delete the second P1 proposal. 5. Uncheck the Nat-traversal check box, then press the OK button to save the settings.
  • Page 221 IPSec rules. 8. Give your VPN a name, for example "ToZyWALL IPSec", and choose the ToZyWALL policy as your Remote Gateway. Then press the Advanced button to edit the advanced settings.
  • Page 222 9. On P2 Proposal settings, set Encryption to DES and Authentication to SHA1, and press the "-" button to delete the second P2 proposal. 10. Uncheck the Enable perfect forward secrecy (PFS) check box, then press the OK button to save the settings.
  • Page 223 11. After you press the OK button, you will see your IPSec rule (Phase 2) on this page. 12. On the main page, click Firewall -> Address, then press the Create New button to edit your address rules.
  • Page 224 192.168.2.0/24 as the IP Range/Subnet for the ZyWALL network. Then press the OK button to save your settings. 16. After you have finished the settings, you should see two address rules on this page.
  • Page 225 ZyWALL network rule as your destination address. 20. On Action settings, choose the ENCRYPT option and choose the ToZyWALL IPSec rule as your VPN Tunnel. Then press the OK button to save your settings.
  • Page 226 22. Click VPN -> IPSec -> Monitor; this page displays a table listing all the VPN rules configured on the FortiNet device. You can check the link states here to see whether your VPN tunnel is up or down.
  • Page 227: Remote Access Vpn Scenario

    Gateway Address, ZyWALL accepts all attempts from any IP address and authenticates the remote VPN device with a pre-shared key or certificate. If the remote entity passes authentication, ZyWALL and the remote entity then generate dynamic shared keys for the IKE SAs and IPSec/QM SAs.
  • Page 228: Using Xauth For User Authentication

    IKE authentication. Since remote users may use the same pre-shared key for device authentication, there may be a problem once the key is compromised. Hence, an extra authentication would be more
  • Page 229 Policy”. Select “Server Mode” on the VPN concentrator. There are two kinds of user identification (username/password) databases that can be used for authentication: Local_User and RADIUS. (Note that Local_User is checked first, then RADIUS, if both exist.)
  • Page 230: Zyxel Vpn Client To Zywall Tunneling

    As shown in the figure below, the tunnel between PC 2 and ZyWALL ensures that the packets flowing between them are secure, because packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the software and ZyWALL are explained in the following sections.
  • Page 231 202.132.171.33 WAN: 202.132.170.1 1. Setup ZyWALL VPN Client 1. Open ZyWALL VPN Client Security Policy Editor 2. Add a new connection named 'ZyWALL' as shown below. 3. Set Connection Security to Secure
  • Page 232 4. In the ID Type option, choose IP Address and enter the IP address of the remote PC (PC 2 in this case). 5. Check Connect using Secure Gateway Tunnel, also select IP Address as ID Type, and enter ZyWALL's WAN IP address in the following field.
  • Page 233 7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window. 8. In the pop-up window, enter a key that you will later also need to configure in ZyWALL. In this example, we enter 12345678. See below.
  • Page 234 Security Policy Settings:
  • Page 235 10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2). 11. The settings shown in the following two figures for both Phases are our examples. You can choose any, but they should match whatever you enter in ZyWALL.
  • Page 237 11. Set Encryption Algorithm to DES and Authentication Algorithm to SHA1, as configured in ZyWALL VPN Client. 12. Enter the key string 12345678 in the Pre-shared Key text box, and click Apply.
  • Page 238 See the VPN rule screen shot. You can further adjust IKE Phase 1/Phase 2 parameters by pressing the Advanced button.
  • Page 239: Flexible Wireless Connection And Security

    LAN or DMZ. Thus, a separate security policy can be applied to the WLAN interface to fulfill the security requirement. We use the ZyWALL 5 UTM as an example to show how to control wireless user traffic.
  • Page 240: Deploy The Zywall Wlan Security Policy

