ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
ZyWALL 10~100 Series Internet Security Gateway

Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.

ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon...

Customer Support
Please have the following information ready when you contact customer support:
• Product model and serial number.
• Information in Menu 24.2.1 – System Information.
Table of Contents
Copyright
Federal Communications Commission (FCC) Interference Statement
Information for Canadian Users
ZyXEL Limited Warranty
Customer Support
List of Diagrams
List of Charts
Preface
Part I: General Information
Chapter 1 Setting up Your Computer's IP Address
...
Index

List of Diagrams
Diagram 2-1 Ideal Setup
Diagram 2-2 "Triangle Route" Problem
Diagram 2-3 IP Alias
Diagram 2-4 Gateways on the WAN Side
Diagram 3-1 Big Picture: Filtering, Firewall, VPN and NAT
Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network
...

List of Charts
Chart 8-1 Classes of IP Addresses
Chart 8-2 Allowed IP Address Range By Class
Chart 8-3 "Natural" Masks
Chart 8-4 Alternative Subnet Mask Notation
Chart 8-5 Subnet 1
Chart 8-6 Subnet 2
...
Chart 13-11 Sample IPSec Logs During Packet Transmission
Chart 13-12 RFC-2408 ISAKMP Payload Types
Chart 13-13 Log Categories and Available Settings
Chart 14-1 Brute-Force Password Guessing Protection Commands
...
Preface
This manual may refer to the ZyWALL 10/10W/50/100 Internet Security Gateway as the ZyWALL. It covers the ZyWALL 10, 10W, 50 and 100 models. Supported features, and the details of those features, vary from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in chapter 1 of the Web Configurator User's Guide to see which features apply to your ZyWALL...

Syntax Conventions
• "Enter" means type one or more characters and press the carriage return. "Select" or "Choose" means use one of the predefined choices.
• SMT menu titles and labels are in bold Times New Roman font.
General Information Part I: General Information This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.
Chapter 1 Setting up Your Computer's IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.

Windows 95/98/Me
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: in the Network window, click Add.
Click the IP Address tab.
- If your IP address is dynamic, select Obtain an IP address automatically.
- If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click the Gateway tab.
- If you do not know your gateway's IP address, remove previously installed gateways.
- If you have a gateway IP address, type it in the New gateway field and click Add.

Windows 2000/NT/XP
For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
Select Internet Protocol (TCP/IP) (under the General tab in Windows XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
- If you have a dynamic IP address, click Obtain an IP address automatically.
- If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add.
In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
- Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
- If you know your DNS server IP address(es),...

Macintosh OS 7 through OS 9
Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
For statically assigned settings, do the following:
- From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your ZyWALL in the Router address box.

Macintosh OS X
Click Network in the icon bar.
- Select Automatic from the Location list.
- Select Built-in Ethernet from the Show list.
- Click the TCP/IP tab.
For dynamically assigned settings, select Using DHCP from the Configure list.
Chapter 2 Triangle Route
The Ideal Setup
When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
Diagram 2-1 Ideal Setup

The "Triangle Route" Problem
Diagram 2-2 "Triangle Route" Problem

The "Triangle Route" Solutions
This section presents two solutions to the "triangle route" problem.

IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces, with the ZyWALL being the gateway for each logical network.
Diagram 2-3 IP Alias

Gateways on the WAN Side
A second solution to the "triangle route" problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
Diagram 2-4 Gateways on the WAN Side
Chapter 3 The Big Picture
The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.
Diagram 3-1 Big Picture: Filtering, Firewall, VPN and NAT
Chapter 4 Wireless LAN and IEEE 802.11
A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without a cabled connection. In effect, a wireless LAN environment gives you the freedom to stay connected to the network while roaming around the coverage area.

IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4835 GHz unlicensed ISM (Industrial, Scientific and Medical) band.

Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network

Infrastructure Wireless LAN Configuration
For infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
...could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points, and seamless campus-wide coverage is possible.
Diagram 4-2 ESS Provides Campus-Wide Coverage
Chapter 5 Wireless LAN With IEEE 802.1x
As wireless networks become popular for both portable computing and corporate networks, security is now a priority.

Security Flaws with IEEE 802.11
Wireless networks based on the original IEEE 802.11 have a poor reputation for security. The IEEE 802.11b wireless access standard, first published in 1999, based access control on the client's MAC address.

Among other things, IEEE 802.1x provides:
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138 and 2139, since superseded by RFC 2865 and 2866) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2284, since superseded by RFC 3748) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
Chapter 6 PPPoE
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure).

How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC, and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
Chapter 7 PPTP
What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637, which documents PPTP, is informational only) for tunneling PPP frames. How can we transport PPP frames from a PC to a broadband...

PPTP Protocol Overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.

Diagram 7-3 Example Message Exchange between PC and an ANT

PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701 and 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
Chapter 8 IP Subnetting
IP Addressing
Routers "route" based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP Classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
A class "B" address (16 host bits) can have 2^16 - 2 or 65534 hosts. A class "A" address (24 host bits) can have 2^24 - 2 hosts (16,777,214, approximately 16 million). Since the first bit of a class "A" IP address must be "0", the first octet of a class "A" address can have a value of 0 to 127.

Subnetting
With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.

Example: Two Subnets
The first three octets of the address make up the network number (class "C"). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address into a network number bit.
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host in the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.

Chart 8-12 Class C Subnet Planning
NO. "BORROWED" HOST BITS   SUBNET MASK               NO. SUBNETS   NO. HOSTS PER SUBNET
1                          255.255.255.128 (/25)     2             126
2                          255.255.255.192 (/26)     4             62
3                          255.255.255.224 (/27)     8             30
4                          255.255.255.240 (/28)     16            14
5                          255.255.255.248 (/29)     32            6
6                          255.255.255.252 (/30)     64            2
7                          255.255.255.254 (/31)     128           0 (2 on point-to-point links, RFC 3021)

Subnetting With Class A and Class B Networks
Chart 8-13 Class B Subnet Planning (rows for 9 to 15 borrowed bits)
NO. "BORROWED" HOST BITS   SUBNET MASK               NO. SUBNETS   NO. HOSTS PER SUBNET
9                          255.255.255.128 (/25)     512           126
10                         255.255.255.192 (/26)     1024          62
11                         255.255.255.224 (/27)     2048          30
12                         255.255.255.240 (/28)     4096          14
13                         255.255.255.248 (/29)     8192          6
14                         255.255.255.252 (/30)     16384         2
15                         255.255.255.254 (/31)     32768         0 (2 on point-to-point links, RFC 3021)
...
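The subnetting arithmetic of this chapter, as an added example in Python (not code from the ZyWALL manual or from ZyXEL): it computes the subnet, directed broadcast address and usable host range for any network and mask, splits a network by borrowing host bits, and regenerates Chart 8-12 (and the class B chart) instead of working the rows by hand. It uses only the standard library ipaddress module. The network 192.168.1.0/24 is the chapter's own example; 172.16.0.0/16 is a constructed class B example.

```python
# Added example: subnet arithmetic for the ZyWALL IP Subnetting chapter.
# Not code from the manual or from ZyXEL; uses only the standard library.
import ipaddress


def mask_to_prefix(mask):
    """Convert a dotted subnet mask such as 255.255.255.192 to its /prefix length."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def subnet_info(cidr):
    """Return (subnet, directed broadcast, first host, last host, usable hosts).

    Uses the chapter's classic 2**host_bits - 2 rule, so a /31 reports no
    usable hosts here (RFC 3021 allows both addresses on point-to-point
    links) and a /32 is a single host route; both come back as 0 usable.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    host_bits = 32 - net.prefixlen
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 0
    first = str(net.network_address + 1) if usable else None
    last = str(net.broadcast_address - 1) if usable else None
    return str(net.network_address), str(net.broadcast_address), first, last, usable


def split_network(cidr, borrowed_bits):
    """Borrow host bits as network bits and return the resulting subnets as strings."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


def planning_table(cidr):
    """Rows of (borrowed bits, mask text, number of subnets, usable hosts per subnet).

    For 192.168.1.0/24 this reproduces Chart 8-12; for a /16 it reproduces
    the class B chart, of which the manual shows the last rows.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    rows = []
    for borrowed in range(1, 31 - net.prefixlen + 1):  # stop at /31
        prefix = net.prefixlen + borrowed
        mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
        host_bits = 32 - prefix
        hosts = 2 ** host_bits - 2 if host_bits >= 2 else 0
        rows.append((borrowed, f"{mask} (/{prefix})", 2 ** borrowed, hosts))
    return rows


if __name__ == "__main__":
    # The chapter's worked example: split 192.168.1.0/24 into two subnets.
    for subnet in split_network("192.168.1.0/24", 1):
        print(subnet, subnet_info(subnet))
    print("Class C planning table:")
    for row in planning_table("192.168.1.0/24"):
        print("  %2d borrowed  %-24s %5d subnets  %4d hosts" % row)
```

Run it and compare the printed rows against Chart 8-12; the first two subnets it prints are the ones derived in the text, with host ranges 192.168.1.1 to 126 and 192.168.1.129 to 254.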
Command and Log Information Part II: Command and Log Information This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs and password protection.
Chapter 9 Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
Chapter 10 Firewall Commands
The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. The chart is not complete; use config display firewall ? on your own unit to list the sub-commands your firmware version supports.

Chart 10-1 Firewall Commands
COMMAND
    DESCRIPTION

config edit firewall active <yes | no>
    Turns the firewall on or off.
config display firewall e-mail
    Shows all of the e-mail settings.
config display firewall ?
    Shows all of the available firewall sub-commands.
config edit firewall e-mail mail-server <ip address of mail server>
    Sets the IP address to which the e-mail...
config edit firewall attack send-alert <yes | no>
    Enables or disables the immediate sending of DoS attack notification e-mail messages.
config edit firewall attack block...
config edit firewall set <set #> name <desired name>
    Sets a name to identify the specified set.
config edit firewall set <set #> default-permit <forward | block>
    Sets whether a packet is dropped or forwarded by default (the set's default policy).
config edit firewall set <set #> rule <rule #> active <yes | no>
    Sets whether a rule is enabled or not.
config edit firewall set <set #>...
config edit firewall set <set #> rule <rule #> destaddr-range <start...
    Sets a rule to have the ZyWALL check for traffic going to this range of addresses.
Chapter 11 NetBIOS Filter Commands
The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure.

Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have a DMZ.

=============== NetBIOS Filter Status ===============
        LAN to WAN:      Forward
        WAN to LAN:      Forward
        IPSec Packets:   ...

Chart 11-1 NetBIOS Filter Default Settings
NAME          DESCRIPTION                                                                          EXAMPLE
WAN to DMZ    This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ.   Forward
DMZ to LAN    This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the LAN.   Forward

Note that the default shown for WAN to LAN is Forward. NetBIOS name, datagram and session traffic arriving from the Internet has no legitimate use on most LANs, so set WAN to LAN to block unless you have a specific reason not to.

<on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection.
Chapter 12 Boot Commands
The BootModule AT commands execute from within the router's bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. Debug mode is entered from the console port before ZyNOS loads, so anyone with physical access to the console at boot time can reach it; keep the unit and its console cable physically secured.

AT           just answer OK
ATHE         print help
ATBAx        change baudrate. 1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k
ATENx,(y)    set BootExtension Debug Flag (y=password)
ATSE         show the seed of password generator
ATTI(h,m,s)  change system time to hour:min:sec or show current time
...
Chapter 13 Log Descriptions

Chart 13-1 System Error Logs
LOG MESSAGE
    DESCRIPTION
%s exceeds the max. ...
    This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

Chart 13-2 System Maintenance Logs
TELNET Login Fail
    Someone has failed to log on to the router via telnet.
FTP Login Successfully
    Someone has logged on to the router via ftp.
FTP Login Fail
    Someone has failed to log on to the router via ftp.
Repeated Login Fail entries in a short period are the signature of the password guessing that the protection in Chapter 14 is designed to stop; review them, not just the successful logins.

Chart 13-5 Attack Logs
attack IGMP
    The firewall detected an IGMP attack.
attack ESP
    The firewall detected an ESP attack.
attack GRE
    The firewall detected a GRE attack.
attack OSPF
    The firewall detected an OSPF attack.
syn flood TCP
    The firewall detected a TCP SYN flood attack.
ports scan TCP
    The firewall detected a TCP port scan attack.
teardrop TCP
    The firewall detected a TCP teardrop attack.

Chart 13-6 Access Logs
Firewall default policy: TCP (set:%d)
    TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration.
Firewall rule match: IGMP (set:%d, rule:%d)
    IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.
Firewall rule match: ESP (set:%d, rule:%d)
    ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.
Firewall rule NOT match: OSPF (set:%d, rule:%d)
    OSPF access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT match: ...
    Access did not match the listed firewall rule and the ZyWALL logged...
Filter match DROP <set %d/rule %d>
    ICMP access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP ...
    Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Firewall sent TCP reset packets
    The firewall sent out TCP reset packets.
Packet without a NAT ...
    The router blocked a packet that did not have a corresponding NAT table entry.

Chart 13-7 ACL Setting Notes
ACL SET NUMBER   DIRECTION            DESCRIPTION
9                DMZ to DMZ/ZyWALL    ACL set 9 for packets traveling from the DMZ to the DMZ or the ZyWALL.

Chart 13-8 ICMP Notes
TYPE   CODE   DESCRIPTION
8      0      Echo message
11            Time Exceeded
       0      Time to live exceeded in transit
       1      Fragment reassembly time exceeded
12            Parameter Problem
       0      Pointer indicates the error
13     0      Timestamp request message
14     0      Timestamp reply message

Sample log of an IKE Main Mode exchange:
Index: Date/Time:        Log:
------------------------------------------------------------
01 Jan 08:02:22 Send Main Mode request to <192.168.100.101>
01 Jan 08:02:22 Send:<SA>
01 Jan 08:02:22 Recv:<SA>
01 Jan 08:02:24 Send:<KE><NONCE>
01 Jan 08:02:24 Recv:<KE><NONCE>
01 Jan 08:02:26 Send:<ID><HASH>
01 Jan 08:02:26 Recv:<ID><HASH>
...

The following table shows sample log messages during IKE key exchange.
Chart 13-10 Sample IKE Key Exchange Logs
Send <Symbol> Mode request to <IP>
    The ZyWALL has started negotiation with the peer.
!! Remote IP <IP start> / <IP end> conflicts
    If the security gateway is "0.0.0.0", the ZyWALL will use the peer's "Local Addr" as its "Remote Addr". If a peer's "Local Addr"...
... vs. My Local <IP address>
    The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router.

The following table shows the RFC 2408 ISAKMP payload types that the log displays. Refer to the RFC for detailed information on each type.
Chart 13-12 RFC-2408 ISAKMP Payload Types
LOG DISPLAY   PAYLOAD TYPE
SA            Security Association
KE            Key Exchange
NONCE         Nonce
ID            Identification
HASH          Hash
...

Log Commands
Go to the command interpreter interface (the Command Interpreter appendix explains how to access and use the commands).

Configuring What You Want the ZyWALL to Log
Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
...
Displaying Logs
Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. Use the sys logs clear command to erase all of the ZyWALL's logs. Clearing is irreversible, so when you are investigating an incident, capture the output of sys logs display (for example through a logged terminal session) before you clear anything.

Log Command Example
This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
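As an added example, not code from the ZyWALL manual or from ZyXEL, the following Python script shows what you would do with the output of sys logs display once it is captured off the box: it classifies lines by the message shapes listed in Charts 13-2, 13-5 and 13-6, tallies which firewall set and rule fired, collects the attack logs, and raises an alert when several management login failures fall inside a short window (the pattern that Chapter 14's brute-force protection targets). The line layout "DD Mon HH:MM:SS message" is an assumption patterned on the IKE sample in this chapter, and SAMPLE_LOG is constructed for the example, not a real capture.

```python
# Added example: a small analyzer for ZyWALL log lines of the kinds listed in
# this chapter. Not code from the manual or from ZyXEL. The line layout
# "DD Mon HH:MM:SS message" is an assumption patterned on the IKE sample in
# this chapter, and SAMPLE_LOG is constructed, not a real capture.
import re
from collections import Counter
from datetime import datetime, timedelta

# Timestamp and message, as in "01 Jan 08:02:22 Send:<SA>" (assumed layout).
LINE_RE = re.compile(r"^(?P<ts>\d{2} [A-Za-z]{3} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

# Message shapes taken from Charts 13-2, 13-5 and 13-6.
LOGIN_FAIL_RE = re.compile(r"^(?P<svc>\w+) Login Fail$")
ATTACK_RE = re.compile(r"^(?:attack \w+|(?:syn flood|ports scan|teardrop) \w+)$")
RULE_MATCH_RE = re.compile(
    r"^Firewall rule match: (?P<proto>\w+) \(set:(?P<set>\d+), rule:(?P<rule>\d+)\)$")
DEFAULT_POLICY_RE = re.compile(r"^Firewall default policy: (?P<proto>\w+) \(set:(?P<set>\d+)\)$")
FILTER_DROP_RE = re.compile(r"^Filter match DROP <set (?P<set>\d+)/rule (?P<rule>\d+)>$")


def parse_line(line):
    """Return (timestamp, message) or None for header and separator lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%d %b %H:%M:%S"), m["msg"]


def classify(msg):
    """Map a log message to one of the chapter's log categories."""
    if LOGIN_FAIL_RE.match(msg):
        return "login_fail"
    if ATTACK_RE.match(msg):
        return "attack"
    if RULE_MATCH_RE.match(msg):
        return "rule_match"
    if DEFAULT_POLICY_RE.match(msg):
        return "default_policy"
    if FILTER_DROP_RE.match(msg):
        return "filter_drop"
    return "other"


def analyze(lines, fail_threshold=3, window=timedelta(seconds=60)):
    """Count categories, tally (set, rule, proto) hits, collect attack logs and
    raise an alert when fail_threshold login failures fall inside window."""
    counts, rule_hits = Counter(), Counter()
    attacks, alerts, recent_fails = [], [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            counts["unparsed"] += 1
            continue
        ts, msg = parsed
        kind = classify(msg)
        counts[kind] += 1
        if kind == "rule_match":
            m = RULE_MATCH_RE.match(msg)
            rule_hits[(int(m["set"]), int(m["rule"]), m["proto"])] += 1
        elif kind == "attack":
            attacks.append((ts.strftime("%d %b %H:%M:%S"), msg))
        elif kind == "login_fail":
            # Sliding window over management login failures (telnet, ftp).
            recent_fails = [t for t in recent_fails if ts - t <= window] + [ts]
            if len(recent_fails) >= fail_threshold:
                alerts.append("%d login failures within %ds ending %s" % (
                    len(recent_fails), window.total_seconds(), ts.strftime("%d %b %H:%M:%S")))
                recent_fails = []
    return {"counts": counts, "rule_hits": rule_hits, "attacks": attacks, "alerts": alerts}


# Constructed sample in the assumed layout; the messages follow the charts above.
SAMPLE_LOG = """\
Index: Date/Time: Log:
------------------------------------------------------------
01 Jan 08:02:22 Firewall rule match: TCP (set:1, rule:3)
01 Jan 08:02:23 Firewall rule match: TCP (set:1, rule:3)
01 Jan 08:02:25 Firewall default policy: UDP (set:2)
01 Jan 08:02:30 TELNET Login Fail
01 Jan 08:02:41 TELNET Login Fail
01 Jan 08:02:52 FTP Login Fail
01 Jan 08:03:10 syn flood TCP
01 Jan 08:03:11 ports scan TCP
01 Jan 08:03:15 Filter match DROP <set 2/rule 1>
01 Jan 08:03:20 FTP Login Successfully
""".splitlines()

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(dict(result["counts"]))
    print(dict(result["rule_hits"]))
    print(result["attacks"])
    print(result["alerts"])
```

The timestamps in these logs carry no year, so the window comparison is only meaningful within a capture taken in one sitting; set fail_threshold and window to match whatever lockout values you configure with the Chapter 14 commands, so that the offline check and the on-box protection agree.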
Chapter 14 Brute-Force Password Guessing Protection
The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.
Page 91
Command and Log Information Part II: Command and Log Information This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs and password protection.
Page 93
ZyWALL 10~100 Series Internet Security Gateway Chapter 9 Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
Page 95
ZyWALL 10~100 Series Internet Security Gateway Chapter 10 Firewall Commands The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall active <yes | This command turns the firewall on or off.
Page 96
ZyWALL 10~100 Series Internet Security Gateway Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config display firewall e-mail This command shows all of the e-mail settings. config display firewall ? This command shows all of the available firewall sub commands. config edit firewall e-mail mail- This command sets the IP address to which the e- server <ip address of mail server>...
Page 97
ZyWALL 10~100 Series Internet Security Gateway Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall attack send- This command enables or disables the immediate alert <yes | no> sending of DOS attack notification e-mail messages. config edit firewall attack block...
Page 98
ZyWALL 10~100 Series Internet Security Gateway Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall set <set #> This command sets a name to identify a specified name <desired name> set. Config edit firewall set <set #> This command sets whether a packet is dropped or default-permit <forward | block>...
Page 99
ZyWALL 10~100 Series Internet Security Gateway Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Config edit firewall set <set #> This command sets whether a rule is enabled or rule <rule #> active <yes | no> not. Config edit firewall set <set #>...
Page 100
ZyWALL 10~100 Series Internet Security Gateway Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firewall set <set #> This command sets a rule to have the ZyWALL rule <rule #> destaddr-range <start check for traffic going to this range of addresses.
ZyWALL 10~100 Series Internet Security Gateway Chapter 11 NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
Page 102
ZyWALL 10~100 Series Internet Security Gateway This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ. =============== NetBIOS Filter Status =============== LAN to WAN: Forward WAN to LAN: Forward IPSec Packets:...
Page 103
ZyWALL 10~100 Series Internet Security Gateway Chart 11-1 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE WAN to DMZ This field displays whether NetBIOS packets are blocked or forwarded Forward from the WAN to the DMZ. DMZ to LAN This field displays whether NetBIOS packets are blocked or forwarded Forward from the DMZ to the LAN.
Page 104
ZyWALL 10~100 Series Internet Security Gateway <on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection.
Page 105
ZyWALL 10~100 Series Internet Security Gateway Chapter 12 Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
Page 106
ZyWALL 10~100 Series Internet Security Gateway just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show current time...
Page 107
ZyWALL 10~100 Series Internet Security Gateway Chapter 13 Log Descriptions Chart 13-1 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max. This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
Page 108
ZyWALL 10~100 Series Internet Security Gateway Chart 13-2 System Maintenance Logs TELNET Login Fail Someone has failed to log on to the router via telnet. FTP Login Someone has logged on to the router via ftp. Successfully FTP Login Fail Someone has failed to log on to the router via ftp.
Page 109
ZyWALL 10~100 Series Internet Security Gateway Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION attack IGMP The firewall detected an IGMP attack. attack ESP The firewall detected an ESP attack. attack GRE The firewall detected a GRE attack. attack OSPF The firewall detected an OSPF attack.
Page 110
ZyWALL 10~100 Series Internet Security Gateway Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION syn flood TCP The firewall detected a TCP syn flood attack. ports scan TCP The firewall detected a TCP port scan attack. teardrop TCP The firewall detected a TCP teardrop attack.
Page 111
ZyWALL 10~100 Series Internet Security Gateway Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall default TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s policy: TCP (set:%d) configuration.
Page 112
ZyWALL 10~100 Series Internet Security Gateway Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall rule match: IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration. IGMP (set:%d, rule:%d) Firewall rule match: ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
Page 113
Chart 13-6 Access Logs
LOG MESSAGE                                       DESCRIPTION
Firewall rule NOT match: OSPF (set:%d, rule:%d)   OSPF access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT                                 Access did not match the listed firewall rule and the ZyWALL logged...
Chart 13-6 Access Logs
LOG MESSAGE                           DESCRIPTION
Filter match DROP <set %d/rule %d>    ICMP access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP                     Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Chart 13-6 Access Logs
LOG MESSAGE                        DESCRIPTION
Firewall sent TCP reset packets    The firewall sent out TCP reset packets.
Packet without a NAT               The router blocked a packet that did not have a corresponding NAT table entry.
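The charts above give the message text of each log, with printf-style %s/%d placeholders for the host, ACL set and rule numbers. A practitioner collecting these logs usually wants them turned into structured events so that attack logs can be alerted on and firewall rule hits can be counted for rule hygiene. The following parser is an added example, not ZyXEL code and not part of this manual; it assumes that each displayed line starts with the "DD Mon HH:MM:SS" stamp shown in the sample IKE log later in this chapter, that the message text appears exactly as the charts list it (the "Packet without a NAT" entry is truncated in Chart 13-6, so only its visible prefix is matched), and the sample lines fed to it are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message texts as listed in Charts 13-1, 13-5 and 13-6; the manual's %s/%d
# placeholders become named capture groups. The first matching pattern wins.
MESSAGE_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("attack", re.compile(r"^(?P<kind>attack|syn flood|ports scan|teardrop) (?P<proto>[A-Z]+)$")),
    ("access", re.compile(r"^(?P<kind>Firewall default policy): (?P<proto>[A-Z]+) \(set:(?P<set>\d+)\)$")),
    ("access", re.compile(r"^(?P<kind>Firewall rule (?:NOT )?match): (?P<proto>[A-Z]+) "
                          r"\(set:(?P<set>\d+), rule:(?P<rule>\d+)\)$")),
    ("access", re.compile(r"^(?P<kind>Filter match DROP) <set (?P<set>\d+)/rule (?P<rule>\d+)>$")),
    ("access", re.compile(r"^(?P<kind>Firewall sent TCP reset packets)$")),
    # Chart 13-6 truncates this message; only the visible prefix is matched (assumption).
    ("access", re.compile(r"^(?P<kind>Packet without a NAT)")),
    ("error",  re.compile(r"^(?P<host>\S+) (?P<kind>exceeds the max\.)$")),
]

# Assumption: every displayed line carries the "DD Mon HH:MM:SS" stamp seen in
# the sample IKE log of this chapter.
TIMESTAMP = re.compile(r"^(?P<ts>\d{2} [A-Z][a-z]{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")


@dataclass
class LogEvent:
    timestamp: str
    category: str                 # "attack", "access", "error" or "unknown"
    kind: str                     # message family, e.g. "syn flood" or "Firewall rule match"
    proto: Optional[str] = None
    acl_set: Optional[int] = None
    rule: Optional[int] = None


def parse_line(line: str) -> LogEvent:
    """Turn one displayed log line into a LogEvent; unrecognised text is kept as 'unknown'."""
    m = TIMESTAMP.match(line.strip())
    if not m:
        raise ValueError(f"line has no timestamp prefix: {line!r}")
    ts, msg = m.group("ts"), m.group("msg")
    for category, pattern in MESSAGE_PATTERNS:
        hit = pattern.match(msg)
        if hit:
            g = hit.groupdict()
            return LogEvent(
                timestamp=ts, category=category, kind=g["kind"],
                proto=g.get("proto"),
                acl_set=int(g["set"]) if g.get("set") else None,
                rule=int(g["rule"]) if g.get("rule") else None,
            )
    return LogEvent(timestamp=ts, category="unknown", kind=msg)


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per category; the 'attack' bucket is what an operator alerts on."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        counts[ev.category] = counts.get(ev.category, 0) + 1
    return counts


def firewall_rules_matched(lines: List[str]) -> List[Tuple[int, int]]:
    """Sorted (set, rule) pairs that actually fired; rules never seen here are review candidates."""
    hits = {(ev.acl_set, ev.rule)
            for ev in map(parse_line, lines)
            if ev.kind == "Firewall rule match"}
    return sorted(hits)


# Constructed sample output in the chart's message formats (not captured from a device).
SAMPLE_LOG = """\
01 Jan 08:02:22 syn flood TCP
01 Jan 08:02:23 ports scan TCP
01 Jan 08:02:25 Firewall rule match: IGMP (set:9, rule:3)
01 Jan 08:02:26 Firewall rule NOT match: OSPF (set:2, rule:1)
01 Jan 08:02:27 Filter match DROP <set 1/rule 4>
01 Jan 08:02:28 Firewall default policy: TCP (set:5)
01 Jan 08:02:30 Firewall sent TCP reset packets
01 Jan 08:02:31 192.168.1.33 exceeds the max.
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))                 # {'attack': 2, 'access': 5, 'error': 1}
    print(firewall_rules_matched(SAMPLE_LOG))    # [(9, 3)]
```

Note that "Firewall rule NOT match" events are deliberately excluded from `firewall_rules_matched`: per Chart 13-6 they record traffic the rule did not cover, so counting them as hits would overstate rule usage.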
Chart 13-7 ACL Setting Notes
ACL SET NUMBER   DIRECTION           DESCRIPTION
9                DMZ to DMZ/ZyWALL   ACL set 9 for packets traveling from the DMZ to the DMZ or the ZyWALL.

Chart 13-8 ICMP Notes
TYPE CODE...
Chart 13-8 ICMP Notes
TYPE   CODE   DESCRIPTION
              Echo message
              Time Exceeded
              Time to live exceeded in transit
              Fragment reassembly time exceeded
              Parameter Problem
              Pointer indicates the error
              Timestamp
              Timestamp request message
              Timestamp Reply
              Timestamp reply message...
Index:  Date/Time:       Log:
------------------------------------------------------------
        01 Jan 08:02:22  Send Main Mode request to <192.168.100.101>
        01 Jan 08:02:22  Send:<SA>
        01 Jan 08:02:22  Recv:<SA>
        01 Jan 08:02:24  Send:<KE><NONCE>
        01 Jan 08:02:24  Recv:<KE><NONCE>
        01 Jan 08:02:26  Send:<ID><HASH>
        01 Jan 08:02:26  Recv:<ID><HASH>
        ...
The following table shows sample log messages during IKE key exchange.

Chart 13-10 Sample IKE Key Exchange Logs
LOG MESSAGE                             DESCRIPTION
Send <Symbol> Mode request to <IP>      The ZyWALL has started negotiation with the peer.
Chart 13-10 Sample IKE Key Exchange Logs
LOG MESSAGE                                    DESCRIPTION
!! Remote IP <IP start> / <IP end> conflicts   If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr”...
Chart 13-10 Sample IKE Key Exchange Logs
LOG MESSAGE                     DESCRIPTION
vs. My Local <IP address>       The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router.
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Chart 13-12 RFC-2408 ISAKMP Payload Types
LOG DISPLAY   PAYLOAD TYPE
              Security Association...
Log Commands

Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).

Configuring What You Want the ZyWALL to Log

Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category.

Use the sys logs clear command to erase all of the ZyWALL’s logs.

Log Command Example

This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
Chapter 14 Brute-Force Password Guessing Protection

The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.
Part III: Index

This part provides an Index of key terms.
Index

Ad-hoc Configuration ........ 4-2
Alternative Subnet Mask Notation .... 8-3
Basic Service Set .......... 4-2
Big Picture ............ 3-1
DSSS .. See Direct Sequence Spread Spectrum
e.g. ........ See Syntax Conventions
Encapsulation
  PPP over Ethernet ........ 6-1
Enter .......
Infrastructure Configuration ...... 4-3
IP Addressing .......... 8-1
  IP Classes ............ 8-1
  Subnet Masks ........... 8-2
Log Descriptions .......... 13-1
Network Topology With RADIUS Server Example ............
Select ...... See Syntax Conventions
Service .............. v
Subnetting ............ 8-2
Support Disk ............ xii
Syntax Conventions .......... xiii