ZyXEL Communications ZyWALL 10 User Manual

Internet security gateway

ZyWALL 10
Internet Security Gateway
User's Guide
Version 3.20
November 2000



Summary of Contents for ZyXEL Communications ZyWALL 10

  • Page 1 ZyWALL 10 Internet Security Gateway User’s Guide Version 3.20 November 2000...
  • Page 2 ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 ZyWALL 10 Internet Security Gateway Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4 ZyWALL 10 Internet Security Gateway Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
  • Page 5: Declaration Of Conformity

    ZyWALL 10 Internet Security Gateway Declaration of Conformity We, the Manufacturer/Importer, ZyXEL Communications Corp. No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.C declare that the product ZyWALL 10 is in conformity with (reference to the specification under which conformity is declared)
  • Page 6 ZyWALL 10 Internet Security Gateway CE Doc...
  • Page 7: Zyxel Limited Warranty

    ZyWALL 10 Internet Security Gateway ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon...
  • Page 8: Customer Support

    ZyWALL 10 Internet Security Gateway Customer Support When you contact your customer support representative please have the following information ready: ♦ Prestige Model and serial number. ♦ Information in Menu 24.2.1 –System Information. ♦ Warranty Information. ♦ Date you received your Prestige.
  • Page 9: Table Of Contents

    List of Tables (xxiii); Preface (xxvii); Part I Getting Started; Chapter 1 Getting to Know Your ZyWALL (1-1): The ZyWALL 10 Internet Security Gateway (1-1); Features of The ZyWALL 10 (1-1); Applications for ZyWALL 10 (1-3); 1.3.1 Broadband Internet Access via Cable or xDSL Modem...
  • Page 10 ZyWALL 10 Internet Security Gateway TCP/IP and DHCP for LAN (3-1); 3.1.1 Factory LAN Defaults (3-1); 3.1.2 IP Address and Subnet Mask (3-1); 3.1.3 Private IP Addresses (3-2); 3.1.4 RIP Setup (3-2); 3.1.5 DHCP Configuration (3-3); 3.1.6 IP Multicast (3-3); 3.1.7 IP Alias (3-4); TCP/IP and DHCP Ethernet Setup (3-4)...
  • Page 11 ZyWALL 10 Internet Security Gateway 6.1.6 NAT Application (6-4); SMT Menus (6-5); 6.2.1 Applying NAT in the SMT Menus (6-5); 6.2.2 Configuring NAT (6-6); 6.2.3 Address Mapping Sets and NAT Server Sets (6-7); NAT Server Sets (6-12); 6.3.1...
  • Page 12 ZyWALL 10 Internet Security Gateway System Information and Console Port Speed (9-4); 9.2.1 System Information (9-4); 9.2.2 Console Port Speed (9-5); Log and Trace (9-5); 9.3.1 Viewing Error Log (9-6); 9.3.2 UNIX Syslog (9-6); 9.3.3 Call-Triggering Packet (9-10); Diagnostic (9-10); 9.4.1 WAN DHCP (9-11); Chapter 10 Transferring Files (10-1)...
  • Page 13 ZyWALL 10 Internet Security Gateway 12.3 Telnet Capabilities (12-1); 12.3.1 Single Administrator (12-1); 12.3.2 System Timeout (12-2); 12.4 Telnet Under the Firewall (12-2); Part IV Firewall and Content Filters; Chapter 13 What is a Firewall? (13-1); 13.1 Types of Firewalls (13-1); 13.1.1...
  • Page 14 ZyWALL 10 Internet Security Gateway 15.3.1 What are Alerts? (15-3); 15.3.2 What are Logs? (15-4); 15.3.3 SMTP Error Messages (15-6); 15.3.4 Example E-Mail Log (15-6); 15.4 Attack Alert (15-7); 15.4.1 Threshold Values (15-8); 15.4.2 Half-Open Sessions (15-8); Chapter 16 Creating Custom Rules (16-1); 16.1...
  • Page 15 ZyWALL 10 Internet Security Gateway 20.1 Restrict Web Features (20-1); 20.1.1 ActiveX (20-1); 20.1.2 Java (20-1); 20.1.3 Cookies (20-2); 20.1.4 Web Proxy (20-2); 20.2 Blocking URLs (20-2); 20.3 Content Filtering Using the Web Configurator (20-2); Part V Troubleshooting, Appendices, Glossary and Index; Chapter 21 Troubleshooting...
  • Page 16: List Of Figures