    Switch to NETWORK > WLAN, set up the WLAN interface IP address and configure it as a DHCP server. Thus the PC associated with the AP will be assigned an IP address by ZyWALL. Click Apply to save the setting.
  • Page 241 DHCP. Select WLAN as the selected interface and correctly configure the DNS server IP address. The WLAN host cannot resolve domain names to IP addresses if the DNS server is misconfigured on this page.
  • Page 242 LAN, DMZ, WLAN and VPN interfaces. ZyWALL can also set up granular access control rules according to different WLAN hosts (IP address) or packet service types (protocol types and ports). Switch to the Rule Summary page and
  • Page 243 There is a traffic direction matrix available in the IDP/AV and AS General configuration page. Use the check boxes to decide whether traffic from WLAN or to WLAN needs to be inspected by the scan engine.
  • Page 244: Threat Management

    ZyWALL 5/35/70 UTM is engineered to deliver comprehensive protection against Internet threats in an effortless manner. This support note demonstrates the best practice for SMBs to minimize the impact of Internet threats, using the ZyWALL 5 UTM as an example.
  • Page 245: To Protect Computer Networks Against Virus Intrusions And Attacks From Internet

    Since most viruses and worms come from the Internet, all incoming traffic from the Internet (WAN) to the intranet (LAN and DMZ) should be inspected. Configuring your ZyWALL 5 UTM based on this example will
  • Page 246 ZyWALL 5 UTM to effectively stop/drop most Worms, Trojans, DoS and DDoS attacks. TIPS: Although IDP can effectively stop Worms and Trojans, and prevent DoS and DDoS attacks, IDP is not
  • Page 247 3. Click on the Apply button to save the above settings. 1.2.2 Set up the ANTI-VIRUS service to inspect whether a received file is infected: 1. In ANTI-VIRUS->General, check Enable Anti-Virus to enable the AV function and enable Zip
  • Page 248 TIPS: Remember to make sure the AV signatures are up to date so that the ZyWALL 5 UTM AV engine can stay in the best state. (The update can be done manually or automatically.)
  • Page 249 DoS & DDoS attacks from paralyzing the network. The following procedure demonstrates how to configure your ZyWALL 5 UTM to protect your servers in the DMZ zone.
  • Page 250 TIPS: The IDP/AV scan/detection engine bypasses IPSec VPN traffic, because IPSec VPN traffic is protected in a secure tunnel. IDP/AV services cannot scan/detect any files or packets that are protected by either a password or a secure tunnel.
  • Page 251: To Control Im/P2P Applications Usage To Increase Employee Productivity

    ZyWALL 5 UTM can deliver its best performance. 1.1.2 IDP/AV License Activation Please refer to step 1.1 on page 4 for how to activate IDP/AV services for your ZyWALL 35 UTM. 1.2 IDP Common Setting 1. In IDP->General, check the Enable Intrusion Detection and Prevention check box to enable IDP...
  • Page 252 2. To set up policies for IM applications, say MSN, use “Signature search” “By Name” with the “MSN” keyword to query all signatures about MSN; you will get a search result list.
  • Page 253 Select Drop Packet in the Action field of all MSN-related signatures. 1.2.1.2 Block MSN (Chat only, no File transfer) Select Drop Packet in the Action field of the MSN file transfer related signatures and keep the other signatures at No Action.
  • Page 254 1. In IDP->Signature, click on Switch to query view to search for the specified signatures and set them up as needed. 2. To set up policies for P2P applications, say eDonkey, use the “eDonkey” keyword to query all signatures about eDonkey; you will get a search result list.
  • Page 255 IDP signature update: To keep the ZyWALL 5 UTM IDP engine in the best state, make sure the IDP signatures are up to date (the update can be done manually or automatically).
  • Page 256: To Filter Non-Work Related And Unproductive Web Surfing To Mitigate Spyware And Phishing Threats

