ZyWALL 2 Plus User’s Guide

Certifications

Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever...
• Brief description of the problem and the steps you took to solve it.

Customer Support contacts (METHOD / LOCATION):

CORPORATE HEADQUARTERS (WORLDWIDE)
  Support e-mail: support@zyxel.com.tw
  Telephone: +886-3-578-3942, +886-3-578-2439
  Web site: www.zyxel.com, www.europe.zyxel.com
  Sales e-mail: sales@zyxel.com.tw
  FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
  Regular mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan...

SPAIN
  Telephone: +34-902-195-420, +34-913-005-345
  Web site: www.zyxel.es
  Sales e-mail: sales@zyxel.es
  Regular mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain

SWEDEN
  Support e-mail: support@zyxel.se
  Telephone: +46-31-744-7700, +46-31-744-7701
  Web site: www.zyxel.se
  Sales e-mail: sales@zyxel.se
  Regular mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

UKRAINE
  Support e-mail: support@ua.zyxel.com
  Telephone: +380-44-247-69-78, +380-44-494-49-32
  Web site: www.ua.zyxel.com
  Sales e-mail: sales@ua.zyxel.com
  Regular mail: ZyXEL Ukraine, 13, Pimonenko Str. ...
Table of Contents (fragments)
Copyright ..... 3
Certifications ..... 4
Safety Warnings ..... 6
ZyXEL Limited Warranty ..... 7
Customer Support ..... 8
Table of Contents ..... 11
List of Figures ..... 27
List of Tables ..... 37
Preface .....
6.1.1 Bridge Loop ..... 103
6.2 Spanning Tree Protocol (STP) ..... 104
6.2.1 Rapid STP ..... 104
6.2.2 STP Terminology ..... 104
6.2.3 How STP Works ..... 105
6.2.4 STP Port States ..... 105
6.3 Configuring Bridge ..... 105
Chapter 7 WAN Screens ..... 109
7.1 WAN Overview ..... 109
7.2 TCP/IP Priority (Metric) ..... 109
7.3 WAN Route ..... 109
...
8.11 Threshold Screen ..... 145
8.12 Service ..... 146
8.12.1 Firewall Edit Custom Service ..... 148
8.13 Solving the Asymmetrical Route Problem Example ..... 149
8.14 My Service Firewall Rule Example ..... 150
Chapter 9 Content Filtering Screens ..... 155
9.1 Content Filtering Overview ..... 155
9.1.1 Restrict Web Features ..... 155
9.1.2 Create a Filter List ..... 155
...
22.10 F/W Upload Screen ..... 361
22.11 Backup and Restore ..... 363
22.11.1 Backup Configuration ..... 364
22.11.2 Restore Configuration ..... 364
22.11.3 Back to Factory Defaults ..... 366
22.12 Restart Screen ..... 366
Chapter 23 Introducing the SMT ..... 367
23.1 Introduction to the SMT ..... 367
23.2 Accessing the SMT via the Console Port ..... 367
23.2.1 Initial Screen ..... 367
...
26.3 LAN Port Filter Setup ..... 393
26.4 TCP/IP and DHCP Ethernet Setup Menu ..... 394
26.4.1 IP Alias Setup ..... 397
Chapter 27 Internet Access ..... 399
27.1 Introduction to Internet Access Setup ..... 399
27.2 Ethernet Encapsulation ..... 399
27.3 Configuring the PPTP Client ..... 401
27.4 Configuring the PPPoE Client ..... 401
27.5 Basic Setup Complete ..... 402
...
30.4.1 Internet Access Only ..... 424
30.4.2 Example 2: Internet Access with a Default Server ..... 426
30.4.3 Example 3: Multiple Public IP Addresses With Inside Servers ..... 426
30.4.4 Example 4: NAT Unfriendly Application Programs ..... 430
30.5 Trigger Port Forwarding ..... 432
30.5.1 Two Points To Remember About Trigger Ports ..... 432
Chapter 31 Introducing the ZyWALL Firewall .....
...
34.3.1 System Information ..... 457
34.3.2 Console Port Speed ..... 458
34.4 Log and Trace ..... 459
34.4.1 Viewing Error Log ..... 459
34.4.2 Syslog Logging ..... 460
34.4.3 Call-Triggering Packet ..... 463
34.5 Diagnostic ..... 463
34.5.1 WAN DHCP ..... 464
Chapter 35 Firmware and Configuration File Maintenance .....
...
36.1.1 Command Syntax ..... 483
36.1.2 Command Usage ..... 484
36.2 Call Control Support ..... 485
36.2.1 Budget Management ..... 485
36.2.2 Call History ..... 486
36.3 Time and Date Setting ..... 487
Chapter 37 Remote Management ..... 491
37.1 Remote Management ..... 491
37.1.1 Remote Management Limitations ..... 493
Chapter 38 Call Scheduling .....
...
Appendix G Importing Certificates ..... 557
Appendix H Command Interpreter ..... 569
Appendix I Firewall Commands ..... 571
Appendix J NetBIOS Filter Commands ..... 577
Appendix K Certificates Commands ..... 579
Appendix L Brute-Force Password Guessing Protection ..... 583
Appendix M Boot Commands .....

List of Figures (fragments)
Figure 82 Requested URLs Example ..... 176
Figure 83 Web Page Review Process Screen ..... 177
Figure 84 VPN: High-Level Example ..... 179
Figure 85 VPN: IKE SA and IPSec SA ..... 180
Figure 86 IKE SA: Main Negotiation Mode ..... 181
Figure 87 IKE SA: Aggressive Negotiation Mode .....
...
Figure 125 NAT Address Mapping Edit ..... 257
Figure 126 Multiple Servers Behind NAT Example ..... 259
Figure 127 Port Translation Example ..... 259
Figure 128 Port Forwarding ..... 260
Figure 129 Port Forwarding ..... 262
Figure 130 Trigger Port Forwarding Process: Example .....
...
Figure 211 Menu 1.1.1: DDNS Edit Host ..... 379
Figure 212 MAC Address Cloning in WAN Setup ..... 381
Figure 213 Menu 2: Dial Backup Setup ..... 383
Figure 214 Menu 2.1: Advanced WAN Setup ..... 384
Figure 215 Menu 11.2: Remote Node Profile (Backup ISP) .....
...
Figure 253 NAT Example 3 ..... 427
Figure 254 Example 3: Menu 11.1.2 ..... 428
Figure 255 Example 3: Menu 15.1.1.1 ..... 428
Figure 256 Example 3: Final Menu 15.1.1 ..... 429
Figure 257 Example 3: Menu 15.2 ..... 430
Figure 258 NAT Example 4 .....
...
Figure 296 System Maintenance: Restore Configuration ..... 475
Figure 297 System Maintenance: Starting Xmodem Download Screen ..... 475
Figure 298 Restore Configuration Example ..... 475
Figure 299 Successful Restoration Confirmation Screen ..... 476
Figure 300 Telnet Into Menu 24.7.1: Upload System Firmware ..... 477
Figure 301 Telnet Into Menu 24.7.2: System Maintenance .....
...
Figure 339 Windows XP: Internet Protocol (TCP/IP) Properties ..... 525
Figure 340 Macintosh OS 8/9: Apple Menu ..... 526
Figure 341 Macintosh OS 8/9: TCP/IP ..... 526
Figure 342 Macintosh OS X: Apple Menu ..... 527
Figure 343 Macintosh OS X: Network .....
...
Figure 382 SSL Client Authentication ..... 567
Figure 383 ZyWALL Secure Login Screen ..... 567
Figure 384 Option to Enter Debug Mode ..... 585
Figure 385 Boot Module Commands ..... 586
Figure 386 Displaying Log Categories Example ..... 604
Figure 387 Displaying Log Parameters Example .....

List of Tables (fragments)
Table 1 Front Panel Lights ..... 52
Table 2 Web Configurator HOME Screen in Router Mode ..... 56
Table 3 Web Configurator HOME Screen in Bridge Mode ..... 59
Table 4 Bridge and Router Mode Features Comparison ..... 61
Table 5 Screens Summary .....
...
Table 82 NAT Address Mapping ..... 256
Table 83 NAT Address Mapping Edit ..... 257
Table 84 Port Forwarding ..... 261
Table 85 Port Triggering ..... 264
Table 86 IP Static Route ..... 266
Table 87 IP Static Route Edit ..... 267
Table 88 Application and Subnet-based Bandwidth Management Example .....
...
Table 125 General Setup ..... 352
Table 126 Password Setup ..... 353
Table 127 Time and Date ..... 354
Table 128 Default Time Servers ..... 356
Table 129 MAC-address-to-port Mapping Table ..... 358
Table 130 Device Mode (Router Mode) ..... 359
Table 131 Device Mode (Bridge Mode) .....
...
Table 168 Menu 15.3: Trigger Port Setup ..... 433
Table 169 Abbreviations Used in the Filter Rules Summary Menu ..... 442
Table 170 Rule Abbreviations Used ..... 443
Table 171 Menu 21.1.1.1: TCP/IP Filter Rule ..... 444
Table 172 Generic Filter Rule Menu Fields .....
...
Table 211 Class C Subnet Planning ..... 538
Table 212 Class B Subnet Planning ..... 539
Table 213 Commonly Used Services ..... 541
Table 214 Firewall Commands ..... 571
Table 215 NetBIOS Filter Default Settings ..... 578
Table 216 Certificates Commands .....
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font.
Chapter 1 Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL.

ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates.

Time and Date
The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually.

Reset Button
Use the reset button to restore the factory defaults: password 1234, IP address 192.168.1.1, subnet mask 255.255.255.0, and the DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.
X-Auth (Extended Authentication)
X-Auth provides added security for VPN by requiring each VPN client to use a user name and password.

Certificates
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.

RADIUS (RFC2138, 2139)
A RADIUS (Remote Authentication Dial In User Service) server enables user authentication, authorization and accounting.

IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard, which works with IEEE 802.11 to enhance user authentication.

IP Alias
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet LAN interface, with the ZyWALL itself as the gateway for each network.

Central Network Management
Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL.

Full Network Management
The embedded web configurator is an all-platform, web-based utility that allows you to easily manage and configure the ZyWALL. Most functions of the ZyWALL are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem

1.3.2 VPN Application
ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. In the following diagram, A is a VPN client for secure remote management, B is a VPN client for remote access, and C is a remote IPSec router.

1.3.3 Front Panel Lights
Figure 3 Front Panel
The following table describes the lights.

Table 1 Front Panel Lights (COLOR / STATUS / DESCRIPTION)
  Off: The ZyWALL is turned off.
  Green, on: The ZyWALL is turned on.
  Green, flashing: The ZyWALL is performing system tests.
  (color and status not recovered): The power to the ZyWALL is too low.
Chapter 2 Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser.

Figure 4 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.

2.3.1 Procedure To Use The Reset Button
Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. The ZyWALL restarts with the defaults restored.

2.4.1 Router Mode
The following screen displays when the ZyWALL is set to router mode. The ZyWALL is set to router mode by default.
Figure 7 Web Configurator HOME Screen in Router Mode
Use submenus to configure ZyWALL features.
Table 2 Web Configurator HOME Screen in Router Mode (continued) (LABEL / DESCRIPTION)
  Routing Protocol: This shows the routing protocol (IP) for which the ZyWALL is configured. This field is not configurable.
  Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge.
  Firewall: This displays whether or not the ZyWALL’s firewall is activated.
  Renew: If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh.

Figure 8 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.

Table 3 Web Configurator HOME Screen in Bridge Mode (LABEL / DESCRIPTION)
  Wizards for VPN Quick Setup: Click VPN to configure a Virtual Private Network (VPN) policy for secure communications between sites.
Table 3 Web Configurator HOME Screen in Bridge Mode (continued) (LABEL / DESCRIPTION)
  System Time: This field displays your ZyWALL’s present date and time along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone.
  Show Statistics: Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port.
  VPN Status: Click VPN Status to display the active VPN (secure) connections.

Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
Table 5 Screens Summary (continued) (LINK / FUNCTION)
  CERTIFICATES
    My Certificates: Use this screen to view a summary list of certificates and manage certificates and certification requests.
    Trusted CAs: Use this screen to view and manage the list of the trusted CAs.
    Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to...
  UPnP
    UPnP: Use this screen to enable UPnP on the ZyWALL.
    Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
    (link name not recovered): Use this screen to allow certain applications to pass through the ZyWALL.

The following table describes the labels in this screen.

Table 6 Home: Show Statistics (LABEL / DESCRIPTION)
  Port: These are the ZyWALL’s interfaces.
  Status: For the LAN, this displays the port speed and duplex setting. For the WAN and dial backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation, and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.

Figure 10 Home: DHCP Table
The following table describes the labels in this screen.

Table 7 Home: DHCP Table (LABEL / DESCRIPTION)
  Interface: Select an interface to show the current DHCP client information for the specified interface.

Figure 11 Home: VPN Status
The following table describes the labels in this screen.

Table 8 Home: VPN Status (LABEL / DESCRIPTION)
  (unlabeled column): This is the security association index number.
  Name: This field displays the identification name for this VPN policy.
  Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Chapter 3 Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview
The web configurator's setup wizards help you configure the WAN port to access the Internet, and edit VPN policies and configure IKE settings to establish a VPN tunnel.

Figure 12 ISP Parameters: Ethernet Encapsulation
The following table describes the labels in this screen.

Table 9 ISP Parameters: Ethernet Encapsulation (LABEL / DESCRIPTION)
  ISP Parameters for Internet Access
  Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.

3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.

Table 10 ISP Parameters: PPPoE Encapsulation (continued) (LABEL / DESCRIPTION)
  Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
  WAN IP Address Assignment
  IP Address: Select Dynamic if your ISP did not assign you a fixed IP address.

Note: The ZyWALL supports one PPTP server connection at any given time.
Figure 14 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.

Table 11 ISP Parameters: PPTP Encapsulation (LABEL / DESCRIPTION)
  ISP Parameters for Internet Access
  Encapsulation: ...
  PPTP Configuration
  My IP Address: Type the (static) IP address assigned to you by your ISP.
  My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
  Server IP Address: Type the IP address of the PPTP server.
Figure 16 Internet Access Setup Complete

3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 15 on page 74), the following screen displays.
Note: If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION Service screen.

The following table describes the labels in this screen.

Table 12 Internet Access Wizard: Registration (LABEL / DESCRIPTION)
  Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
  New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.

Figure 19 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 20 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears, indicating which trial applications are activated after you click Next.

Figure 22 Internet Access Wizard: Activated Services

3.3 VPN Wizard Gateway Setting
A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy identifies the IPSec routers at either end of a VPN tunnel. A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel.

Figure 24 IPSec Fields Summary
Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. Click VPN Wizard in the HOME screen to open the VPN configuration wizard.

Table 13 VPN Wizard: Gateway Setting (LABEL / DESCRIPTION)
  My ZyWALL: When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.

The following table describes the labels in this screen.

Table 14 VPN Wizard: Network Setting (LABEL / DESCRIPTION)
  Network Policy Property
  Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.

3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)
Figure 27 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.

Table 15 VPN Wizard: IKE Tunnel Setting (LABEL / DESCRIPTION)
  Negotiation Mode: Select Main Mode for identity protection.
  Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.

The following table describes the labels in this screen.

Table 16 VPN Wizard: IPSec Setting (LABEL / DESCRIPTION)
  Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems.

Figure 29 VPN Wizard: VPN Status
The following table describes the labels in this screen.

Table 17 VPN Wizard: VPN Status (LABEL / DESCRIPTION)
  Gateway Policy Property
  Name: This is the name of this VPN gateway policy.
  Gateway Policy Setting
  My ZyWALL: ...
Table 17 VPN Wizard: VPN Status (continued) (LABEL / DESCRIPTION)
  Name: This is the name of this VPN network policy.
  Network Policy Setting
  Local Network
  Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
  Ending IP Address / ...: When the local network is configured for a single IP address, this field is N/A.

3.8 VPN Wizard Setup Complete
Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL.
Figure 30 VPN Wizard Setup Complete
Chapter 4 Registration

4.1 myZyXEL.com overview
myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.

Figure 31 Registration
The following table describes the labels in this screen.

Table 18 Registration (LABEL / DESCRIPTION)
  Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
  New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
  Apply: Click Apply to save your changes back to the ZyWALL.
  Reset: Click Reset to begin configuring this screen afresh.
Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated.

Figure 33 Registration: Service
The following table describes the labels in this screen.

Table 19 Service (LABEL / DESCRIPTION)
  Service Management
  Service: This field displays the service name available on the ZyWALL.
  Status: This field displays whether a service is activated (Active) or not (Inactive).
  Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
Chapter 5 LAN Screens
This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode.

5.1 LAN, WAN and the ZyWALL
A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL’s LAN ports.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.

5.3 DHCP
The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.

Figure 35 LAN
The following table describes the labels in this screen.

Table 20 LAN (LABEL / DESCRIPTION)
  LAN TCP/IP
  IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
  Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.

5.9 LAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface, with the ZyWALL itself as the gateway for each LAN network. When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets).

The following table describes the labels in this screen.

Table 22 LAN IP Alias (LABEL / DESCRIPTION)
  Enable IP Alias 1, ...: Select the check box to configure another LAN network for the ZyWALL.
  IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
Chapter 6 Bridge Screens
This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode.

6.1 Bridge
The ZyWALL can serve as a transparent firewall (also known as a bridge firewall) in order to provide firewall protection against denial of service attacks without...

6.2 Spanning Tree Protocol (STP)
STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.

6.2.1 Rapid STP
The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...

6.2.3 How STP Works
After a bridge determines the lowest-cost spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP.

Figure 40 Bridge
The following table describes the labels in this screen.

Table 25 Bridge (LABEL / DESCRIPTION)
  Bridge Setup
  IP Address: Type the IP address of your ZyWALL in dotted decimal notation.
  IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
  Rapid Spanning Tree Protocol Setup
  Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL.
  Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. 0 is the highest.
Chapter 7 WAN Screens
This chapter describes how to configure WAN settings.

7.1 WAN Overview
• Use the WAN Route screen to configure route priority.
• Use the WAN screen to configure the WAN port for Internet access.
•...

Figure 41 WAN Route
The following table describes the labels in this screen.
Table 26 WAN Route
LABEL: DESCRIPTION
Route Priority: The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.

7.4 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems.

7.6 WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
Figure 42 WAN: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 29 WAN: Ethernet Encapsulation
LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.

Table 29 WAN: Ethernet Encapsulation (continued)
LABEL: DESCRIPTION
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.

Table 29 WAN: Ethernet Encapsulation (continued)
LABEL: DESCRIPTION
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. The screen shown next is for PPPoE encapsulation.
Figure 43 WAN: PPPoE Encapsulation

The following table describes the labels in this screen.
Table 30 WAN: PPPoE Encapsulation
LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).

Table 30 WAN: PPPoE Encapsulation
LABEL: DESCRIPTION
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only.
7.7.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.

The following table describes the labels in this screen.
Table 31 WAN: PPTP Encapsulation
LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.

Table 31 WAN: PPTP Encapsulation
LABEL: DESCRIPTION
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
7.8 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection. In the following figure, your ZyWALL is labeled A, the gateway is labeled B and the backup gateway is labeled C.

Figure 47 Traffic Redirect
The following table describes the labels in this screen.
Table 32 Traffic Redirect
LABEL: DESCRIPTION
Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.

Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection.
Figure 48 Dial Backup

The following table describes the labels in this screen.
Table 33 Dial Backup
LABEL: DESCRIPTION
Dial Backup Setup
Enable Dial Backup: Select this check box to turn on dial backup.
Basic Settings
Login Name: Type the login name assigned by your ISP.
Password: Type the password assigned by your ISP.

Table 33 Dial Backup (continued)
LABEL: DESCRIPTION
Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving).

Table 33 Dial Backup (continued)
LABEL: DESCRIPTION
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

7.11 Advanced Modem Setup
7.11.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing.
Figure 49 Advanced Setup
The following table describes the labels in this screen.
Table 34 Advanced Setup
LABEL: DESCRIPTION
AT Command Strings
Dial: Type the AT Command string to make a call.
Drop: Type the AT Command string to drop a call. "~" represents a one-second wait, for example, "~~~+++~~ath"...

Table 34 Advanced Setup (continued)
LABEL: DESCRIPTION
Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Chapter 8 Firewall Screens
This chapter shows you how to configure your ZyWALL’s firewall.

8.1 Firewall Overview
The networking term firewall is a system or group of systems that enforces an access-control policy between two networks.

Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.

8.3 Security Considerations
Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.
Consider these security ramifications before creating a rule:
1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?

Your firewall would have the following configuration.
Table 35 Blocking All LAN to WAN IRC Traffic Example
SOURCE | DESTINATION | SCHEDULE | SERVICE | ACTION
Drop
Default | Allow
• The first row blocks LAN access to the IRC service on the WAN.
•...

Your firewall would have the following configuration.
Table 36 Limited LAN to WAN IRC Traffic Example
SOURCE | DESTINATION | SCHEDULE | SERVICE | ACTION
192.168.1.7 | Allow
Drop
Default | Allow
• The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
The following table describes the labels in this screen.
Table 37 Default Rule (Router Mode)
LABEL: DESCRIPTION
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Allow Asymmetrical...: If an alternate gateway on the LAN has an IP address in the same subnet as the...

Figure 54 Default Rule (Bridge Mode)
The following table describes the labels in this screen.
Table 38 Default Rule (Bridge Mode)
LABEL: DESCRIPTION
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.

8.7 Firewall Rule Summary
Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules.
Note: The ordering of your rules is very important as rules are applied in the order that they are listed.
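The first-match evaluation described in Sections 8.1 and 8.7, applied to the IRC rule sets of Tables 35 and 36, as an added Python model that is not ZyWALL code; the rule names, the WAN host address 203.0.113.5 and the sample flows are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Added example: models the ZyWALL's first-match rule evaluation, not ZyWALL
# code.  Services are matched by name as the tables on this page do; a None
# field means "Any" (the page notes that a blank address is equivalent to Any).


@dataclass
class Rule:
    name: str
    source: Optional[IPv4Network]       # None = Any source
    destination: Optional[IPv4Network]  # None = Any destination
    service: Optional[str]              # None = Any service
    action: str                         # "Allow" or "Drop"

    def matches(self, src: IPv4Address, dst: IPv4Address, service: str) -> bool:
        return ((self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination)
                and (self.service is None or self.service == service))


def evaluate(rules: List[Rule], default_action: str,
             src: str, dst: str, service: str) -> Tuple[str, str]:
    """Walk the rules in listed order; the first match decides.  If nothing
    matches, the default rule's action applies.  Returns (action, rule name)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, service):
            return rule.action, rule.name
    return default_action, "Default"


def host(ip: str) -> IPv4Network:
    return ip_network(f"{ip}/32")


# Table 35: one rule dropping LAN-to-WAN IRC, default Allow.
TABLE_35 = [Rule("Drop LAN to WAN IRC", None, None, "IRC", "Drop")]

# Table 36: 192.168.1.7 may use IRC, every other LAN host is dropped for IRC,
# all other traffic falls through to the default Allow.
TABLE_36 = [
    Rule("Allow 192.168.1.7 IRC", host("192.168.1.7"), None, "IRC", "Allow"),
    Rule("Drop all other IRC", None, None, "IRC", "Drop"),
]

# Constructed sample flows: (LAN source, WAN destination, service).
SAMPLE_FLOWS = [
    ("192.168.1.7", "203.0.113.5", "IRC"),
    ("192.168.1.20", "203.0.113.5", "IRC"),
    ("192.168.1.20", "203.0.113.5", "HTTP"),
]


def decisions(rules: List[Rule], default_action: str = "Allow") -> List[str]:
    return [evaluate(rules, default_action, *flow)[0] for flow in SAMPLE_FLOWS]


def ordering_matters(rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Decisions for the sample flows with the rules as listed and reversed.
    Reversing Table 36 puts the broad Drop first, so 192.168.1.7 loses IRC
    access even though its Allow rule is still in the list."""
    return decisions(rules), decisions(list(reversed(rules)))


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, decisions(TABLE_36)):
        print(flow, "->", verdict)
    print("reversed order:", ordering_matters(TABLE_36)[1])
```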
Table 39 Rule Summary
LABEL: DESCRIPTION
Destination Address: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Service Type: This drop-down list box displays the services to which this firewall rule applies.

The following table describes the labels in this screen.
Table 40 Firewall Edit Rule
LABEL: DESCRIPTION
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address...

Table 40 Firewall Edit Rule
LABEL: DESCRIPTION
Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
The following table describes the labels in this screen.
Table 41 Anti-Probing
LABEL: DESCRIPTION
Respond to PING: Select the interface that you want to reply to incoming Ping requests. Select Disable to have the ZyWALL not respond to any incoming Ping requests.
Do not respond to requests for...: Select this option to prevent hackers from finding the ZyWALL by probing for...

8.10 Firewall Thresholds
For DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions. For TCP, half-open means that the session has not reached the established state: the TCP three-way handshake has not yet been completed.

If you often use P2P applications such as file sharing with eMule or eDonkey, it’s recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the ZyWALL may classify them as DoS attacks.

8.11 Threshold Screen
Click SECURITY >...

Table 42 Firewall Threshold (continued)
LABEL: DESCRIPTION
One Minute High: This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
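A model of the One Minute High threshold described in Section 8.10 and Table 42, as an added Python example that is not ZyWALL firmware; the 60-second sliding window, the choice to delete the oldest half-open session first, and the P2P burst sample are assumptions made for the illustration, and the two thresholds show why Section 8.10 advises raising the values for P2P users.

```python
from collections import OrderedDict, deque
from typing import Deque, List, Tuple

# Added example, not ZyWALL code: a tracker for TCP half-open sessions that
# applies the page's One Minute High threshold.  A session starts half-open on
# the SYN and becomes established on the final handshake ACK.


class HalfOpenTracker:
    def __init__(self, one_minute_high: int, window: float = 60.0):
        self.one_minute_high = one_minute_high
        self.window = window                       # sliding window, seconds (assumed)
        self.half_open: "OrderedDict[tuple, float]" = OrderedDict()  # oldest first
        self.established: set = set()
        self.recent: Deque[float] = deque()        # start times of new half-open sessions
        self.evicted: List[tuple] = []

    def rate_per_minute(self, now: float) -> int:
        """New half-open sessions seen in the last minute, including this one."""
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        return len(self.recent)

    def syn(self, now: float, key: tuple) -> None:
        """New connection attempt.  Above the threshold, an existing half-open
        session (the oldest, by assumption) is deleted to make room, as Table 42
        describes."""
        self.recent.append(now)
        if self.rate_per_minute(now) > self.one_minute_high and self.half_open:
            oldest, _ = self.half_open.popitem(last=False)
            self.evicted.append(oldest)
        self.half_open[key] = now

    def ack(self, key: tuple) -> None:
        """Handshake completed: the session is no longer half-open."""
        if self.half_open.pop(key, None) is not None:
            self.established.add(key)


def simulate(one_minute_high: int,
             attempts: List[Tuple[float, tuple, bool]]) -> Tuple[int, int, int]:
    """Replay (time, session key, completes handshake) tuples and return the
    counts (established, still half-open, evicted)."""
    tracker = HalfOpenTracker(one_minute_high)
    for now, key, completes in attempts:
        tracker.syn(now, key)
        if completes:
            tracker.ack(key)
    return len(tracker.established), len(tracker.half_open), len(tracker.evicted)


# Constructed sample: 40 P2P-style connection attempts in 20 seconds, of which
# every second one completes the handshake and the rest stay half-open.
P2P_BURST = [(i * 0.5, ("10.0.0.5", 40000 + i), i % 2 == 0) for i in range(40)]

# Constructed sample: a slow trickle of 6 attempts, the last one after the
# window has expired, none completing the handshake.
SLOW_TRICKLE = [(float(t), ("10.0.0.6", 50000 + t), False) for t in (0, 1, 2, 3, 4, 70)]


if __name__ == "__main__":
    # With a low threshold the same P2P burst has its legitimate half-open
    # sessions deleted; a higher threshold leaves them alone.
    print("threshold 20:", simulate(20, P2P_BURST))
    print("threshold 100:", simulate(100, P2P_BURST))
```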
Figure 61 Firewall Service
The following table describes the labels in this screen.
Table 43 Firewall Service
LABEL: DESCRIPTION
Custom Service: This table shows all configured custom services.
This is the index number of the custom service.
Service Name: This is the name of the service.

Table 43 Firewall Service
LABEL: DESCRIPTION
Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Predefined Service: This table shows all the services that are already configured for use in firewall rules.

Table 44 Firewall Edit Custom Service
LABEL: DESCRIPTION
Type/Code: This field is available only when you select ICMP in the IP Protocol field. The ICMP messages are identified by their types and in some cases codes. Enter the type number in the Type field and select the Code radio button and enter the code number, if any.

8.14 My Service Firewall Rule Example
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 In the Service screen, click Add to open the Edit Custom Service screen.
Figure 64 My Service Firewall Rule Example: Service
2 Configure it as follows and click Apply.

Figure 66 My Service Firewall Rule Example: Rule Summary
6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete.
8 Configure the destination address fields as follows and click Add.
Figure 67 My Service Firewall Rule Example: Rule Edit
9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows.

Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Figure 68 My Service Firewall Rule Example: Rule Configuration

Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Figure 69 My Service Firewall Rule Example: Rule Summary
Chapter 9 Content Filtering Screens
This chapter provides an overview of content filtering.

9.1 Content Filtering Overview
Content filtering allows you to block web features such as ActiveX controls, Java applets and cookies and disable web proxies.

Figure 70 Content Filter: General
The following table describes the labels in this screen.
Table 45 Content Filter: General
LABEL: DESCRIPTION
General Setup
Enable Content Filter: Select this check box to enable the content filter.
Restrict Web Features: Select the check box(es) to restrict a feature.

Table 45 Content Filter: General
LABEL: DESCRIPTION
Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server.

Figure 71 Content Filtering Lookup Procedure
1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
Figure 72 Content Filter: Categories
The following table describes the labels in this screen.
Table 46 Content Filter: Categories
LABEL: DESCRIPTION
Auto Category Setup
Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs.

Table 46 Content Filter: Categories (continued)
LABEL: DESCRIPTION
Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.

Table 46 Content Filter: Categories (continued)
LABEL: DESCRIPTION
Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.

Table 46 Content Filter: Categories (continued)
LABEL: DESCRIPTION
Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.

Table 46 Content Filter: Categories (continued)
LABEL: DESCRIPTION
News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.

Table 46 Content Filter: Categories (continued)
LABEL: DESCRIPTION
Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of an adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
9.5 Content Filter Customization
Click SECURITY > CONTENT FILTER > Customization to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses.

The following table describes the labels in this screen.
Table 47 Content Filter: Customization
LABEL: DESCRIPTION
Web Site List Customization
Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.

Table 47 Content Filter: Customization (continued)
LABEL: DESCRIPTION
Click this button when you have finished adding the keywords in the field above.
Delete: Select a keyword from the Keyword List, and then click this button to delete it from that list.

Use the command ip urlfilter customize actionFlags 8 [disable | enable] to extend (or not extend) the keyword blocking search to include the URL's complete filename.

9.7 Content Filtering Cache
Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen.

The following table describes the labels in this screen.
Table 48 Content Filter: Cache
LABEL: DESCRIPTION
URL Cache Setup
Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
Chapter 10 Content Filtering Reports
This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 4 on page 89 for how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.

Figure 75 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 77 on page 173).

Figure 77 myZyXEL.com: Service Management
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 77 on page 173). Type your myZyXEL.com account password in the Password field.

Figure 79 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Figure 80 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.

Figure 81 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.

Figure 82 Requested URLs Example

10.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.

Figure 83 Web Page Review Process Screen
3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
Chapter 11 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL.

11.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines.

Figure 85 VPN: IKE SA and IPSec SA
In some situations, you might want to set up a VPN tunnel quickly and temporarily. In this case, you can create an IPSec SA using manual keys. In this kind of VPN tunnel, there is no IKE SA, and you specify the encryption and authentication keys manually.

Main mode is illustrated by the example below, where the ZyWALL (X) is initiating an IKE
Figure 86 IKE SA: Main Negotiation Mode
One or more proposals, each consisting of:
- encryption algorithm (see Section 11.1.4.1 on page 187)
- authentication algorithm (see Section 11.1.4.1 on page...

Main mode provides better security because your identity is encrypted in steps 5 and 6. The trade-off is the number of steps it takes to establish the IKE SA. In contrast, aggressive mode is faster but does not provide as much security. This mode is illustrated below.
Figure 87 IKE SA: Aggressive Negotiation Mode
One or more proposals, each consisting of:
- encryption algorithm (see...

• authentication method (and extended authentication) - these characteristics control how the ZyWALL and remote IPSec router authenticate each other.
• additional properties - these characteristics include the IKE SA life time, NAT traversal, and so on. See Section 11.1.2.3 on page 186 for SA life time, Section 11.1.4.3 on page...

The ZyWALL and the remote IPSec router authenticate each other using an ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification.

Extended authentication is helpful when multiple IPSec routers use one VPN rule to connect to a single IPSec router. In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) verifies a user name and password from the other router using the local user database or an external RADIUS server.
11.1.2.2 Local and Remote Network
If IPSec SAs have overlapping local networks and overlapping remote networks, only one of these IPSec SAs can be set to active at a time. If a packet has to be routed through an overlapping (inactive) connection, it is dropped.

uniquely identify a particular security association. When an IPSec SA using manual keys is established, the SPI is transmitted from the remote IPSec router to the ZyWALL. The ZyWALL then uses the network, encryption and key values that the administrator associated with the SPI to establish the IPSec SA.

There is a relationship between the active protocol and the types of encryption and authentication algorithms that are available. This relationship is illustrated in Table 51 on page 188, where more information is also provided about each type of encryption and authentication algorithm.

11.1.4.2 Encapsulation
IPSec VPNs use either transport mode or tunnel mode to encapsulate packets. These modes are illustrated below.
Table 52 VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | Data
Transport Mode Packet: IP Header | IPSec Header | Data...

11.1.4.3 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec SA using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address.
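The AH-versus-NAT conflict described in Section 11.1.4.3, as an added Python illustration that is not ZyWALL code: a deliberately simplified packet model in which the AH check value covers the IP addresses and payload that NAT rewrites, while ESP tunnel mode's check value covers only the inner packet that NAT never sees; the key, addresses and payload are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Added example, not ZyWALL code.  Real AH and ESP headers carry more fields;
# the point here is what the integrity check value (ICV) covers and what a
# NAT device rewrites on the way through.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int          # mutable in transit; AH excludes such fields from the ICV
    payload: bytes


def icv(key: bytes, pkt: Packet) -> bytes:
    """HMAC-SHA1 over the packet's addresses and payload (SHA1 is one of the
    authentication algorithms this chapter lists)."""
    covered = pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload
    return hmac.new(key, covered, hashlib.sha1).digest()


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """A NAT device between the IPSec endpoints replaces the source address
    (and decrements the TTL like any router)."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def ah_verifies_after_nat(key: bytes, pkt: Packet, public_ip: str) -> bool:
    """AH signs the IP header and payload of the very packet that NAT rewrites,
    so the receiver's recomputed ICV no longer matches the one that was sent."""
    sent_icv = icv(key, pkt)
    received = nat_rewrite(pkt, public_ip)
    return hmac.compare_digest(sent_icv, icv(key, received))


def esp_tunnel_verifies_after_nat(key: bytes, inner: Packet,
                                  outer: Packet, public_ip: str) -> bool:
    """ESP tunnel mode wraps the whole inner packet inside a new outer IP
    header.  The ICV covers the inner packet; NAT only touches the outer
    header, so the receiver's recomputed ICV still matches."""
    sent_icv = icv(key, inner)
    received_outer = nat_rewrite(outer, public_ip)   # changed, but not covered
    received_inner = inner                           # carried unchanged inside
    return (received_outer.src == public_ip
            and hmac.compare_digest(sent_icv, icv(key, received_inner)))


# Constructed values for the demonstration.
KEY = b"constructed-example-key"
INNER = Packet("192.168.1.10", "10.0.0.10", 64, b"LAN to remote LAN data")
OUTER = Packet("192.168.1.1", "198.51.100.1", 64, b"")   # tunnel endpoints
NAT_PUBLIC_IP = "203.0.113.7"


if __name__ == "__main__":
    print("AH through NAT verifies:", ah_verifies_after_nat(KEY, INNER, NAT_PUBLIC_IP))
    print("ESP tunnel through NAT verifies:",
          esp_tunnel_verifies_after_nat(KEY, INNER, OUTER, NAT_PUBLIC_IP))
```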
11.1.4.4 SA Life Time
One characteristic of SAs is the SA life time. The SA lifetime specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations:
•...

Figure 89 IPSec High Availability

11.2 VPN Rules (IKE)
A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy identifies the IPSec routers at either end of a VPN tunnel. This is used in setting up the IKE (phase 1) security association (SA).

Figure 91 IPSec Fields Summary
Click VPN to display the VPN Rules (IKE) screen. Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use IKE SAs.
Figure 92 VPN Rules (IKE)
The following table describes the labels in this screen.

Table 54 VPN Rules (IKE) (continued)
LABEL: DESCRIPTION
This represents your ZyWALL.
ZyWALL: The WAN IP address, domain name or dynamic domain name of your ZyWALL displays in router mode. The ZyWALL’s IP address displays in bridge mode.
Remote: This represents the remote secure gateway.

The following table describes the labels in this screen.
Table 55 VPN Rules (IKE): Gateway Policy: Edit
LABEL: DESCRIPTION
Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.

Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL: DESCRIPTION
Fail back to Primary Remote Gateway when possible: Select this to have the ZyWALL fall back to using the primary remote gateway if the connection becomes available again.
Fail Back Check...

Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL: DESCRIPTION
Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key.
• Select IP to identify the remote IPSec router by its IP address.
•...

Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL: DESCRIPTION
Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ user names and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 13 on page...

Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
LABEL: DESCRIPTION
Enable Multiple Proposals: Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IPSec SA. When you enable multiple proposals, the ZyWALL allows the remote IPSec router to select which encryption and authentication algorithms to use for the VPN tunnel, even if they are less secure than the ones you configure for the VPN rule.
The following table describes the labels in this screen.
Table 56 VPN Rules (IKE): Network Policy Edit
LABEL: DESCRIPTION
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.

Table 56 VPN Rules (IKE): Network Policy Edit (continued)
LABEL: DESCRIPTION
Starting IP Address: When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL.

Table 56 VPN Rules (IKE): Network Policy Edit (continued)
LABEL: DESCRIPTION
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.

Figure 95 VPN Rules (IKE): Network Policy Move
The following table describes the labels in this screen.
Table 57 VPN Rules (IKE): Network Policy Move
LABEL: DESCRIPTION
Network Policy Information: The following fields display the general network settings of this VPN policy.
Name: This field displays the policy name.

Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management.
Figure 96 VPN Rules (Manual)
The following table describes the labels in this screen.

Table 58 VPN Rules (Manual) (continued)
LABEL: DESCRIPTION
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Remote Gateway Address: This is the static WAN IP address or domain name of the remote IPSec router.
Modify: Click the edit icon to edit the VPN policy.

Figure 97 VPN Rules (Manual): Edit
The following table describes the labels in this screen.
Table 59 VPN Rules (Manual) Edit
LABEL: DESCRIPTION
Property
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy.

Table 59 VPN Rules (Manual) Edit (continued)
LABEL: DESCRIPTION
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.

Table 59 VPN Rules (Manual) Edit (continued)
LABEL: DESCRIPTION
Remote Gateway Addr: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection.
Manual Proposal
Type a unique SPI (Security Parameter Index) from one to four characters long.
ZyWALL 2 Plus User’s Guide Figure 98 VPN: SA Monitor The following table describes the labels in this screen. Table 60 VPN: SA Monitor LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy. Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Figure 99 VPN: Global Setting
The following table describes the labels in this screen.
Table 61 VPN: Global Setting
Output Idle Timer: When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity.
Table 61 VPN: Global Setting (continued)
VPN rules skip applying to the overlap range of local and remote IP addresses: When you configure a VPN rule, the ZyWALL checks to make sure that the IP addresses in the local and remote networks do not overlap. Select this check box to disable the check if you need to configure a VPN policy with addresses...
Table 62 Telecommuters Sharing One VPN Rule Example
FIELDS | TELECOMMUTERS | HEADQUARTERS
My ZyWALL: | 0.0.0.0 (dynamic IP address assigned by the ISP) | Public static IP address
Remote Gateway Address: | Public static IP address | 0.0.0.0 With this IP address only the telecommuter can initiate the IPSec tunnel.
Table 63 Telecommuters Using Unique VPN Rules Example
TELECOMMUTERS (All Telecommuter Rules): My ZyWALL: 0.0.0.0; Remote Gateway Address: bigcompanyhq.com; Local Network - Single IP Address: 192.168.1.10; Local ID Type: E-mail; Local ID Content: bob@bigcompanyhq.com
HEADQUARTERS (All Headquarters Rules): My ZyWALL: bigcompanyhq.com; Remote Network - Single IP Address: 192.168.1.10; Peer ID Type: E-mail; Peer ID Content: bob@bigcompanyhq.com...
In the following example, the VPN rule’s local network (A) includes the ZyWALL’s LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface.
Chapter 12 Certificates
This chapter gives background information about public-key certificates and explains how to use them.
12.1 Certificates Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
12.4 My Certificates
Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.
Figure 104 My Certificates
The following table describes the labels in this screen.
Table 64 My Certificates (continued)
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
12.5 My Certificate Import
Click SECURITY > CERTIFICATES > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
Note: You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL.
The following table describes the labels in this screen.
Table 65 My Certificate Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
The following table describes the labels in this screen.
Table 66 My Certificate Create
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate.
Table 66 My Certificate Create (continued)
Enrollment Protocol: Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
The following table describes the labels in this screen.
Table 67 My Certificate Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Table 67 My Certificate Details (continued)
Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
Figure 108 Trusted CAs
The following table describes the labels in this screen.
Table 68 Trusted CAs
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
Table 68 Trusted CAs (continued)
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate.
12.10 Trusted CA Details
Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The following table describes the labels in this screen.
Table 70 Trusted CA Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 70 Trusted CA Details (continued)
Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
Figure 111 Trusted Remote Hosts
The following table describes the labels in this screen.
Table 71 Trusted Remote Hosts
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
Table 71 Trusted Remote Hosts (continued)
Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL.
Refresh: Click this button to display the current validity status of the certificates.
Figure 113 Certificate Details
Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
12.13 Trusted Remote Hosts Import
Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen.
Figure 114 Trusted Remote Host Import
The following table describes the labels in this screen.
Table 72 Trusted Remote Host Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Figure 115 Trusted Remote Host Details
The following table describes the labels in this screen.
Table 73 Trusted Remote Host Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
Table 73 Trusted Remote Host Details (continued)
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate.
Table 73 Trusted Remote Host Details (continued)
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
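The thumbprint check described under Figure 113, and the PEM encoding Table 73 describes, as an added Python example. This is illustration code written for this guide, not ZyNOS or ZyXEL code. The PEM body is constructed test bytes and is labelled as such: a thumbprint is simply a hash over the DER bytes, so any bytes serve to show the mechanics. The function names (pem_to_der, thumbprint, matches_out_of_band) are this example's own.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the Base-64 body holds placeholder bytes, not a real certificate.
# PEM armour is exactly what the "Certificate in PEM (Base-64) Encoded Format" box shows.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed DER placeholder for the example").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and Base-64 decode the body back to binary DER."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())       # drop the 64-column line breaks
    return base64.b64decode(body, validate=True)


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as the details screen prints it: the digest of the DER bytes,
    shown as colon-separated hex pairs (sha1 gives 20 pairs, md5 gives 16)."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_out_of_band(der: bytes, algorithm: str, expected: str) -> bool:
    """Compare the locally computed thumbprint with the value read out over the phone.
    Colons, spaces and letter case in the dictated value are ignored; the comparison
    itself is constant-time so a mismatch does not leak how many characters agreed."""
    dictated = re.sub(r"[^0-9a-f]", "", expected.lower())
    actual = hashlib.new(algorithm, der).hexdigest()
    return hmac.compare_digest(actual, dictated)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("Thumbprint Algorithm: sha1")
    print("Thumbprint:", thumbprint(der))
```

Both the Thumbprint Algorithm and the Thumbprint field must agree with the remote host: a thumbprint under a different algorithm never matches, and one byte of difference in the imported certificate produces a completely different value.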
The following table describes the labels in this screen.
Table 74 Directory Servers
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached.
The following table describes the labels in this screen.
Table 75 Directory Server Add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
Chapter 13 Authentication Server
This chapter discusses how to configure the ZyWALL’s authentication server feature.
13.1 Authentication Server Overview
A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or a RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) server for an unlimited number of users.
13.3.1 Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the ZyWALL and the RADIUS server for user authentication:
• Access-Request: Sent by an access point requesting authentication.
• Access-Reject: Sent by a RADIUS server rejecting access.
• ...
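The Access-Request and Access-Accept/Reject exchange listed above, as an added Python example that is not ZyXEL's code. It builds the Access-Request a NAS such as the ZyWALL sends, hides the User-Password the way RFC 2865 (the successor of the RFC 2138 cited above) specifies, and shows the check the NAS must perform on the reply: the Response Authenticator binds the reply to the shared secret and to that exact request, so a reply forged without the secret, or replayed against a different request, is rejected. The shared secret, user name, password and NAS address are constructed sample values; accounting (RFC 2139) is not covered.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server side); strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attributes(attrs) -> bytes:
    """Type-Length-Value encoding; the length byte counts the type and length bytes too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(username, password, secret, nas_ip, identifier, authenticator=None):
    """The Access-Request the NAS sends. Returns (packet, request_authenticator).
    The authenticator must be a fresh random 16-byte value per request."""
    ra = secrets.token_bytes(16) if authenticator is None else authenticator
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    body = encode_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body, ra


def build_response(code, request, secret, attrs=()):
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret) -> bool:
    """NAS side: act on an Access-Accept or Access-Reject only if its authenticator proves
    it was produced with the shared secret in answer to exactly this request."""
    if len(response) < 20 or response[1] != request[1]:
        return False                                   # wrong or unknown identifier
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False                                   # length field must match the datagram
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the password hiding and the authenticators rest entirely on the shared secret, the strength of that secret and the Secure Client IP style restriction on who may talk to the server are what keep this exchange trustworthy; RADIUS itself adds no encryption of the rest of the packet.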
The following table describes the labels in this screen.
Table 76 Local User Database
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile.
The following table describes the labels in this screen.
Table 77 RADIUS
Authentication Server
Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
Chapter 14 Network Address Translation (NAT)
This chapter discusses how to configure NAT on the ZyWALL.
14.1 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
14.1.2 What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
14.1.4 NAT Application
The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. In this example, corporation A’s networks are labeled A, and Corporation B’s networks are labeled B.
14.1.5 Port Restricted Cone NAT
At the time of writing ZyWALL ZyNOS version 4.00 uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network.
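A model of port restricted cone NAT as an added Python example; it is illustration code, not ZyNOS. One WAN port is allocated per inside IP:port and reused for every destination (the "cone"), and an incoming packet is delivered only when it comes from an outside IP:port that the inside host has already sent to (the "port restricted" part), so an outside host that was contacted on port 80 cannot reach the mapping from port 8080, and a host never contacted cannot reach it at all. The class and method names and the RFC 5737 documentation addresses are this example's own.

```python
class PortRestrictedConeNAT:
    """Stateful model of the port restricted cone behaviour described in 14.1.5."""

    def __init__(self, wan_ip, first_port=50000):
        self.wan_ip = wan_ip
        self._next_port = first_port
        self._by_inside = {}    # inside (ip, port) -> WAN port
        self._by_wan_port = {}  # WAN port -> inside (ip, port)
        self._permitted = {}    # WAN port -> set of outside (ip, port) already contacted

    def outbound(self, inside, outside):
        """Translate an outgoing packet from `inside` to `outside`.
        Returns the (wan_ip, wan_port) the packet leaves from; the same pair is
        reused for every destination, which is what makes the mapping a cone."""
        if inside not in self._by_inside:
            port = self._next_port
            self._next_port += 1
            self._by_inside[inside] = port
            self._by_wan_port[port] = inside
            self._permitted[port] = set()
        port = self._by_inside[inside]
        self._permitted[port].add(outside)   # remember the exact outside IP:port we talked to
        return (self.wan_ip, port)

    def inbound(self, outside, destination):
        """Return the inside (ip, port) an incoming packet is delivered to, or None if dropped."""
        wan_ip, port = destination
        if wan_ip != self.wan_ip or port not in self._by_wan_port:
            return None                      # no mapping exists for this WAN port
        if outside not in self._permitted[port]:
            return None                      # unsolicited: IP or port never contacted
        return self._by_wan_port[port]


if __name__ == "__main__":
    nat = PortRestrictedConeNAT("203.0.113.1")          # constructed WAN address
    mapping = nat.outbound(("192.168.1.10", 4000), ("198.51.100.5", 80))
    print("outbound mapped to", mapping)
    print("reply from 198.51.100.5:80 ->", nat.inbound(("198.51.100.5", 80), mapping))
    print("probe from 198.51.100.5:8080 ->", nat.inbound(("198.51.100.5", 8080), mapping))
```

The filtering is what gives NAT its incidental protective value: an outside party learns the WAN port only by being contacted from it, and even then may reply only from the port it was contacted on. Port forwarding and port triggering (14.5 and 14.8) are the deliberate openings through this filter.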
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Note: Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
The following table summarizes these types.
14.3 NAT Overview
Click ADVANCED > NAT to open the NAT Overview screen.
Figure 123 NAT Overview
The following table describes the labels in this screen.
Table 81 NAT Overview
Global Settings
Max. Concurrent Sessions: This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time.
14.4 NAT Address Mapping
Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
The following table describes the labels in this screen.
Table 82 NAT Address Mapping
SUA Address Mapping Rules: This read-only table displays the default address mapping rules.
Full Feature Address Mapping Rules
#: This is the rule index number.
Local Start IP: This refers to the Inside Local Address (ILA), which is the starting local IP address.
Figure 125 NAT Address Mapping Edit
The following table describes the labels in this screen.
Table 83 NAT Address Mapping Edit
Type: Choose the port mapping type from one of the following.
1. One-to-One: One-to-One mode maps one local IP address to one global IP address.
14.5 Port Forwarding
A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
Figure 126 Multiple Servers Behind NAT Example
14.5.4 Port Translation
The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the LAN.
14.6 Port Forwarding Screen
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. Refer to Appendix E on page 541 for port numbers commonly used for particular services.
The following table describes the labels in this screen.
Table 84 Port Forwarding
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
Figure 129 Port Forwarding
14.8 Port Triggering
Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
For example:
Figure 130 Trigger Port Forwarding Process: Example
1 Jane’s computer, labeled J in the figure, requests a file from the Real Audio server (port 7070) labeled S in the figure.
2 Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP address.
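The trigger-port process in the steps above, as an added Python example (illustration code, not ZyNOS). A rule pairs a trigger port range with an incoming port range; an outgoing packet to the trigger range records the sender's LAN IP, and until the rule is closed, incoming traffic on the incoming range is delivered to that IP rather than to the default server. The rule values (trigger 7070, incoming 6970 to 7170) and the LAN addresses are constructed for the example, and the example assumes, as a design choice, that a rule remembers one LAN computer at a time, the most recent one to hit the trigger.

```python
class PortTriggering:
    """Model of the trigger-port forwarding process described in 14.8."""

    def __init__(self):
        self.rules = []    # (name, (trigger_lo, trigger_hi), (incoming_lo, incoming_hi))
        self.active = {}   # rule name -> LAN IP of the computer that last hit the trigger

    def add_rule(self, name, trigger_range, incoming_range):
        self.rules.append((name, trigger_range, incoming_range))

    def on_outbound(self, lan_ip, dst_port):
        """Steps 1 and 2: an outgoing packet to a trigger port records the sender's LAN IP.
        Returns the name of the rule that fired, or None if the port is not a trigger."""
        for name, (lo, hi), _ in self.rules:
            if lo <= dst_port <= hi:
                self.active[name] = lan_ip   # assumption: one LAN computer per rule at a time
                return name
        return None

    def on_inbound(self, dst_port):
        """Step 3: incoming traffic on a rule's incoming range goes to the recorded LAN IP.
        Returns None when no LAN computer has opened the trigger, so the packet falls
        through to the ordinary port forwarding / default server handling."""
        for name, _, (lo, hi) in self.rules:
            if lo <= dst_port <= hi:
                return self.active.get(name)
        return None

    def on_close(self, name):
        """When the session ends, forget the IP so the incoming range is closed again."""
        self.active.pop(name, None)


if __name__ == "__main__":
    pt = PortTriggering()
    pt.add_rule("Real Audio", (7070, 7070), (6970, 7170))   # constructed rule values
    print("before trigger, port 7000 ->", pt.on_inbound(7000))
    pt.on_outbound("192.168.1.33", 7070)                    # Jane requests the file
    print("after trigger, port 7000 ->", pt.on_inbound(7000))
```

The difference from plain port forwarding is visible in the two on_inbound results: the incoming range is closed until a LAN computer asks for it, and it opens toward that computer only, which is why port triggering exposes less than a permanent forwarding entry for the same ports.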
Figure 131 Port Triggering
The following table describes the labels in this screen.
Table 85 Port Triggering
#: This is the rule index number (read-only).
Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
Chapter 15 Static Route
This chapter shows you how to configure static routes for your ZyWALL.
15.1 IP Static Route
Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
Figure 133 IP Static Route
The following table describes the labels in this screen.
Table 86 IP Static Route
#: This is the number of an individual static route.
Name: This is the name that describes or identifies this route.
Active: This field shows whether this static route is active (Yes) or not (No).
Figure 134 IP Static Route Edit
The following table describes the labels in this screen.
Table 87 IP Static Route Edit
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Active: This field allows you to activate/deactivate this static route.
Chapter 16 Bandwidth Management
This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes.
16.1 Bandwidth Management Overview
Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic.
16.3 Proportional Bandwidth Allocation
Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.
16.4 Application-based Bandwidth Management
You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).
16.6 Application and Subnet-based Bandwidth Management
You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
Table 88 Application and Subnet-based Bandwidth Management Example
TRAFFIC TYPE | FROM SUBNET A...
When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels.
16.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.
Table 90 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES, PRIORITIES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: Priority 4, 1024 kbps...
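The two-stage allotment that maximize bandwidth usage performs, as an added Python example that is illustration code rather than ZyNOS. Stage one gives every class up to its budget (or less, if it has less to send); stage two hands the unused and unbudgeted remainder to the classes that still want more, higher priority first. The guide says only that this split depends on how many classes want more and on their priorities, so two details here are this example's assumptions: a larger priority number counts as higher priority, and classes of equal priority share the remainder equally, each capped at what it can actually use. The class names, budgets and demands are constructed and only loosely follow Table 90.

```python
from dataclasses import dataclass


@dataclass
class BwClass:
    name: str
    budget: int    # configured allotment in kbps
    priority: int  # assumption for this example: a larger number is a higher priority
    demand: int    # traffic the class currently wants to send, in kbps


def _water_fill(hungry, alloc, remaining):
    """Split `remaining` equally among `hungry` classes, capping each at its demand
    and redistributing whatever the capped classes could not use."""
    hungry = list(hungry)
    while hungry and remaining > 0:
        share = remaining / len(hungry)
        capped = [c for c in hungry if c.demand - alloc[c.name] <= share]
        if not capped:                       # everyone can absorb a full share
            for c in hungry:
                alloc[c.name] += share
            return 0
        for c in capped:                     # satisfy the small ones, then loop again
            remaining -= c.demand - alloc[c.name]
            alloc[c.name] = c.demand
            hungry.remove(c)
    return remaining


def allocate(root_kbps, classes, maximize_bandwidth_usage=True):
    """Return (kbps allotted per class, kbps left unallotted on the interface)."""
    # Stage one: each class gets its budget, but never more than it has to send.
    alloc = {c.name: min(c.budget, c.demand) for c in classes}
    remaining = root_kbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("class budgets exceed the root class bandwidth")
    if not maximize_bandwidth_usage:
        return alloc, remaining
    # Stage two: unused and unbudgeted bandwidth goes to classes that want more,
    # one priority level at a time, highest first.
    for prio in sorted({c.priority for c in classes}, reverse=True):
        hungry = [c for c in classes if c.priority == prio and c.demand > alloc[c.name]]
        remaining = _water_fill(hungry, alloc, remaining)
    return alloc, remaining


if __name__ == "__main__":
    classes = [                                   # constructed example figures
        BwClass("Administration", 1024, 4, 3000),
        BwClass("Sales", 3072, 6, 6000),
        BwClass("Marketing", 2048, 6, 2048),
        BwClass("R&D", 2048, 2, 5000),
    ]
    for maximize in (False, True):
        alloc, left = allocate(10240, classes, maximize)
        print(f"maximize={maximize}: {alloc}, unallotted={left} kbps")
```

With maximize bandwidth usage off, Sales stays at its 3072 kbps budget and 2048 kbps of the root class sit idle; with it on, that idle 2048 kbps goes to Sales as the highest-priority class still wanting more, and Administration and R&D, which also want more, get nothing extra because nothing is left by the time their priority levels are reached.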
16.8 Bandwidth Borrowing
Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class’s unused bandwidth.
• The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
• The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
Figure 136 Bandwidth Management: Summary
The following table describes the labels in this screen.
Table 93 Bandwidth Management: Summary
Class: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
16.11 Configuring Class Setup
The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class.
Table 94 Bandwidth Management: Class Setup (continued)
Edit: Click Edit to configure the selected class. You cannot edit the root class.
Delete: Click Delete to delete the class and all its sub-classes. You cannot delete the root class.
Figure 138 Bandwidth Management: Edit Class
The following table describes the labels in this screen.
Table 95 Bandwidth Management: Edit Class
Class Configuration
Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
Table 95 Bandwidth Management: Edit Class (continued)
Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
Table 95 Bandwidth Management: Edit Class (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
Table 96 Services and Port Numbers
SERVICES | PORT NUMBER
ECHO...
The following table describes the labels in this screen.
Table 97 Bandwidth Management: Statistics
Class Name: This field displays the name of the class the statistics page is showing.
Budget (kbps): This field displays the amount of bandwidth allocated to the class.
Tx Packets: This field displays the total number of packets transmitted.
The following table describes the labels in this screen.
Table 98 Bandwidth Management: Monitor
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the bandwidth class.
Chapter 17 DNS
This chapter shows you how to configure the DNS screens.
17.1 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
17.4 Address Record
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www”...
Figure 141 Private DNS Server Example
Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
The following table describes the labels in this screen.
Table 99 System DNS
Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.
Figure 143 System DNS: Add Address Record
The following table describes the labels in this screen.
Table 100 System DNS: Add Address Record
FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name.
Figure 144 System DNS: Insert Name Server Record
The following table describes the labels in this screen.
Table 101 System DNS: Insert Name Server Record
Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
17.7 DNS Cache
DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period.
The following table describes the labels in this screen.
Table 102 DNS Cache
DNS Cache Setup
Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
Figure 146 DNS DHCP
The following table describes the labels in this screen.
Table 103 DNS DHCP
DNS Servers Assigned by DHCP: The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.
17.10 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
Figure 147 DDNS
The following table describes the labels in this screen.
Table 104 DDNS
Account Setup
Active: Select this check box to use dynamic DNS.
Service Provider: This is the name of your Dynamic DNS service provider.
Username: Enter your user name.
Table 104 DDNS (continued)
IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address.
Chapter 18 Remote Management
This chapter provides information on the Remote Management screens.
18.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running.
Figure 148 HTTPS Implementation
Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts.
18.3 WWW
Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to change your ZyWALL’s web settings.
The following table describes the labels in this screen.
Table 105 WWW
HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
18.4.1 Internet Explorer Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL.
Figure 151 Security Certificate 1 (Netscape)
Figure 152 Security Certificate 2 (Netscape)
18.4.3 Avoiding the Browser Warning Messages
The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
• ...
• The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
Figure 154 Login Screen (Netscape)
Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
Figure 155 Replace Certificate
Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
Figure 156 Device-specific Certificate
Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen.
Figure 157 Common ZyWALL Certificate
18.5 SSH
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. The SSH server is labeled A, and the SSH client is labeled B.
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys.
Figure 159 SSH
The following table describes the labels in this screen.
Table 107 SSH
Server Host Key: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 12 on page 217 for details).
2 Configure the SSH client to accept connection using SSH version 1.
3 A window displays prompting you to store the host key in your computer. Click Yes to continue.
Figure 160 SSH Example 1: Store Host Key
Enter the password to log in to the ZyWALL.
ZyWALL 2 Plus User’s Guide Figure 162 SSH Example 2: Log in $ ssh –1 192.168.1.1 The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
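The session above shows the trust-on-first-use step: the client has no stored key for 192.168.1.1, prints a fingerprint, and on "yes" saves the key so that a changed host key is flagged on later connections. The following Python is an added example written for this guide (not ZyXEL code) that shows how a client derives the displayed fingerprint from a host key blob and how the saved entry turns a later key change into a hard mismatch rather than a silent re-prompt. It assumes the SSH-2 "ssh-rsa" blob format used in OpenSSH known_hosts files; the manual's session uses an SSH-1 RSA1 key, whose fingerprint is computed over different bytes, so the 21:6c:... value above is not reproducible here. The modulus and the known_hosts text are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (length-prefixed, two's complement)."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # a leading zero keeps the sign bit clear
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def rsa_public_blob(e: int, n: int) -> bytes:
    """The 'ssh-rsa' wire blob that appears base64-encoded in known_hosts."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the style the manual's session prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as newer OpenSSH prints it (base64, padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host -> list of (key type, blob) from plain (unhashed) known_hosts lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            entries.setdefault(host, []).append((keytype, blob))
    return entries


def check_host_key(known_hosts_text: str, host: str, presented_blob: bytes) -> str:
    """'match' (pinned key presented), 'unknown' (first contact, prompt the user)
    or 'MISMATCH' (host known but key changed: abort, never auto-accept)."""
    entries = parse_known_hosts(known_hosts_text)
    if host not in entries:
        return "unknown"
    for _keytype, blob in entries[host]:
        if blob == presented_blob:
            return "match"
    return "MISMATCH"


def record_host_key(known_hosts_text: str, host: str, blob: bytes) -> str:
    """What 'Permanently added ... to the list of known hosts' does: append the key."""
    line = "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode())
    return known_hosts_text.rstrip("\n") + "\n" + line + "\n"


# Constructed sample key (NOT a real RSA modulus) and a constructed known_hosts file.
DEVICE_E = 65537
DEVICE_N = int.from_bytes(b"ZyWALL-demo-modulus-not-a-real-key!", "big")
DEVICE_BLOB = rsa_public_blob(DEVICE_E, DEVICE_N)
KNOWN_HOSTS = "# constructed sample file\n" + record_host_key("", "192.168.1.1", DEVICE_BLOB)

if __name__ == "__main__":
    print("MD5    ", md5_fingerprint(DEVICE_BLOB))
    print("SHA256 ", sha256_fingerprint(DEVICE_BLOB))
    print(check_host_key(KNOWN_HOSTS, "192.168.1.1", DEVICE_BLOB))
    impostor = rsa_public_blob(DEVICE_E, DEVICE_N + 2)
    print(check_host_key(KNOWN_HOSTS, "192.168.1.1", impostor))
```

The operational point for the device in this guide: compare the fingerprint printed on first contact with one read from the ZyWALL's own certificate screen (or from a console session) before answering "yes", because the client stores whatever key it was shown, and only a later MISMATCH is detected automatically.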
18.11 Telnet
You can configure your ZyWALL for remote Telnet access as shown next. The computer using telnet to access the LAN is labeled A, and the arrow shows the direction of incoming traffic.
Figure 164 Telnet Configuration on a TCP/IP Network
18.12 Configuring TELNET
Click ADVANCED >...
Table 108 Telnet (continued)
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service.
Table 109 FTP
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service.
An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
18.14.3 REMOTE MANAGEMENT: SNMP
To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown.
Figure 168 SNMP
The following table describes the labels in this screen.
Table 111 SNMP
SNMP...
Table 111 SNMP (continued)
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service.
Table 112 DNS
Apply: Click Apply to save your customized settings.
Reset: Click Reset to begin configuring this screen afresh.
18.16 Introducing Vantage CNM
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide.
The following table describes the labels in this screen.
Table 113 CNM
Registration Information
Registration Status: This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server.
Chapter 19 UPnP
This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode.
19.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
19.1.4 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™...
Table 114 UPnP
Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device;...
Table 115 UPnP Ports (continued)
Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
19.4.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start > Settings > Control Panel. Double-click Add/Remove Programs.
2 Click Windows Setup and select Communication in the Components selection box.
19.4.2 Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start > Settings > Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
19.5.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start > Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
Follow the steps below to access the web configurator.
1 Click Start > Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
Chapter 19 UPnP...
Chapter 20 ALG Screen
This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.
20.1 ALG Introduction
The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL.
20.2 FTP
File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files.
20.5 SIP
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
20.5.3 SIP Signaling Session Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period.
The following table describes the labels in this screen.
Table 116 ALG
Enable FTP: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
Chapter 21 Logs Screens
This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix N on page 587 for example log message explanations.
21.1 Configuring View Log
The web configurator allows you to look at all of the ZyWALL’s logs in one location.
Table 117 View Log (continued)
Time: This field displays the time the log was recorded. See Section 22.4 on page 353 to configure the ZyWALL’s time and date.
Message: This field states the reason for the log.
Source: This field lists the source IP address and the port number of the incoming packet.
21.2.1 Certificate Not Trusted Log
Note: myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. The default configuration file includes a trusted CA certificate signed by VeriSign. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.com and the update server.
Figure 178 myZyXEL.com: Certificate Download
21.3 Configuring Log Settings
To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send.
The following table describes the labels in this screen.
Table 119 Log Settings
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
Table 119 Log Settings (continued)
Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation Active: Some logs (such as the Attacks logs) may be so numerous that it becomes...
Figure 180 Reports
Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps.
The following table describes the labels in this screen.
Table 120 Reports
Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.
Send Raw Traffic Statistics: Select the check box and click Apply to have the ZyWALL send unprocessed traffic...
21.4.1 Viewing Web Site Hits
In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
Figure 182 Protocol/Port Report Example
The following table describes the labels in this screen.
Table 122 Protocol/Port Report
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
Figure 183 Host IP Address Report Example
The following table describes the labels in this screen.
Table 123 Host IP Address Report
IP Address: This column lists the LAN IP addresses to and/or from which the most traffic has been sent.
Chapter 22 Maintenance
This chapter displays information on the maintenance screens.
22.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
22.2 General Setup
22.2.1 General Setup and System Name
General Setup contains administrative and system-related information.
Figure 184 General Setup
The following table describes the labels in this screen.
Table 125 General Setup
General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
Figure 185 Password Setup
The following table describes the labels in this screen.
Table 126 Password Setup
Old Password: Type the default password or the existing password you use to access the system in this field.
Figure 186 Time and Date
The following table describes the labels in this screen.
Table 127 Time and Date
Current Time and Date
Current Time: This field displays the ZyWALL’s present time.
Current Date: This field displays the ZyWALL’s present date.
Table 127 Time and Date (continued)
Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
22.5 Pre-defined NTP Time Servers List
When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of NTP time servers.
When the System Time and Date Synchronization in Process screen appears, wait up to one minute.
Figure 187 Synchronization in Process
Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
22.6 Introduction To Transparent Bridging
A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port.
3 As a transparent bridge does not modify the frames it forwards, it is effectively “stealth” as it is invisible to attackers. Bridging devices are most useful in complex environments that require a rapid or new firewall deployment.
Table 130 Device Mode (Router Mode) (continued)
Bridge: Select this radio button and configure the following fields, then click Apply to set the ZyWALL to bridge mode.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: Enter the IP subnet mask of the ZyWALL.
Table 131 Device Mode (Bridge Mode) (continued)
Device Mode Setup
Router: Select this radio button and click Apply to set the ZyWALL to router mode.
LAN Interface IP Address: Enter the IP address of your ZyWALL’s LAN port in dotted decimal notation. 192.168.1.1 is the factory default.
Figure 192 Firmware Upload
The following table describes the labels in this screen.
Table 132 Firmware Upload
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...
Figure 194 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
Figure 196 Backup and Restore
22.11.1 Backup Configuration
Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
Note: Do not turn off the ZyWALL while configuration file upload is in progress.
After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again.
Figure 197 Configuration Upload Successful
The ZyWALL automatically restarts in this time causing a temporary network disconnect.
22.11.3 Back to Factory Defaults
Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear.
Figure 200 Reset Warning Message
You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL.
Chapter 23 Introducing the SMT
This chapter explains how to access the System Management Terminal and gives an overview of its menus.
23.1 Introduction to the SMT
The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
Table 134 Main Menu Commands
Move the cursor: [ENTER] or [UP]/[DOWN] arrow keys. Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively.
Figure 204 Main Menu (Router Mode)
Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
ZyWALL 2 Plus Main Menu
Getting Started
1. General Setup
2. WAN Setup
3.
Advanced Management
21. Filter and Firewall Setup
22. SNMP Configuration
The following table describes the fields in this menu.
Table 135 Main Menu Summary
General Setup: Use this menu to set up device mode, dynamic DNS and administrative information.
WAN Setup: Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection.
Table 136 SMT Menus Overview (continued)
24 System Maintenance
  24.1 System Status
  24.2 System Information and Console Port Speed
    24.2.1 System Information
    24.2.2 Console Port Speed
  24.3 Log and Trace
    24.3.1 View Error Log
    24.3.2 Syslog Logging
    24.3.4 Call-Triggering Packet
  24.4 Diagnostic...
3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER].
Note that as you type a password, the screen displays an “x” for each character you type.
23.5 Resetting the ZyWALL
See Section 2.3 on page 54 for directions on resetting the ZyWALL.
Chapter 24 SMT Menu 1 - General Setup
Menu 1 - General Setup contains administrative and system-related information.
24.1 Introduction to General Setup
Menu 1 - General Setup contains administrative and system-related information.
24.2 Configuring General Setup
1 Enter 1 in the main menu to open Menu 1 - General Setup.
Table 137 Menu 1: General Setup (Router Mode) (continued)
Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…”...
24.2.1 Configuring Dynamic DNS
To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
Figure 211 Menu 1.1.1: DDNS Edit Host
Menu 1.1.1 - DDNS Edit Host
Hostname= MyDevice
DDNS Type= DynamicDNS
Enable Wildcard Option= No
Enable Off Line Option= N/A
IP Address Update Policy:
Let DDNS Server Auto Detect= No
Use User-Defined= No
Use WAN IP Address= N/A
Press ENTER to Confirm or ESC to Cancel:...
Table 141 Menu 1.1.1: DDNS Edit Host (continued)
Let DDNS Server Auto Detect: Only select this option when there are one or more NAT routers between the ZyWALL and the DDNS server. Press [SPACE BAR] to select Yes and then press [ENTER] to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
Chapter 25 WAN and Dial Backup Setup
This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.
25.1 Introduction to WAN and Dial Backup Setup
This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.
The following table describes the fields in this screen.
Table 142 MAC Address Cloning in WAN Setup
MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
Figure 213 Menu 2: Dial Backup Setup
Menu 2 - WAN Setup
MAC Address:
Assigned By= Factory default
IP Address= N/A
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= Yes
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Figure 214 Menu 2.1: Advanced WAN Setup
Menu 2.1 - Advanced WAN Setup
AT Command Strings:
Dial= atdt
Drop= ~~+++~~ath
Answer= ata
Drop DTR When Hang Up= Yes
AT Response Strings:...
Call Control:
Dial Timeout(sec)= 60
Retry Count= 0
Retry Interval(sec)= N/A
Drop Timeout(sec)= 20
Call Back Delay(sec)= 15
Table 145 Advanced WAN Port Setup: Call Control Parameters
Call Control
Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
Figure 215 Menu 11.2: Remote Node Profile (Backup ISP)
Menu 11.2 - Remote Node Profile (Backup ISP)
Rem Node Name=
Active= No
Outgoing:
My Login= ChangeMe
My Password= ********
Retype to Confirm= ********...
Edit PPP Options= No
Edit IP= No
Edit Script Options= No
Telco Option:
Table 146 Menu 11.2: Remote Node Profile (Backup ISP) (continued)
Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.2.2 - Remote Node Network Layer Options. See Section 25.8 on page 388 for more information.
Figure 216 Menu 11.2.1: Remote Node PPP Options
Menu 11.2.1 - Remote Node PPP Options
Encapsulation= Standard PPP
Compression= No
Enter here to CONFIRM or ESC to CANCEL:
This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.
Figure 217 Menu 11.2.2: Remote Node Network Layer Options
Menu 11.2.2 - Remote Node Network Layer Options
IP Address Assignment= Static
Rem IP Addr= 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
Network Address Translation= SUA Only
Metric= 15
Private= No
RIP Direction= None...
Table 148 Menu 11.2.2: Remote Node Network Layer Options
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1, RIP-2B and RIP-2M.
Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group.
...after you enter the password, then you should create a third set to match the final “PPP...” but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after sending your password to the server. If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout”...
Use menu 11.2.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
Chapter 26 LAN Setup
This chapter describes how to configure the LAN using Menu 3 - LAN Setup.
26.1 Introduction to LAN Setup
This chapter describes how to configure the ZyWALL for LAN connections.
26.2 Accessing the LAN Menus
From the main menu, enter 3 to open Menu 3 - LAN Setup.
Figure 221 Menu 3.1: LAN Port Filter Setup
Menu 3.1 - LAN Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:
26.4 TCP/IP and DHCP Ethernet Setup Menu
From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
Figure 223 Menu 3.2: TCP/IP and DHCP Ethernet Setup
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP= Server
Client IP Pool:
Starting Address= 192.168.1.33
Size of Client IP Pool= 128
First DNS Server= From ISP...
TCP/IP Setup:
IP Address= 192.168.1.1
IP Subnet Mask= 255.255.255.0
Table 150 Menu 3.2: DHCP Ethernet Setup Fields
First DNS Server, Second DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
26.4.1 IP Alias Setup
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. You must use menu 3.2 to configure the first network.
Table 152 Menu 3.2.1: IP Alias Setup (continued)
Outgoing Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
Chapter 27 Internet Access
This chapter shows you how to configure your ZyWALL for Internet access.
27.1 Introduction to Internet Access Setup
Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
The following table describes the fields in this menu.
Table 153 Menu 4: Internet Access Setup (Ethernet)
ISP’s Name: This is the descriptive name of your ISP for identification purposes.
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
27.3 Configuring the PPTP Client
Note: The ZyWALL supports only one PPTP server connection at any given time.
To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
Figure 227 Internet Access Setup (PPPoE)
Menu 4 - Internet Access Setup
ISP's Name= WAN_1
Encapsulation= PPPoE
Service Type= N/A
My Login=
My Password= ********
Retype to Confirm= ********
Idle Timeout= 100
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A...
Chapter 28 Remote Node Setup
This chapter shows you how to configure a remote node.
28.1 Introduction to Remote Node Setup
A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
28.3.1 Ethernet Encapsulation
There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.x screen you see is for Ethernet encapsulation shown next.
Table 156 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued)
My Login: This field is applicable for PPPoE encapsulation only. Enter the login name assigned by your ISP when the ZyWALL calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server.
Figure 230 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Encapsulation= PPPoE
Service Type= Standard
Service Name=
Outgoing:...
Route= IP
Bridge= No
Edit IP= No
Telco Option:
Allocated Budget(min)= 0
28.3.2.3 Metric
See Section 7.2 on page 109 for details on the Metric field.
Table 157 Fields in Menu 11.1 (PPPoE Encapsulation Specific)
Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
Figure 231 Menu 11.1: Remote Node Profile for PPTP Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Encapsulation= PPTP
Service Type= Standard
Service Name= N/A
Outgoing:...
Route= IP
Bridge= No
Edit IP= No
Telco Option:
Allocated Budget(min)= 0
Figure 232 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation
Menu 11.1.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
Rem IP Addr= N/A
Rem Subnet Mask= N/A
My WAN Addr= N/A
Network Address Translation= SUA Only
NAT Lookup Set= 255
Metric= 1...
Table 159 Remote Node Network Layer Options Menu Fields (continued)
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...
Figure 235 Menu 11.1.5: Traffic Redirect Setup
Menu 11.1.5 - Traffic Redirect Setup
Active= Yes
Configuration:
Backup Gateway IP Address= 0.0.0.0
Metric= 14
Check WAN IP Address= 0.0.0.0
Fail Tolerance= 10
Period(sec)= 300
Timeout(sec)= 8
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.
Chapter 29 IP Static Route Setup
This chapter shows you how to configure static routes with your ZyWALL.
29.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
Figure 237 Menu 12.1: Edit IP Static Route
Menu 12.1 - Edit IP Static Route
Route #: 3
Route Name= ?
Active= No
Destination IP Address= ?
IP Subnet Mask= ?
Gateway IP Address= ?
Metric= 2
Private= No
Press ENTER to CONFIRM or ESC to CANCEL:...
CHAPTER 30: Network Address Translation (NAT)
This chapter discusses how to configure NAT on the ZyWALL.
30.1 Using NAT
Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.

Figure 238 Menu 4: Applying NAT for Internet Access
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Retype to Confirm= N/A
  Login Server= N/A
  Relogin Every (min)=
  IP Address Assignment= Dynamic
  IP Address= N/A...

The following table describes the fields in this menu.
Table 162 Applying NAT in Menus 4 & 11.1.2
FIELD: Network Address Translation
OPTION: Full Feature
DESCRIPTION: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see...

Figure 241 Menu 15.1: Address Mapping Sets
Menu 15.1 - Address Mapping Sets
  1. NAT_SET
  255. SUA (read only)
  Enter Menu Selection Number:
30.2.1.1 SUA Address Mapping Set
Enter 255 to display the next screen (see also Section 30.1.1 on page 415).

Table 163 SUA Address Mapping Rules
FIELD / DESCRIPTION
Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255.
Global Start IP: This is the starting global IP address (IGA).
30.2.1.3 Ordering Your Rules
Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your newly configured rule, your configured rule will be pushed up by that number of empty rules.
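To make the two rules of this section concrete (first match wins; empty slots push later rules up), here is an added Python model of an address mapping set. It is illustration code written for this page, not ZyXEL firmware logic or any ZyWALL API. It models only the two rule types this chapter's examples use, One-to-One and Many-One-to-One; the rule table and addresses are constructed for the demonstration, and the Many-One-to-One global range end (10.132.50.3) is an assumption, not a value from the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MappingRule:
    """One row of an address mapping set (menu 15.1.1), as modelled here.

    One-to-One: a single local IP (ILA) mapped to a single global IP (IGA);
    local_start == local_end for such a rule.
    Many-One-to-One: a local range mapped position by position onto a
    global range of the same size.
    """
    rule_type: str
    local_start: str
    local_end: str
    global_start: str
    global_end: str


def compact_set(slots: List[Optional[MappingRule]]) -> List[MappingRule]:
    """Empty slots before a rule push that rule up by the number of empty
    slots, so the effective order is simply the non-empty rules in slot order."""
    return [rule for rule in slots if rule is not None]


def translate(local_ip: str, rules: List[MappingRule]) -> Optional[Tuple[int, str]]:
    """Apply the rules in order to an outgoing packet from local_ip.

    Returns (rule number, global IP) for the first matching rule; later rules
    are ignored once one matches. Returns None when no rule covers the address.
    """
    ila = IPv4Address(local_ip)
    for number, rule in enumerate(rules, start=1):
        lo, hi = IPv4Address(rule.local_start), IPv4Address(rule.local_end)
        if not (lo <= ila <= hi):
            continue  # this rule does not cover the packet; try the next one
        if rule.rule_type == "One-to-One":
            return number, rule.global_start
        if rule.rule_type == "Many-One-to-One":
            # The position inside the local range selects the same position
            # inside the global range.
            iga = IPv4Address(rule.global_start) + (int(ila) - int(lo))
            if iga > IPv4Address(rule.global_end):
                raise ValueError(f"rule {number}: global range too small for {local_ip}")
            return number, str(iga)
        raise ValueError(f"rule {number}: unsupported type {rule.rule_type!r}")
    return None


# Constructed sample rules (hypothetical values, not from the user's guide).
ONE_TO_ONE_11 = MappingRule("One-to-One", "192.168.1.11", "192.168.1.11",
                            "10.132.50.5", "10.132.50.5")
MANY_10_TO_12 = MappingRule("Many-One-to-One", "192.168.1.10", "192.168.1.12",
                            "10.132.50.1", "10.132.50.3")


def demo() -> Tuple[Optional[Tuple[int, str]], Optional[Tuple[int, str]]]:
    """Same two rules, two orders: 192.168.1.11 is translated differently.

    Order A: the One-to-One rule sits in slot 2 and the range rule in slot 4;
    the empty slots 1 and 3 push them up to positions 1 and 2.
    Order B: the range rule comes first and captures 192.168.1.11 before the
    One-to-One rule is ever consulted.
    """
    order_a = compact_set([None, ONE_TO_ONE_11, None, MANY_10_TO_12])
    order_b = compact_set([MANY_10_TO_12, ONE_TO_ONE_11])
    return translate("192.168.1.11", order_a), translate("192.168.1.11", order_b)


if __name__ == "__main__":
    print(demo())  # ((1, '10.132.50.5'), (1, '10.132.50.2'))
```

The point for a reviewer of a NAT configuration: an overlapping rule placed earlier silently shadows a more specific one placed later, so check the effective (compacted) order, not the slot numbers you typed them into.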
Figure 244 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Menu 15.1.1.1 Address Mapping Rule
  Type= One-to-One
  Local IP:
    Start=
    End= N/A
  Global IP:
    Start=
    End= N/A
  Server Mapping Set= N/A
  Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this menu.

30.3 Configuring a Server Behind NAT
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
Follow these steps to configure a server behind NAT:
1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.

Figure 246 Menu 15.2.x: NAT Server Configuration
Menu 15.2.3 - NAT Server Configuration
  Index= 2
  ------------------------------------------------
  Name= 1
  Active= Yes
  Start port= 21
  End port= 25
  IP Address= 192.168.1.33
  Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.

Figure 247 Menu 15.2: NAT Server Setup
Menu 15.2 - NAT Server Setup
  Default Server: 0.0.0.0
  Rule  Act.  Start Port  End Port  IP Address
  ------------------------------------------------------
                                    0.0.0.0
                                    192.168.1.33
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
  Select Command= None
  Select Rule= N/A
  Press ENTER to Confirm or ESC to Cancel:...

Figure 249 NAT Example 1
Figure 250 Menu 4: Internet Access & NAT Example
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Retype to Confirm= N/A
  Login Server= N/A
  Relogin Every (min)=
  IP Address Assignment= Dynamic...

30.4.2 Example 2: Internet Access with a Default Server
Figure 251 NAT Example 2
In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Default Server behind the NAT as shown in the next figure.

1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).

7 When finished, menu 15.1.1 should look as shown in Figure 256 on page 429.
Figure 254 Example 3: Menu 11.1.2
Menu 11.1.2 - Remote Node Network Layer Options
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A
  Gateway IP Addr= N/A
  Network Address Translation= SUA Only...

Figure 256 Example 3: Final Menu 15.1.1
Menu 15.1.1 - Address Mapping Rules
  Set Name= Example3
  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
  ---------------  ---------------  ---------------  ---------------
  1. 192.168.1.10                   10.132.50.1
     192.168.1.11                   10.132.50.2...

Figure 257 Example 3: Menu 15.2
Menu 15.2 - NAT Server Setup
  Default Server: 0.0.0.0
  Rule  Act.  Start Port  End Port  IP Address
  ------------------------------------------------------
                                    192.168.1.21
                                    192.168.1.20
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
                                    0.0.0.0
  Select Command= None
  Select Rule= N/A
  Press ENTER to Confirm or ESC to Cancel:
30.4.4 Example 4: NAT Unfriendly Application Programs...

Follow the steps outlined in example 3 above to configure these two menus as follows.
Figure 259 Example 4: Menu 15.1.1.1: Address Mapping Rule
Menu 15.1.1.1 Address Mapping Rule
  Type= Many-One-to-One
  Local IP:
    Start= 192.168.1.10
    End= 192.168.1.12
  Global IP:
    Start= 10.132.50.1...

Figure 260 Example 4: Menu 15.1.1: Address Mapping Rules
Menu 15.1.1 - Address Mapping Rules
  Set Name= Example4
  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
  ---------------  ---------------  ---------------  ---------------
  192.168.1.10     192.168.1.12     10.132.50.1...

Note: Only one LAN computer can use a trigger port (range) at a time.
Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports.
Figure 261 Menu 15.3: Trigger Port Setup
Menu 15.3 - Trigger Port Setup
  Incoming  Trigger
  Rule...
CHAPTER 31: Introducing the ZyWALL Firewall
This chapter shows you how to get started with the ZyWALL firewall.
31.1 Accessing the Firewall Settings
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer.

Figure 263 Menu 21.2: Firewall Setup
Menu 21.2 - Firewall Setup
  The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.

CHAPTER 32: Filter Configuration
This chapter shows you how to create and apply filters.
32.1 Introduction to Filters
Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.

32.1.1 The Filter Structure of the ZyWALL
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.

Figure 265 Filter Rule Process
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.

32.2 Packet Filtering Versus Firewall
Below are some comparisons between the ZyWALL's filtering and firewall functions.
32.2.1 Packet Filtering
Packet filtering restricts access based on the source/destination computer network address of a packet and the type of application. •...

32.2.2.1 When To Use The Firewall
1 To prevent DoS attacks and prevent hackers cracking your network.
2 A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.

Figure 267 Menu 21.1: Filter Set Configuration
Menu 21.1 - Filter Set Configuration
  Filter Set #  Comments           Filter Set #  Comments
  ------------  -----------------  ------------  -----------------
                _______________                  _______________
                _______________                  _______________
                _______________                  _______________
                _______________                  _______________
                _______________                  _______________
                _______________                  _______________
  Enter Filter Set Number to Configure= 0...

The protocol dependent filter rule abbreviations are listed as follows:
Table 170 Rule Abbreviations Used
ABBREVIATION / DESCRIPTION
Pr: Protocol
SA: Source Address
SP: Source Port number
DA: Destination Address
DP: Destination Port number
Off: Offset
Len: Length
Refer to the next section for information on configuring the filter rules.

Figure 268 Menu 21.1.1.1: TCP/IP Filter Rule
Menu 21.1.1.1 - TCP/IP Filter Rule
  Filter #: 1,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 0
  IP Source Route= No
  Destination:
    IP Addr=
    IP Mask=
    Port #=
    Port # Comp= None
  Source:
    IP Addr=...
Table 171 Menu 21.1.1.1: TCP/IP Filter Rule
FIELD / DESCRIPTION
Port #: Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.
Port # Comp: Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the source port in the packet against the value given in Source: Port #.
Figure 269 Executing an IP Filter
32.3.3 Configuring a Generic Filter Rule
This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
Table 172 Generic Filter Rule Menu Fields
FIELD / DESCRIPTION
More: If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.

5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary.
6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.

Figure 273 Example Filter Rules Summary: Menu 21.1.3
Menu 21.1.3 - Filter Rules Summary
  #  A  Type  Filter Rules                                     M  m  n
  -  -  ----  -----------------------------------------------  -  -  -
  1  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23              N  D  F
  Enter Filter Rule Number (1-6) to Configure: 1
This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type =...

Figure 274 Protocol and Device Filter Sets
32.6 Firewall Versus Filters
Firewall configuration is discussed in Chapter 8 on page 131. Further comparisons are also made between filtering, NAT and the firewall.
32.7 Applying a Filter
This section shows you where to apply the filter(s) after you design it (them).

Figure 275 Filtering LAN Traffic
Menu 3.1 - LAN Port Filter Setup
  Input Filter Sets:
    protocol filters=
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=
  Press ENTER to Confirm or ESC to Cancel:
32.7.2 Applying Remote Node Filters
Go to menu 11.1.4 (shown below -...
CHAPTER 33: SNMP Configuration
This chapter explains SNMP configuration menu 22.
33.1 SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The "community" for Get, Set and Trap fields is SNMP terminology for password.

Table 173 SNMP Configuration Menu Fields (continued)
FIELD / DESCRIPTION
Destination: Type the IP address of the station to send your SNMP traps to.
When you have completed this menu, press [ENTER] at the prompt "Press [ENTER] to confirm or [ESC] to cancel"...

CHAPTER 34: System Information & Diagnosis
This chapter covers SMT menus 24.1 to 24.4.
34.1 Introduction to System Status
This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.

3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
Figure 279 Menu 24.1: System Maintenance: Status
Menu 24.1 - System Maintenance - Status          07:15:51 Fri....

Table 175 System Maintenance: Status Menu Fields (continued)
FIELD / DESCRIPTION
IP Address: This is the IP address of the port listed on the left.
IP Mask: This is the IP mask of the port listed on the left.
DHCP: This is the DHCP setting of the port listed on the left.

Figure 281 Menu 24.2.1: System Maintenance: Information
Menu 24.2.1 - System Maintenance - Information
  Name:
  Routing: IP
  ZyNOS F/W Version: V4.00(WM.0)b2 | 07/25/2005
  Country Code: 255
  Ethernet Address: 00:A0:C5:01:23:45
  IP Address: 192.168.1.1
  IP Mask: 255.255.255.0
  DHCP: Server
  Press ESC or RETURN to Exit:
The following table describes the fields in this screen.

Figure 282 Menu 24.2.2: System Maintenance: Change Console Port Speed
Menu 24.2.2 - System Maintenance - Change Console Port Speed
  Console Port Speed: 9600
  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.
34.4 Log and Trace
There are two logging facilities in the ZyWALL.

Figure 284 Examples of Error and Information Messages
  53 Thu Jul 1 05:54:53 2004 PINI INFO  Channel 0 ok
  54 Thu Jul 1 05:54:56 2004 PP05 -WARN SNMP TRAP 3: interface 3: link up
  55 Thu Jul 1 05:54:56 2004 PP0d INFO  LAN promiscuous mode <0>...
1 CDR
CDR Message Format
  SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
  String = board xx line xx channel xx, call xx, str
  board = the hardware board ID
  line = the WAN ID in a board
  channel = channel ID within the WAN
  call = the call reference number which starts from 1 and increments by 1 for each new call...
Filter log Message Format
  SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
  String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
  Src: Source Address
  Dst: Destination Address
  prot: Protocol ("TCP","UDP","ICMP")
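When these filter log messages are forwarded to a syslog host, the useful part for review is the trailer (which set, which rule, matched, dropped or forwarded). The following Python parser is an added example written for this page, not ZyXEL code, and it follows only the layout documented above. The sample lines are constructed in that layout, not captured device output. The letter D (drop) is the only action the chapter spells out; treating F as forward is an assumption drawn from the D/F entries in the Action Matched and Action Not Matched columns of the filter rules summary (Figure 273).

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Filter log trailer layout from this chapter:
#   IP[Src=a.b.c.d Dst=a.b.c.d prot spo=nnnn dpo=nnnn] S04>R01mD
# S<set> = filter set number, R<rule> = rule number, m = matched, D = drop.
FILTER_LOG_RE = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<prot>TCP|UDP|ICMP) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<flag>[a-z])(?P<action>[A-Z])"
)

# 'D' = drop is documented on the page. 'F' = forward is an assumption
# (the D/F action letters in the filter rules summary); anything else is
# reported as unknown rather than guessed.
ACTIONS = {"D": "drop", "F": "forward"}


def parse_filter_log(line: str) -> Optional[Dict]:
    """Parse one filter log line; return None for lines in another format
    (e.g. the PINI/PP05 information messages) so they can be skipped."""
    m = FILTER_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "prot": d["prot"],
        "spo": int(d["spo"]),
        "dpo": int(d["dpo"]),
        "set": int(d["set"]),
        "rule": int(d["rule"]),
        "matched": d["flag"] == "m",
        "action": ACTIONS.get(d["action"], f"unknown({d['action']})"),
    }


def drops_by_rule(lines: List[str]) -> Dict[str, int]:
    """Count dropped packets per 'Sxx/Ryy' so a rule that fires unusually
    often (misconfiguration, or repeated hits on a blocked port) stands out."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop":
            counts[f"S{rec['set']:02d}/R{rec['rule']:02d}"] += 1
    return dict(counts)


# Constructed sample lines in the documented layout (not real device output).
SAMPLE_LINES = [
    "IP[Src=192.168.1.33 Dst=10.132.50.1 TCP spo=1054 dpo=23] S04>R01mD",
    "IP[Src=192.168.1.20 Dst=10.132.50.1 TCP spo=1055 dpo=23] S04>R01mD",
    "IP[Src=192.168.1.20 Dst=10.132.50.1 UDP spo=1056 dpo=53] S01>R02mF",
    "IP[Src=192.168.1.20 Dst=10.132.50.1 ICMP spo=0 dpo=0] S02>R03mD",
    "PINI INFO Channel 0 ok",  # unrelated message, ignored by the parser
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_filter_log(line))
    print(drops_by_rule(SAMPLE_LINES))  # {'S04/R01': 2, 'S02/R03': 1}
```

Because the regular expression searches rather than anchors at the start of the line, it also works when the syslog daemon prepends its own timestamp and host name to the message.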
34.4.3 Call-Triggering Packet
Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
Figure 286 Call-Triggering Packet Example
  IP Frame: ENET0-RECV  Size:  Time: 17:02:44.262...

1 From the main menu, select option 24 to open Menu 24 - System Maintenance.
2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
Figure 287 Menu 24.4: System Maintenance: Diagnostic
Menu 24.4 - System Maintenance - Diagnostic
  TCP/IP
    1....
Table 178 System Maintenance Menu Diagnostic
FIELD / DESCRIPTION
Host IP Address: If you entered 1 in the Enter Menu Selection Number field, then enter the IP address of the computer you want to ping in this field.
Enter the number of the selection you would like to perform or press [ESC] to cancel.
CHAPTER 35: Firmware and Configuration File Maintenance
This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
35.1 Introduction
Use the instructions in this chapter to change the ZyWALL's configuration file or upgrade its firmware.

The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.

Figure 288 Telnet into Menu 24.5
Menu 24.5 - Backup Configuration
  To transfer the configuration file to your workstation, follow the procedure below:
  1. Launch the FTP client on your workstation.
  2. Type "open" and the IP address of your router. Then type "root"...

35.3.3 Example of FTP Commands from the Command Line
Figure 289 FTP Session Example
  331 Enter PASS command
  Password:
  230 Logged in
  ftp> bin
  200 Type I OK
  ftp> get rom-0 zyxel.rom
  200 Port command okay
  150 Opening data connection for STOR ras
  226 File received OK
  ftp: 16384 bytes sent in 1.10Seconds...

4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
5 You have an SMT console session running.
35.3.6 Backup Configuration Using TFTP
The ZyWALL supports uploading and downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.

35.3.8 GUI-based TFTP Clients
The following table describes some of the fields that you may see in GUI-based TFTP clients.
Table 181 General Commands for GUI-based TFTP Clients
COMMAND / DESCRIPTION
Host: Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL's default IP address when shipped.

Figure 292 Backup Configuration Example
Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive.
4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.

Figure 294 Telnet into Menu 24.6
Menu 24.6 -- System Maintenance - Restore Configuration
  To transfer the firmware and configuration file to your workstation, follow the procedure below:
  1. Launch the FTP client on your workstation.
  2....

35.4.2 Restore Using FTP Session Example
Figure 295 Restore Using FTP Session Example
  ftp> put config.rom rom-0
  200 Port command okay
  150 Opening data connection for STOR rom-0
  226 File received OK
  221 Goodbye for writing flash
  ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.

4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
Figure 299 Successful Restoration Confirmation Screen
  Save to ROM
  Hit any key to start system reboot.
35.5 Uploading Firmware and Configuration Files
This section shows you how to upload firmware and configuration files.

Figure 300 Telnet Into Menu 24.7.1: Upload System Firmware
Menu 24.7.1 - System Maintenance - Upload System Firmware
  To upload the system firmware, follow the procedure below:
  1. Launch the FTP client on your workstation.
  2....

35.5.3 FTP File Upload Command from the DOS Prompt Example
1 Launch the FTP client on your computer.
2 Enter "open", followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a user name.
4 Enter your password as requested (the default is "1234").

1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 -...

Figure 303 Menu 24.7.1 As Seen Using the Console Port
Menu 24.7.1 - System Maintenance - Upload System Firmware
  To upload system firmware:
  1. Enter "y" at the prompt below to go into debug mode.
  2....

Figure 305 Menu 24.7.2 As Seen Using the Console Port
Menu 24.7.2 - System Maintenance - Upload System Configuration File
  To upload system configuration file:
  1. Enter "y" at the prompt below to go into debug mode.
  2....
CHAPTER 36: System Maintenance Menus 8 to 10
This chapter leads you through SMT menus 24.8 to 24.10.
36.1 Command Interpreter Mode
The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
Figure 308 Valid Commands
  Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
  ras> ?
  Valid commands are:...

36.2 Call Control Support
The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times.

Figure 310 Budget Management
Menu 24.9.1 - Budget Management
  Remote Node   Connection Time/Total Budget   Elapsed Time/Total Period
  1.ChangeMe    No Budget                      No Budget
  2.Dial        No Budget                      No Budget
  Reset Node (0 to update screen):
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.

Figure 311 Call History
Menu 24.9.2 - Call History
  Phone Number   Rate   #call   Total
  Enter Entry to Delete(0 to exit):
The following table describes the fields in this screen.
Table 184 Call History
FIELD / DESCRIPTION
Phone Number: The PPPoE service names are shown here.

Figure 312 Menu 24: System Maintenance
Menu 24 - System Maintenance
  System Status
  System Information and Console Port Speed
  Log and Trace
  Diagnostic
  Backup Configuration
  Restore Configuration
  Upload Firmware
  Command Interpreter Mode
  Call Control
  10. Time and Date Setting
  11....

Table 185 Menu 24.10 System Maintenance: Time and Date Setting
FIELD / DESCRIPTION
Time Protocol: Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Table 185 Menu 24.10 System Maintenance: Time and Date Setting (continued)
FIELD / DESCRIPTION
End Date (mm-nth-week-hr): Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October.

CHAPTER 37: Remote Management
This chapter covers remote management found in SMT menu 24.11.
37.1 Remote Management
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via: •...

Figure 314 Menu 24.11 - Remote Management Control
Menu 24.11 - Remote Management Control
  TELNET Server:  Port = 23  Access = ALL  Secure Client IP = 0.0.0.0
  FTP Server:     Port = 21  Access = ALL  Secure Client IP = 0.0.0.0
  SSH Server:     Certificate = auto_generated_self_signed_cert...

37.1.1 Remote Management Limitations
Remote management over LAN or WAN will not work when:
1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in menu 24.11.

CHAPTER 38: Call Scheduling
Call scheduling allows you to dictate when a remote node should be called and for how long.
38.1 Introduction to Call Scheduling
The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.

Table 187 Schedule Set Setup (continued)
FIELD / DESCRIPTION
Action: Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line.

Figure 318 Applying Schedule Set(s) to a Remote Node (PPTP)
Menu 11.1 - Remote Node Profile
  Rem Node Name= ChangeMe
  Route= IP
  Active= Yes
  Encapsulation= PPTP
  Edit IP= No
  Service Type= Standard
  Telco Option:
    Allocated Budget(min)= 0
  Outgoing=
    Period(hr)= 0
  My Login=...

CHAPTER 39: Troubleshooting
This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.

39.3 Problems with the WAN Interface
Table 190 Troubleshooting the WAN Interface
PROBLEM / CORRECTIVE ACTION
Cannot get WAN IP address from the ISP.: The ISP provides the WAN IP address after authentication. Authentication may be through the user name and password, the MAC address or the host name.

Table 191 Troubleshooting Accessing the ZyWALL
PROBLEM / CORRECTIVE ACTION
Cannot access the web configurator.: Make sure that there is not an SMT console session running. Use the ZyWALL's WAN IP address when configuring from the WAN. Refer to the instructions on checking your WAN connection.

39.4.1.1.1 Disable pop-up Blockers
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.
Figure 319 Pop-up Blocker
You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

39.4.1.1.2 Enable pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
1 In Internet Explorer, select Tools > Internet Options > Privacy.
2 Select Settings… to open the Pop-up Blocker Settings screen.
Figure 321 Internet Options: Privacy
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://".

Figure 322 Pop-up Blocker Settings
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
39.4.1.2 JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

Figure 323 Internet Options: Security
2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

Figure 324 Security Settings - Java Scripting
39.4.1.3 Java Permissions
1 From Internet Explorer, click Tools > Internet Options > Security.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 325 Security Settings - Java
39.4.1.3.1 JAVA (Sun)
1 From Internet Explorer, click Tools > Internet Options > Advanced.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.

Figure 326 Java (Sun)
39.5 Packet Flow
The following is the packet check flow on the ZyWALL.
LAN to WAN: LAN Data and Call Filtering (in SMT menu 21) -> Firewall -> Remote Node Data Filtering (in SMT menu 21) -> Content Filtering -> NAT
WAN to LAN: Remote Node Data Filtering (in SMT menu 21) ->...

APPENDIX A: Product Specifications
See also the Introduction chapter for a general overview of the key features.
Specification Tables
Table 192 Device Specifications
  Default LAN IP Address: 192.168.1.1
  Default Subnet Mask: 255.255.255.0 (24 bits)
  Default Password: 1234...

Table 194 Firmware Features (continued)
Other Protocol Support:
  PPP (Point-to-Point Protocol) link layer protocol.
  Transparent bridging for unsupported network layer protocols.
  DHCP Server/Client/Relay
  RIP I/RIP II
  ICMP
  SNMP v1 and v2c with MIB II support (RFC 1213)
  IP Multicasting IGMP v1 and v2
  IGMP Proxy
  UPnP...

Figure 328 Ethernet Cable Pin Assignments
Wall Mounting Specifications
Use two M4 x 30 mm screws to wall-mount the ZyWALL. The holes for the wall-mounting screws should be 108 mm apart.
Power Adaptor Specifications
Table 198 Power Adaptor Specifications
  AC Power Adapter Model: PSA18R-120P
  Input Power...
APPENDIX B: Wall-mounting Instructions
Do the following to hang your ZyWALL on a wall.
Note: See the product specifications appendix for the size of screws to use and how far apart to place them.
1 Locate a high position on the wall that is free of obstructions.
APPENDIX C: Setting up Your Computer's IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.

Figure 330 Windows 95/98/Me: Network: Configuration
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
1 In the Network window, click Add.

3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click
5 Restart your computer so the changes you made take effect.
Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties
2 Click the IP Address tab.

Figure 332 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
4 Click the Gateway tab.
• If you do not know your gateway's IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.

Figure 333 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
Figure 334 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.

Figure 335 Windows XP: Control Panel: Network Connections: Properties
4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
Figure 336 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).

• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
• Click Advanced.
Figure 337 Windows XP: Internet Protocol (TCP/IP) Properties
6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Figure 338 Windows XP: Advanced TCP/IP Properties
7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
•...

Figure 339 Windows XP: Internet Protocol (TCP/IP) Properties
8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).

Figure 340 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 341 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.

4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
•...

Figure 343 Macintosh OS X: Network
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
•...

Note: Make sure you are logged in as the root administrator.
Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

• If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
• If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.

1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
•...
Appendix D IP Subnetting

IP Addressing

Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP Classes

An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.

Since the first octet of a class “A” IP address must begin with a “0” bit, the first octet of a class “A” address can have a value of 0 to 127. Similarly, the first octet of a class “B” address must begin with “10”, therefore the first octet of a class “B”...

Since the mask is always a continuous run of ones beginning from the left, followed by a continuous run of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/”...

Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet.

Example: Four Subnets

The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly, to divide a class “C” address into four subnets, you need to “borrow”...

Subnetting With Class A and Class B Networks

For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B”...
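The subnetting rules above (classful first-octet ranges, a mask as one continuous run of ones written as /n, and borrowed host bits giving 2^borrowed subnets with 2^remaining - 2 usable hosts each) can be checked with a small script. The following is an added example, not code from the ZyWALL guide or firmware; it reproduces the guide's class C two-subnet (/25) and four-subnet (/26) cases and generalizes to any prefix, including the class A and B cases the appendix mentions. The sample network and mask are constructed inputs.

```python
import ipaddress

# Constructed sample inputs used by demo(): the guide's class C example
# network and a 26-bit mask from its charts. Not from the ZyWALL firmware.
SAMPLE_NETWORK = "192.168.1.0/24"
SAMPLE_MASK = "255.255.255.192"


def address_class(address: str) -> str:
    """Classful class of a dotted-decimal address from its leading bits:
    class A begins with 0 (first octet 0-127), class B with 10 (128-191),
    class C with 110 (192-223)."""
    first = int(address.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"


def mask_to_prefix(mask: str) -> int:
    """Return the /n prefix length of a dotted-decimal mask. Rejects masks whose
    ones are not one continuous run from the left (e.g. 255.0.255.0), which is
    exactly the property that lets a mask be written as a single /n number."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask}")
    value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    ones = bin(value).count("1")
    # A contiguous mask equals the all-ones word shifted left by its zero count.
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def subnet_plan(network: str, borrowed_bits: int) -> dict:
    """Borrow `borrowed_bits` host ID bits from `network` (CIDR notation) and report
    what the appendix's charts describe: the new prefix length and mask, the number
    of subnets (2^borrowed) and usable hosts per subnet (2^remaining - 2, since the
    network and broadcast addresses cannot be assigned), plus each subnet's
    network address, first host, last host and broadcast address."""
    base = ipaddress.ip_network(network, strict=True)
    new_prefix = base.prefixlen + borrowed_bits
    if borrowed_bits < 0 or new_prefix > 30:
        raise ValueError("a subnet needs at least two usable host addresses")
    subnets = list(base.subnets(prefixlen_diff=borrowed_bits))
    return {
        "prefix": new_prefix,
        "mask": str(subnets[0].netmask),
        "subnet_count": 2 ** borrowed_bits,
        "hosts_per_subnet": 2 ** (32 - new_prefix) - 2,
        "ranges": [
            (str(s.network_address), str(s[1]), str(s[-2]), str(s.broadcast_address))
            for s in subnets
        ],
    }


def demo() -> dict:
    """Reproduce the guide's two-subnet (/25) and four-subnet (/26) class C cases."""
    return {
        "class": address_class(SAMPLE_NETWORK.split("/")[0]),
        "prefix_of_sample_mask": mask_to_prefix(SAMPLE_MASK),
        "two_subnets": subnet_plan(SAMPLE_NETWORK, 1),
        "four_subnets": subnet_plan(SAMPLE_NETWORK, 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The contiguity check in mask_to_prefix is the one worth keeping in any configuration validator: a mask such as 255.0.255.0 is accepted by some dotted-decimal parsers but has no /n equivalent and silently produces a routing table nobody intended.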
Appendix E Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.

•...

Table 213 Commonly Used Services

HTTP: Hyper Text Transfer Protocol - a client/server protocol for the world wide web.

HTTPS: HTTPS is a secured HTTP session often used in e-commerce.

ICMP (protocol: User-Defined): Internet Control Message Protocol is often...

SFTP: Simple File Transfer Protocol.

SMTP: Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
Appendix F VPN Setup

This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users.

General Notes

•...

The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/Remote Starting IP Address settings with your own values.

Figure 355 Branch Office Gateway Policy Edit (callout: The IP address of the headquarters IPSec router.)

3 Click the add network policy ( ) icon next to the BRANCH gateway policy to configure a VPN policy.

Figure 356 Headquarters VPN Rule

Figure 357 Branch Office VPN Rule

4 Configure the screens in the headquarters and the branch office as follows and click Apply.

Figure 358 Headquarters Network Policy Edit (callouts: Activate the network policy. IP addresses on different subnets.)

Figure 359 Branch Office Network Policy Edit (callouts: Activate the network policy. IP addresses on different subnets.)

Dialing the VPN Tunnel via Web Configurator

To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.

Figure 360 VPN Rule Configured

The following screen displays.

Figure 361 VPN Dial

This screen displays later if the IPSec routers can build the VPN tunnel.

Figure 362 VPN Tunnel Established

VPN Troubleshooting

If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.

VPN Log

The system log can often help to identify a configuration problem.

IPSec Debug

If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8).

Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.

Use a VPN Tunnel

A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email.
Appendix G Importing Certificates

This appendix shows examples of importing certificates using Internet Explorer 5.

Import ZyWALL Certificates into Netscape Navigator

In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.

Figure 366 Login Screen

2 Click Install Certificate to open the Install Certificate wizard.

Figure 367 Certificate General Information before Import

3 Click Next to begin the Install Certificate wizard.

Figure 368 Certificate Import Wizard 1

4 Select where you would like to store the certificate and then click Next.

Figure 369 Certificate Import Wizard 2

5 Click Finish to complete the Import Certificate wizard.

Figure 370 Certificate Import Wizard 3

6 Click Yes to add the ZyWALL certificate to the root store.

Figure 371 Root Certificate Store

Figure 372 Certificate General Information after Import

Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for Authenticate Client Certificates to be active (see the Certificates chapter for details).

Figure 373 ZyWALL Trusted CA Screen

The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

Installing the CA’s Certificate

1 Double-click the CA’s trusted certificate to produce a screen similar to the one shown next.

Figure 374 CA Certificate Example

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

Installing Your Personal Certificate(s)

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.

Figure 375 Personal Certificate Import Wizard 1

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

Figure 376 Personal Certificate Import Wizard 2

3 Enter the password given to you by the CA.

Figure 377 Personal Certificate Import Wizard 3

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

Figure 378 Personal Certificate Import Wizard 4

5 Click Finish to complete the wizard and begin the import process.

Figure 379 Personal Certificate Import Wizard 5

6 You should see the following screen when the certificate is correctly installed on your computer.

Figure 380 Personal Certificate Import Wizard 6

Using a Certificate When Accessing the ZyWALL Example

Use the following procedure to access the ZyWALL via HTTPS.

Figure 382 SSL Client Authentication

3 You next see the ZyWALL login screen.

Figure 383 ZyWALL Secure Login Screen
Appendix H Command Interpreter

The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode.
Appendix I Firewall Commands

The following describes the firewall commands. See Appendix H on page 569 for information on the command structure.

Table 214 Firewall Commands

Firewall Set-Up
  This command turns the firewall on or off.

E-mail
  config edit firewall e-mail mail-server <ip address of mail server>
    This command sets the IP address to which the e-mail messages are sent.
  config edit firewall e-mail
    This command sets the source e-mail address of the firewall e-mails.

Attack
  config edit firewall attack minute-high <0-255>
    This command sets the threshold rate of new half-open sessions per minute at which the ZyWALL starts deleting old half-open sessions until it gets them down to the minute-low threshold.

Sets
  config edit firewall set <set #> tcp-idle-timeout <seconds>
    This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed.
  config edit firewall set <set #>...
    This command sets whether or not the ZyWALL creates logs for packets that match...

Rules
  config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address>...
    This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet...
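The minute-high and minute-low thresholds in Table 214 describe a hysteresis control on half-open (embryonic) TCP sessions: once the rate of new half-open sessions climbs above minute-high, old half-open sessions are deleted to make room, and deletion continues until the rate is back below minute-low. The following is an added example modelling that behaviour in Python; it is not the ZyWALL firmware and the page does not give the device's exact algorithm. The sliding 60-second window, the oldest-first eviction order and the sample flows are all assumptions constructed for the example.

```python
from collections import OrderedDict, deque

# Constructed sample flows (RFC 5737 documentation addresses); not captured traffic.
SAMPLE_FLOWS = [f"198.51.100.{i}:4000->192.0.2.10:80" for i in range(1, 8)]


class HalfOpenGuard:
    """Half-open TCP session control with the hysteresis that minute-high /
    minute-low describe: once the count of new half-open sessions in the last
    minute rises above minute-high, the oldest half-open sessions are evicted to
    make room for new attempts, and eviction stops once that count falls below
    minute-low. Timestamps are injected so runs are deterministic.
    Assumptions not stated in Table 214: a sliding 60-second window and an
    oldest-first eviction order."""

    def __init__(self, minute_high: int, minute_low: int, window: float = 60.0):
        if not 0 <= minute_low <= minute_high <= 255:
            raise ValueError("need 0 <= minute-low <= minute-high <= 255")
        self.high, self.low, self.window = minute_high, minute_low, window
        self.new_times = deque()        # start times of half-open sessions within the window
        self.half_open = OrderedDict()  # flow -> start time, oldest first
        self.defending = False
        self.evicted = []               # flows dropped early, oldest first (what a log would show)

    def rate(self, now: float) -> int:
        """Number of new half-open sessions seen in the last `window` seconds."""
        while self.new_times and now - self.new_times[0] >= self.window:
            self.new_times.popleft()
        return len(self.new_times)

    def syn(self, flow: str, now: float) -> bool:
        """Record a new connection attempt (SYN seen, handshake not yet complete).
        Returns True when the guard is in its deleting state."""
        self.new_times.append(now)
        rate = self.rate(now)
        if rate > self.high:
            self.defending = True
        elif rate < self.low:
            self.defending = False
        if self.defending and self.half_open:
            victim, _ = self.half_open.popitem(last=False)  # oldest half-open session
            self.evicted.append(victim)
        self.half_open[flow] = now
        return self.defending

    def established(self, flow: str) -> None:
        """Handshake completed: the session is no longer half-open."""
        self.half_open.pop(flow, None)


def demo() -> HalfOpenGuard:
    """Seven attempts in seven seconds against minute-high=5 / minute-low=2,
    then a quiet period, then one more attempt."""
    guard = HalfOpenGuard(minute_high=5, minute_low=2)
    for t, flow in enumerate(SAMPLE_FLOWS):
        guard.syn(flow, now=float(t))
    guard.established(SAMPLE_FLOWS[4])  # one client finishes its handshake
    guard.syn("198.51.100.50:4000->192.0.2.10:80", now=200.0)
    return guard


if __name__ == "__main__":
    g = demo()
    print("evicted early:", g.evicted)
    print("still half-open:", list(g.half_open))
```

The two thresholds exist so the device does not flap: with a single threshold, a steady trickle of attempts right at the limit would start and stop eviction on every packet. Setting minute-low well below minute-high keeps the device in one state for a whole burst, which is also what makes the resulting log lines readable.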
Appendix J NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands. See Appendix H on page 569 for information on the command structure.

Introduction

NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.

The filter types and their default settings are as follows.

Table 215 NetBIOS Filter Default Settings

Between LAN and WAN: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. Example: Block.

IPSec Packets: This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded. Example: Forward.
Appendix K Certificates Commands

The following describes the certificate commands. See Appendix H on page 569 for information on the command structure. All of these commands start with certificates.

Table 216 Certificates Commands

my_cert...

create cmp_enroll <name> <CA addr> <CA cert>...
  Create a certificate request and enroll for a certificate immediately online using CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies...

replace_fact
  Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.

ca_trusted
  Import the PEM-encoded certificate from stdin.

delete <name>
  Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted.

list
  List all trusted remote host certificate names and basic information.
Appendix L Brute-Force Password Guessing Protection

Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
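The mechanism Appendix L describes is small enough to show in full: three wrong passwords start a wait-time, and no fourth attempt is evaluated until it expires. The following is an added example in Python, not the ZyWALL implementation; the page gives no detail beyond the three-failures-then-wait rule, so the password hashing (PBKDF2 with a constructed salt), the injected clock, and the decision to reset the failure counter when the wait expires are all assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed demo credential: a random salt and the sample password it protects.
# Nothing here is a ZyWALL default.
_SALT = os.urandom(16)
_DEMO_PASSWORD = "correct horse"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored verifiers are not cheaply reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordGate:
    """Wait-time protection as Appendix L describes it: after three incorrect
    passwords, no fourth attempt is evaluated until `wait_time` seconds have
    passed since the third failure. The clock is injected for deterministic tests.
    Assumption not stated in the appendix: the failure count resets when the
    wait-time expires and when a correct password is entered."""
    MAX_FAILURES = 3

    def __init__(self, password_hash: bytes, salt: bytes, wait_time: float):
        self.password_hash, self.salt, self.wait_time = password_hash, salt, wait_time
        self.failures = 0
        self.locked_at = None  # time of the third consecutive failure, or None

    def attempt(self, password: str, now: float) -> str:
        """Return "ok", "wrong" or "locked". A locked attempt is never compared
        against the stored hash, so even the right password is refused during
        the wait and the guesser learns nothing from it."""
        if self.locked_at is not None:
            if now - self.locked_at < self.wait_time:
                return "locked"
            self.locked_at, self.failures = None, 0
        candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.password_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_at = now
            return "locked"
        return "wrong"


def demo(wait_time: float = 60.0) -> list:
    """Three guesses, then the right password inside and after the wait-time."""
    gate = PasswordGate(hash_password(_DEMO_PASSWORD, _SALT), _SALT, wait_time)
    script = [
        ("guess1", 0.0),
        ("guess2", 1.0),
        ("guess3", 2.0),           # third failure starts the wait-time
        (_DEMO_PASSWORD, 30.0),    # correct, but still inside the wait-time
        (_DEMO_PASSWORD, 62.0),    # wait-time expired
    ]
    return [gate.attempt(pw, t) for pw, t in script]


if __name__ == "__main__":
    print(demo())
```

The point of refusing to evaluate the fourth password rather than merely slowing the response is that the lockout then bounds the number of guesses per wait-time interval exactly, which is the quantity a defender can reason about when choosing the wait-time value.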
Appendix M Boot Commands

The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.

Figure 385 Boot Module Commands

just answer OK
ATHE        print help
ATBAx       change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)   set BootExtension Debug Flag (y=password)
ATSE        show the seed of password generator
ATTI(h,m,s) change system time to hour:min:sec or show current time
ATDA(y,m,d) change system date to year/month/day or show...
Appendix N Log Descriptions

This appendix provides descriptions of example log messages.

Table 218 System Maintenance Logs

Time calibration is
  The router has adjusted its time based on information from the time server.

Configuration Change: PC = 0x%x, Task ID = 0x%x
  The router is saving configuration changes.

Successful SSH login
  Someone has logged on to the router’s SSH server.

Someone has failed to log on to the router’s SSH server.

Table 219 System Error Logs

DHCP Server cannot assign the static IP %S (out of range).
  The LAN subnet, LAN alias 1, or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid.

Table 221 TCP Reset Logs

Peer TCP state out of order, sent TCP RST
  The router sent a TCP reset packet when a TCP connection state was out of order. Note: The firewall refers to RFC 793 Figure 6 to check the TCP state.

Table 223 ICMP Logs

Packet without a NAT table entry blocked: ICMP
  The router blocked a packet that didn’t have a corresponding NAT table entry.

Unsupported/out-of-order ICMP: ...
  The firewall does not support this kind of ICMP packet or the ICMP packets are out of order.

Table 227 Content Filtering Logs

%s: Keyword blocking
  The content of a requested web page matched a user-defined keyword.

%s: Not in trusted web ...
  The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.

Table 228 Attack Logs

land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
  The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.

land ICMP (type:%d, code:%d)
  The firewall detected an ICMP land attack.

The firewall detected an IP spoofing attack on the WAN port.

IP address in FTP port command is different from the client IP address.
  The IP address in an FTP port command is different from the client IP address. It may be a bounce attack.

Table 230 IPSec Logs

Rule <%d> idle time out, disconnect
  The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn"...

Table 231 IKE Logs

Cannot resolve Secure Gateway Addr for rule <%d>
  The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address.

Peer ID: <peer id>...
  The displayed ID information did not match between the two...

XAUTH fail! Username: <Username>
  The router was not able to use extended authentication to authenticate the listed user name.

Rule[%d] Phase 1 negotiation ...
  The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.

Rule [%d] phase 2 mismatch
  The listed rule’s IKE phase 2 did not match between the router and the peer.

Rule [%d] Phase 2 key length mismatch
  The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and...

Table 232 PKI Logs

Failed to decode the received user cert
  The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.

Failed to decode the ...
  The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source...

Table 233 Certificate Path Verification Failure Reason Codes

CRL decoding failed.
CRL is not currently valid, but in the future.
CRL contains duplicate serial numbers.
Time interval is not continuous.
Time information not available.
Database method failed due to timeout.

Table 234 802.1X Logs

Use Local User Database to authenticate user.
  The local user database is operating as the authentication server.

Use RADIUS to authenticate user.
  The RADIUS server is operating as the authentication server.

Table 236 ICMP Notes

Redirect datagrams for the Type of Service and Network
Redirect datagrams for the Type of Service and Host
Echo: Echo message
Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded
Parameter Problem: Pointer indicates the error...

Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session"...

Table 238 RFC-2408 ISAKMP Payload Types

LOG DISPLAY: PAYLOAD TYPE
TRANS: Transform
Key Exchange
Identification
Certificate
CER_REQ: Certificate Request
HASH: Hash
Signature
NONCE: Nonce
NOTFY: Notification
Delete
Vendor ID

Log Commands

This section provides some general examples of how to use the log commands. The items that display with your device may vary but the basic function should be the same.

Figure 387 Displaying Log Parameters Example

ras> sys logs category access
Usage: [0:none/1:log/2:alert/3:both] [0:don't show debug type/1:show debug type]

4 Use sys logs category followed by a log category and a parameter to decide what to record.

Log Command Example

This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.

ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras>...
Index

Numerics 10/100 Mbps Ethernet WAN Backup 364, 468 Backup VPN Connection Backup WAN Bandwidth Borrowing Bandwidth Class Bandwidth Filter 269, 280 Action for Matched Packets Bandwidth Management 46, 269 Active 386, 388, 404 Bandwidth Management Statistics Active Protocol Bandwidth Manager Class Configuration Bandwidth Manager Class Setup...

Connection ID/Name Console Port 457, 458, 459 Configuration File Upload Edit IP 387, 405 File Backup Enable Wildcard File Upload Restoring Files Encapsulating Security Payload. See ESP. Contact Information Encapsulation 400, 404, 408 and Active Protocol Content Filter Categories and NAT Content Filter General...

SMT Menus Client Mode (Extended Authentication) When To Use Content Diffie-Hellman Key Group Firewall Threshold Encryption Algorithms Firmware File Extended Authentication Maintenance ID Type Flow Control IP Address, Remote IPSec Router 294, 297, 312, 469, 493 IP Address, ZyXEL Device File Upload Local Identity...

IPSec High Availability Many to One IPSec SA Max Age Active Protocol 185, 187 Maximize Bandwidth Usage 271, 276 and NetBIOS Maximum Incomplete High Authentication Algorithms Maximum Incomplete Low Authentication Key (for manual keys) Metric 109, 267, 389, 407, 410, 414 Encapsulation 185, 189...

Offline RADIUS 48, 243 and IKE SA One Minute High Shared Secret Key One Minute Low RADIUS Message Types One to One RADIUS Messages Outgoing Protocol Filters Rapid STP Outside Real time Transport Protocol Redundant VPN Connection Registration Product Related Documentation...

Safety Warnings System Name 352, 375 Schedule Sets System Statistics Duration System Status Scheduler 271, 276 System Timeout Schedules 405, 407, 408 Screws Secure FTP Using SSH Example Secure Telnet Using SSH Example Server 253, 355, 356, 400, 405, 417, 419, 421, 422, 424, 426, 427, 489 TCP Maximum Incomplete Server IP...

ZyNOS F/W Version 458, 468 Virtual Private Network Virtual Private Network. See VPN. 119, 179 Active Protocol and NAT and Remote Management Established in Two Phases IKE SA. See IKE SA. IPSec IPSec SA. See IPSec SA. Local Network Manual Keys Proposal...