    Figure 1-1 Secure Internet Access via Cable (1-3); Figure 1-2 Secure Internet Access via DSL (1-4); Figure 2-1 Front Panel (2-1); Figure 2-2 ZyWALL 10 Rear Panel and Connections (2-2); Figure 2-3 Initial Screen (2-4); Figure 2-4 Password Screen (2-4); Figure 2-5 ZyWALL 10 Main Menu (2-6); Figure 2-6 Menu 23 - System Security (2-7)...
  • Page 17 ZyWALL 10 Internet Security Gateway Figure 4-5 Remote Node Network Layer Options (4-8); Figure 4-6 Remote Node Filter (Ethernet Encapsulation) (4-10); Figure 4-7 Remote Node Filter (PPPoE or PPTP Encapsulation) (4-10); Figure 5-1 Example of Static Routing Topology (5-1); Figure 5-2 Menu 12 - IP Static Route Setup...
  • Page 18 ZyWALL 10 Internet Security Gateway Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule (6-21); Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules (6-21); Figure 7-1 Outgoing Packet Filtering Process (7-1); Figure 7-2 Filter Rule Process (7-3); Figure 7-4 Menu 21 - Filter and Firewall Setup (7-4)...
  • Page 19 ZyWALL 10 Internet Security Gateway Figure 9-9 Call-Triggering Packet Example (9-10); Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic (9-11); Figure 9-11 WAN & LAN DHCP (9-12); Figure 10-1 Menu 24.5 - System Maintenance - Backup Configuration (10-2); Figure 10-2 Menu 24.6 - System Maintenance - Restore Configuration...
  • Page 20 ZyWALL 10 Internet Security Gateway Figure 14-2 Menu 21 - Filter and Firewall Setup (14-1); Figure 14-3 Menu 21.2 - Firewall Setup (14-2); Figure 14-4 View Firewall Log (14-4); Figure 14-5 Big Picture - Filtering, Firewall and NAT (14-6); Figure 15-1 Login screen as seen in Netscape (15-1); Figure 15-2 ZyWALL Web Configurator Welcome Screen (15-2)...
  • Page 21 ZyWALL 10 Internet Security Gateway Figure 19-9 Example 2 - Local Network Rule Summary (19-10); Figure 19-10 Example 2 - Internet to Local Network Rule Summary (19-11); Figure 19-11 Custom Port for Syslog (19-12); Figure 19-12 Syslog Rule Configuration (19-13); Figure 19-13 Example 3 Rule Summary...
  • Page 23: List Of Tables

    ZyWALL 10 Internet Security Gateway List of Tables: Table 2-1 LED functions (2-1); Table 2-2 Main Menu Commands (2-5); Table 2-3 Main Menu Summary (2-6); Table 2-4 General Setup Menu Field (2-9); Table 2-5 Configure Dynamic DNS Menu Fields (2-10); Table 2-6 WAN Setup Menu Fields...
  • Page 24 ZyWALL 10 Internet Security Gateway Table 7-2 Abbreviations Used If Filter Type Is IP (7-7); Table 7-3 Abbreviations Used If Filter Type Is GEN (7-7); Table 7-4 TCP/IP Filter Rule Menu Fields (7-8); Table 7-5 Generic Filter Rule Menu Fields (7-13); Table 8-1 SNMP Configuration Menu Fields (8-2); Table 9-1 System Maintenance - Status Menu Fields (9-3)...
  • Page 25 ZyWALL 10 Internet Security Gateway Table 16-5 Timeout Menu (16-13); Table 17-1 Custom Ports (17-2); Table 17-2 Creating/Editing A Custom Port (17-4); Table 18-1 Log Screen (18-2); Table 20-1 Content Filtering Fields (20-3); Table 21-1 Troubleshooting the Start-Up of your ZyWALL (21-1); Table 21-2 Troubleshooting the LAN Interface...
  • Page 27: Preface

    Note: You can configure all features of the ZyWALL 10 via SMT but we recommend you configure the firewall using the ZyWALL Web Configurator. About This User's Manual This manual is designed to guide you through the SMT configuration of your ZyWALL 10 for its various applications. Structure of this Manual This manual is structured as follows: Part I.
  • Page 28: Related Documentation