    Also, non-business web surfing such as sports, financial and gambling web sites should be prevented to increase company productivity. With the ZyWALL 35 UTM Content Filter service, the network administrator can effectively allow/prevent network users from viewing different categories of web sites.
  • Page 257 “Adult/Mature Content”, “Sex Education”, “Pornography”, “Nudity”, “Hacking/Proxy Avoidance”, “Violence/Hate/Racism”, “Gay/Lesbian”, “Gambling”, “Illegal/Questionable”, “Illegal Drugs”, and “Cult/Occult” categories (most spyware comes from such websites) to be filtered when accessing a website that contains these specified categories of content.
  • Page 258 1.3 Demonstrate Content Filtering by an example: Using a browser to browse a nudity website, for example www.nudistweb.net, it will be blocked and redirected to www.zyxel.com with the “(Website Blocking)” message displayed.
  • Page 259 And you can enter a URL in the Redirect URL field, for example “www.zyxel.com”, to redirect the original URL to this redirect URL. 4. In the Exempt Computers item, we can select Exclude specified address ranges from the content filter enforcement to NOT apply content filter policies to the specified IP address ranges; for example, if the CEO’s computer, which is assigned the IP address 192.168.10.200, does NOT need to have CF applied...
  • Page 260 Enter the distrusted web site in the Forbidden Web Site list. (The forbidden list is similar to a black list.) 2.2.3 Demonstrate “Customization” Content filtering by an example: Using a browser to browse “www.phishbank.com”, the attempt will be blocked (because “www.
  • Page 261 phishbank.com” is added to the forbidden list) and will be redirected to “www.zyxel.com” with the “(Website Blocking)” message displayed. 2.3 Set up the ANTI-SPAM service to filter phishing mail: In ANTI-SPAM -> General, check the Enable Anti-Spam check box to enable the AS function and select that all mail sent to LAN and DMZ has to be rated.
  • Page 262 IT staff to judge whether the POP3/SMTP mails are phishing mails or not. TIPS: To activate the “External DB” option, the ANTI-SPAM service must be registered first.
  • Page 263 3. In Message to display when a site is blocked, you can enter text, say “(Website Blocking)”, to remind users that the website they are trying to access is blocked. And you can enter a URL in the Redirect URL field, for example “www.zyxel.com”, to redirect the original URL to this redirect URL.
  • Page 264 FILTER -> Categories page, selecting the category check boxes to specify the types of content to be filtered when accessing a website that contains these specified categories of content. In the figure below, “Sports/Recreation/Hobbies” and “Financial Services” are selected.
  • Page 265 Demonstrate Content Filtering by an example: Using a browser to browse a sports website, for example www.nba.com, it will be blocked and redirected to www.zyxel.com with the “(Website Blocking)” message displayed.
  • Page 266: To Eliminate Spam Mails To Block Unwanted Messages Everyday

    In the Registration page, if you already have an account in myZyXEL.com, all you have to do is first select “Existing myZyXEL.com account”, enter your username and password, and select the AS 3-month trial version to activate
  • Page 267 4. Click on Apply to save the settings. TIPS: For the SMTP protocol, the AS engine supports “Discard” or “Forward” with the specified tag text, but for the POP3 protocol, only “Forward” is supported.
  • Page 268 IT staff to judge whether the POP3/SMTP mails are spam mails or not. TIPS: To activate the “External DB” option, the ANTI-SPAM service license must be activated. 2. Protect Self-hosted Mail Servers (SMTP)
  • Page 269 4. Click on Apply to save the settings. TIPS: For the SMTP protocol, the AS engine supports “Discard” or “Forward” with the specified tag text, but for the POP3 protocol, only “Forward” is supported.
  • Page 270 Customize the Anti-Spam policies as your own by using the black list to have the policies applied and the white list to bypass the policies. The lists are added in ANTI-SPAM -> List; after you finish adding the specified lists, click on the Apply button to save the settings.
  • Page 271: Threat Reports

    “!!!SPAM!!!Hello” as listed below: Threat Reports In order to make the ZyWALL more user-friendly and cost-effective, ZyNOS v4.01 comes with the Threat Report feature.
  • Page 272 The IDP report types are categorized by different Top entries: Signature name, Source and Destination. These reports can help the administrator manage and control the most dangerous sources and the most damaged victims in real time.
  • Page 273 The Anti-Virus report types are categorized by different Top entries: Virus name, Source and Destination. These reports can help the administrator manage and control the most dangerous sources and the most damaged victims in real time.
  • Page 274 Source. These reports can help the administrator manage and control the most dangerous sources; they may report them to a spam analysis organization or block the source with a firewall rule straight away.
  • Page 275 The Anti-Spam report also has a Score Distribution map, which can help the administrator set a suitable Spam Threshold so that spam tagging better fits the local environment.
  • Page 276: Centralized Management

    ZyWALLs through Vantage CNM, the user needs to prepare a Vantage CNM server and 3rd-party FTP/Syslog/Telnet servers. For the detailed installation & registration process (to myZyXEL.com), please refer to the Vantage CNM Support Note.
  • Page 277 (imported) into Vantage CNM through XML files. For detailed operation, please refer to the Vantage CNM Support Note. Please check CNM Reference Guide for XML description files.pdf for a detailed description. Add device manually Step 1. Left-click on the folder (e.g. AAA) and go to Device>>Registration.
  • Page 278 2. device name 3. device's LAN MAC address The XML file can be used for mass deployment. The user can assign a device owner or leave it to the owner of folder AAA.
  • Page 279 Vantage CNM Server Address in the field. If Encryption Algorithm is enabled, you must select the same algorithm and secret key on both the device and Vantage CNM. In the following case, the Encryption Algorithm is disabled.
  • Page 280 Vantage CNM. On Vantage CNM, the device icon will turn green, the device status will change to “On” and the WAN IP of the device will be shown on the content screen.
  • Page 281: A. Product Faq

    PPP dialer such as the 'Dial-Up Networking' user interface. PPPoE supports a broad range of existing applications and services including authentication, accounting, secure access and configuration management.
  • Page 282: A05. Does The Zywall Support Pppoe

    IP from the ISP; instead, it can be recognized or pinged by another real IP on the Internet. The ZyWALL Internet Access Sharing Router works like an intelligent router that routes between the virtual IP and the real IP.
  • Page 283: A12. How Does E-Mail Work Through The Zywall

    The coverage range is typically 50m~80m indoors and 150m~300m outdoors. The actual range may vary depending on the environment, such as obstacles, walls and RF interference. A17. How do I use the reset button, and moreover, which parameter fields will be reset by
  • Page 284: A20. Can The Zywall Support Tftp Over Wan

    Currently, there are various ways that ISPs control their users. That is, the WAN IP is provided only when the user is verified as an authorized user. The ISPs currently use three ways: 1. Check if the 'MAC address' is valid 2. Check if the 'Host Name' is valid, e.g., @home
  • Page 285: A23. What Is Bootp/Dhcp

    It is inconvenient for users if this IP is dynamic. With DDNS supported by the ZyWALL, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. Outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the ZyWALL.
  • Page 286: A25. When Do I Need Ddns Service

    name for your web server (i.e., www.zyxel.com.tw) is still usable. A25. When do I need DDNS service? When you want your internal server to be accessed by DNS name rather than by its dynamic IP address, you can use the DDNS service.
  • Page 287: A31. What Is Stp (Spanning Tree Protocol) /Rstp (Rapid Stp)

    Armed with the UTM appliance, the IT staff can manage the emerging threats from the Internet, with lower TCO and reduced management overhead. A34. What are the differences between ZyWALL UTM models and previous ZyWALL
  • Page 288: A35. What Are The Key New Features Of Zywall Utm

    B01. Which ZyWALL models are eligible to be upgraded to run ZyNOS v4.01? 1. ZyWALL 5, ZyWALL 35 and ZyWALL 70 can be upgraded to run ZyNOS v4.01. 2. However, for ZyWALL 70, upgrading to v4.00 and above is conditional. Details are available in the next few questions.
  • Page 289: B02. Why It's Conditional To Upgrade To Zynos V4.01 For Zywall 70

    ZyNOS v3.65 does NOT support the following features: Anti-Virus + IDP security service and Anti-Spam security service. ZyXEL will keep maintaining both ZyNOS v3.65 and v4.00 and above for all ZyWALL 70 units in the field. B04. What happens if I wrongfully upgrade the firmware of a ZyWALL 70 with only 32MB of RAM to ZyNOS v4.01 directly?
  • Page 290: B05. What Happened If I Upgrade A Zywall 70 Running Zynos V3.62/3.63/3.64 To V4.01 Directly

    For those 32MB ZyWALL 70 owners who want to upgrade to ZyNOS v4.00 and above, we have a ZyWALL 70 (small memory) Trade-in Promotion program for you. In this program, ZyXEL offers a package at a very attractive price for those customers. The package includes:...
  • Page 291: B11. What's The Downgrade Procedure Of Zywall 70 Running Zynos V4.01

    Always back up your current ROM file prior to any firmware operation. B12. Can I downgrade a ZyWALL 5 or ZyWALL 35 running ZyNOS v4.01 back to ZyNOS v3.64 (or below)? Yes, downgrade is supported.
  • Page 292: C02. Except Zywall Turbo Card Is A Must When Use Av+Idp Service What Exactly I Can Get Benefit From It

    No, you can NOT insert both a ZyWALL Turbo Card and a wireless card into the ZyWALL device, since there is only one expansion slot available on the ZyWALL 5, ZyWALL 35 or ZyWALL 70. C02. Apart from the ZyWALL Turbo Card being a must when using the AV+IDP service, what exactly do I gain from it? With the ZyWALL Turbo Card inserted, customers can enjoy ZyXEL’s unique SecuASIC technology which...
  • Page 293: D03. What Are The Basic Types Of Firewalls

    4. The ZyWALL's firewall is fast. It uses a hashing function to look up the matching session cache instead of going through every individual rule for a packet.
  • Page 294: D05. Why Do You Need A Firewall When Your Router Has Packet Filtering And Nat Built-In

    The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
  • Page 295: D09. What Is Syn Flood Attack

    There are two default ACLs pre-configured in the ZyWALL: one allows all connections from LAN to WAN and the other blocks all connections from WAN to LAN except for DHCP packets.
  • Page 296: D14. In Zywall, Is Dmz Behind Nat Or Not

    ZyWALL. In such a case, the network topology is the most important issue. Here is a common example of how people mis-deploy LAN traffic redirect and static routes.
  • Page 297 (A) Deploying your second gateway in an IP alias segment is the better solution. In this way, your connection is always under the control of the firewall, and thus there won't be a Triangle Route problem. (B) Deploying your second gateway on the WAN side.
  • Page 298: D17. How Can I Protect Against Ip Spoofing Attacks

    Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask: For the output data filters: • Deny bounce-back packets • Allow packets that originate from us Filter rule setup: • Filter Type = TCP/IP Filter Rule • Active = Yes
  • Page 299: E. Security Service Licenses Faq

    E04. Is each type of iCard device specific? Yes. Different models of ZyXEL products may use different types of iCard for registration. Users need to check the supported model names before purchasing.
  • Page 300: E06. What Kind Of Icard Should I Buy

    Yes, you can try the Content Filtering service for free. The free trial period is 30 days and is available to ZyWALL 2, ZyWALL 5, ZyWALL 35, ZyWALL 70, ZyWALL 5 UTM, ZyWALL 35 UTM and ZyWALL 70 UTM owners.
  • Page 301: E10. Does Zyxel Provide Customers Free Trial For Anti-Spam Service How Long Is It

    extension of the AV+IDP security service. E10. Does ZyXEL provide customers a free trial for the Anti-Spam service? How long is it? Yes. The free trial period of the AS security service is 3 months. Any ZyWALL device with ZyNOS v4.00 and above can activate the AS service, and a ZyWALL Turbo Card is NOT required for the activation of the AS security service.
  • Page 302: Launch Of Zynos V4.00? Which Zywall Models Can Be Registered Via Myzyxel.com

    F05. If I am new to myZyXEL.com, what are the required fields when I register my ZyWALL device on myZyXEL.com? The required fields include: user name, password, valid email address and country.
  • Page 303: F07. What Is Mysecurityzone

    When a ZyWALL device is scheduled to download the AV+IDP signature pack, the download request is directed to the Update Server. The Update Server is hosted by ZyXEL and its capacity is precisely calculated. After taking the following factors into consideration: bandwidth consumption, availability, and geographical distribution of subscribers, we have decided to build the Update Server in IDCs in a globally distributed architecture plus a 24x7 monitoring mechanism.
  • Page 304: F10. What's The Url For These Service Portals

    G03. Can I subscribe to the Anti-Virus service alone or the IDP service alone? No. Because the Anti-Virus and IDP services are bundled together, you cannot subscribe to either of them alone.
  • Page 305: G04. What Are The Hardware Requirements To Run Av+Idp Security Service

    G04. What are the hardware requirements to run AV+IDP security service? 1. For ZyWALL 5 UTM, ZyWALL 35 UTM or ZyWALL 70 UTM owners, you don’t have to acquire additional hardware accessories to activate the AV+IDP security service because the ZyWALL Turbo Card is already inside the package.
  • Page 306: H01. Why Does Zywall Bundle Anti-Virus And Idp Feature Together

    H03. What are the hardware requirements to run AV+IDP security service? 1. For ZyWALL 5 UTM, ZyWALL 35 UTM or ZyWALL 70 UTM owners, you don’t have to acquire additional hardware accessories to activate the AV+IDP security service because the ZyWALL Turbo Card is already inside the package.
  • Page 307: H06. How Do I Keep Signatures Of Av+Idp Service Updated

    H07. How often does ZyXEL release signatures for the AV+IDP security service? ZyXEL manages to release the AV+IDP signature packs at least 5 times a week on a regular basis. Those signatures are fully tested and the quality is assured.
  • Page 308: I03. What Happens When An Email With Large Attachment In Size, E.g 5Mb, Is Downloaded Which Has Virus In It

    I02. A customer already has her/his own Exchange server including Anti-Spam software from other vendors; is there any good reason for her/him to use ZyXEL’s Anti-Spam service in addition to the current solution? Yes, the reasons are: 1.
  • Page 309: I06. In Zywall's Anti-Spam Feature, What's Your Recommendation To Handle Identified Spam Emails

    AS-enabled ZyWALL devices and our rating server take place dynamically and automatically in the background. However, you may want to maintain your own black list/white list on the device to maximize the effectiveness of the Anti-Spam security service.
  • Page 310: J. Content Filter Faq

    10 seconds (by default setting), the ZyXEL appliance will block (by default setting) the HTTP response to the PC. If the query comes back, the ZyXEL appliance will drop or forward the request according to the Content Filtering policy set in the appliance. The result of the categorization query will be cached in the ZyXEL appliance.
  • Page 311: J07. What Services Can I Get With Trial Registration

    - 53% of teens have encountered offensive Web sites that include pornography, hate, or violence. Of these, 91% unintentionally found the offensive sites while searching the Web. ZyXEL Content Filtering helps to improve productivity, minimize legal liability, and conserve costly Internet bandwidth within the organization. BlueCoat provides the most complete and accurate Internet filtering solution of any Internet management provider and enables companies to better manage, secure and protect their Internet investment.
  • Page 312: J11. Can I Have Different Policies In Effect For Different Times Of The Day Or Week

    J11. Can I have different policies in effect for different times of the day or week? Yes, but only one blocking period of time is currently supported on the ZyXEL appliance. J12. How many policies can I create? Two.
  • Page 313: J19. How Often Does Bluecoat Update The Database

    J20. How do I locate sites to block? BlueCoat provides category ratings for Web sites. Based on the category rating from BlueCoat, users of ZyXEL appliances then define blocking/forwarding policy in the WEB GUI. Do humans review the web sites? BlueCoat uses expert Web content raters to train the ratings technology.
  • Page 314: J22. How Can I Do If I Find A Web Site Is Mis-Categorized

    Potential Non-Productive Categories · Abortion · Arts/Entertainment · Auctions · Brokerage/Trading · Business & Economy · Chat/Instant Messaging · Computers/Internet · Cult/Occult · Cultural Institutions · Education · Email · Financial Services
  • Page 315: J24. How Does The Zyxel Content Filtering Handle Dynamically Generated Sites

    · Web Communications · Web Hosting J24. How does the ZyXEL content filtering handle dynamically generated sites? We use BlueCoat's Dynamic Real-Time Rating service to accurately categorize dynamic content. Because BlueCoat provides Dynamic Real-Time Rating technology, most dynamic sites receive the correct rating.
  • Page 316: J25. Does Bluecoat Have More Than One Data Center? Is The Bluecoat Web Filter Geographically Load Balanced

    Anyone with the administration username and password can view and generate reports. J27. How can I get the Content Filtering report? You can get the report for content filtering by clicking the Register button in the ZyXEL appliance's WEB GUI; you will be redirected to the http://myZyXEL.com web server. By clicking Content Filtering Report, the WEB interface of the BlueCoat reporting system will pop up.
  • Page 317: J30. My Device Can't Get Connected To Http://Myzyxel.com, So I Can't Get Into Registration Page. What Should I Check

    For example: A user can configure up to 120 VPN tunnels (rules) on ZW70, but only 100 concurrent VPN tunnels can be used at the same time. Model Name ZW35 ZW70 Version 3.62(XD.0) 3.64(WZ.0) 3.64(WM.0)
  • Page 318: K02. How To Count My Vpn Tunnels On Zywall

    A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 319: K05. What Are Most Common Vpn Protocols

    Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.
  • Page 320: K08. What Is Ipsec

    A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 'pre-shared' because you have to share it with the other party before you can communicate with them over a secure connection.
  • Page 321: K12. What Are Local Id And Peer Id

    DNS or E-mail, you have to adjust the settings to pass phase 1 ID checking. When should I use FQDN? If your VPN connection is ZyWALL to ZyWALL, and both of them have static IP addresses, and there is no
  • Page 322: K13. Is My Zywall Ready For Ipsec Vpn

    Replay protection requires authentication and integrity (these two always go together). Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.
  • Page 323: K19. Does Zywall Support Dynamic Secure Gateway Ip

    We have tested ZyWALL successfully with the following third party VPN gateways: Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES; NetScreen 5, ScreenOS 2.6.0r6; SonicWALL SOHO 2; WatchGuard Firebox II; ZyXEL ZyWALL 100.
  • Page 324: K21. What Vpn Software That Has Been Tested With Zywall Successfully

    * The NAT router must support IPSec pass-through. For example, for ZyWALL NAT routers, IPSec pass-through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in the NAT menu Server Setup.
  • Page 325: K25. How Do I Configure Zywall With Nat For Internal Servers

    IP is used. For example: host----ZyWALL----NAT Router----Internet----Secure host / Non-secure host. K27. Where can I configure the Phase 1 ID in ZyWALL? The Phase 1 ID can be configured in the VPN setup menu as follows.
  • Page 326: K28. How Can I Keep A Tunnel Alive

    Yes, ZyWALL can support IPSec pass-through. The ZyWALL series doesn't only act as an IPSec/VPN gateway; it can also be a NAT router supporting IPSec pass-through. If the VPN connection is initiated from the security gateway behind the ZyWALL, no configuration is necessary for either NAT or Firewall.
  • Page 327: K31. Can Zywall Behave As A Nat Router Supporting Ipsec Pass Through And An Ipsec Gateway Simultaneously

    The task of privately choosing a key before communicating, however, can be problematic. Real-world applications may use asymmetric cryptography to protect the distribution of (symmetric) keys, and symmetric cryptography for
  • Page 328: L02. What Is Pki

    A Certification Authority; digital certificates; mathematically related key pairs, each comprising a private key and a public key. These elements work within a formal structure defined by: Certificate Policies and a Certification Practice Statement.
  • Page 329: L05. What Is A Certification Authority

    For example, in the Government of Canada Public Key Infrastructure, digital certificates for data confidentiality are different from those used for digital signatures. Certificate Policies describe the rules governing the different uses of these certificates.
  • Page 330: L09. How Does A Pki Ensure Data Confidentiality

    The digest acts as a "digital fingerprint" of the original message.
  • Page 331: L12. Does Zyxel Provide Ca Service

    L12. Does ZyXEL provide a CA service? No, ZyXEL doesn't maintain a CA service for customers; customers need to find a CA server (trusted third party) in order to use the PKI functionality on the ZyWALL.
  • Page 332: L13. What If Customers Don't Have Access To Ca Service, But Would Like To Use Pki Function

    L16. Will the self-signed certificate be erased if I reset to the default configuration file? Yes, the original self-signed certificate will be erased, but the ZyXEL appliance will create a new self-signed certificate at its first boot-up after the configuration is reset. The new self-signed certificate is different from the original one.
  • Page 333: M. Dual Wan Auto Fail-Over/Fail-Back And Load Balance Faq

    N01. How many classes can I create in the ZyWALL Bandwidth Management class tree? And what is the max depth of a class? The number of classes and max depth of a class supported by the ZyWALL's Bandwidth Management is model
  • Page 334: O. Wireless Faq

    When wireless cards are inserted into the slot of the ZyWALL, only the security options related to that card are supported. For example, using a B-100 wireless card means that "Static WEP" is supported but "WPA-PSK", "WPA" and "802.1x + Dynamic WEP" are not supported. Card models: B-100, B-101, B-120, G-100, G-110. Security options: No Security, Static WEP, WPA-PSK
  • Page 335 Please note: "X" means not supported; "O" means supported. If "WPA" is selected, an external RADIUS server must be used for authentication. If "802.1x + Dynamic WEP" is selected, an external RADIUS server must be used for authentication.