    ZyWALL 10 Internet Security Gateway Regardless of your particular application, it is important that you follow the steps outlined in Chapters 1-2 to connect your ZyWALL to your LAN. You can then refer to the appropriate chapters of the manual, depending on your applications.
  • Page 29: Getting Started

    Getting Started Part I: Getting Started Chapters 1-3 are structured as a step-by-step guide to help you connect, install and set up your ZyWALL to operate on your network and access the Internet.
  • Page 31: Chapter 1 Getting To Know Your Zywall

    This chapter introduces the main features and applications of the ZyWALL. The ZyWALL 10 Internet Security Gateway The ZyWALL 10 is a dual Ethernet Internet Security Gateway integrated with a robust firewall and network management features designed for home offices and small businesses to access the Internet via Cable/ADSL modem or Internet router.
  • Page 32 ZyWALL 10 Internet Security Gateway Dynamic DNS Support With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS client to use this service.
  • Page 33: Applications For Zywall 10

    1.3.1 Broadband Internet Access via Cable or xDSL Modem A cable modem or xDSL modem can connect to the ZyWALL 10 for broadband Internet access via the Ethernet port on the modem. It provides not only high speed Internet access but secured internal network protection and management as well.
  • Page 34: Figure 1-2 Secure Internet Access Via Dsl

    ZyWALL 10 Internet Security Gateway Figure 1-2 Secure Internet Access via DSL You can also use your xDSL modem in the bridge mode for always-on Internet access and high speed data transfer. Getting to Know Your ZyWALL...
  • Page 35: Chapter 2 Hardware Installation & Initial Setup

    ZyWALL 10 Internet Security Gateway Chapter 2 Hardware Installation & Initial Setup This chapter shows you how to connect the hardware and perform the initial setup. Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the front panel indicate the operational status of the ZyWALL.
  • Page 36: Zywall 10 Rear Panel And Connections

    Figure 2-2 ZyWALL 10 Rear Panel and Connections This section outlines how to connect your ZyWALL 10 to the LAN and the WAN. In the case of connecting a Cable Modem you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the cable modem.
  • Page 37: Additional Installation Requirements

    ZyWALL 10 Internet Security Gateway Step 1. Connecting the Console Port For the initial configuration of your ZyWALL, you need to use terminal emulator software on a workstation and connect it to the ZyWALL through the console port. Connect the 9-pin end of the console cable to the console port of the ZyWALL and the other end (choice of 9-pin or 25-pin, depending on your computer) to a serial port (COM1, COM2 or other COM port) of your workstation.
  • Page 38: Power Up Your Zywall

    After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown. Copyright (c) 1994 - 2000 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 39: Navigating The Smt Interface

    Exit the SMT: Type 99 at the Main Menu prompt and press [ENTER] to exit the SMT interface. 2.5.1 Main Menu After you enter the password, the SMT displays the ZyWALL 10 Main Menu, as shown below. Hardware Installation & Initial Setup...
  • Page 40: System Management Terminal Interface Summary

    ZyWALL 10 Internet Security Gateway Copyright (c) 1994 - 2000 ZyXEL Communications Corp. ZyWALL 10 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. WAN Setup 22. SNMP Configuration 3. LAN Setup 23. System Password 4.
  • Page 41: Changing The System Password

    ZyWALL 10 Internet Security Gateway Changing the System Password The first thing you should do before anything else is to change the default system password by following the steps below. Step 1. Enter 23 in the Main Menu to open Menu 23 - System Password as shown below.
  • Page 42: Dynamic Dns

    ZyWALL 10 Internet Security Gateway propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual machine, the domain name can be assigned from the ZyWALL via DHCP.
  • Page 43: Configuring Dynamic Dns

    ZyWALL 10 Internet Security Gateway Table 2-4 General Setup Menu Field. Field: System Name. Description: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Example: ZyWALL 10.
  • Page 44: Wan Setup

    ZyWALL 10 Internet Security Gateway Table 2-5 Configure Dynamic DNS Menu Fields. Service Provider: Enter the name of your Dynamic DNS client (example: www.ddns.org). Active: Press [SPACE BAR] to toggle between Yes or No. Host: Enter the domain name assigned to your ZyWALL by your Dynamic DNS provider (example: me.ddns.org).
  • Page 45: Lan Setup

    ZyWALL 10 Internet Security Gateway Menu 2 - WAN Setup MAC Address: Assigned By=IP address attached on LAN IP Address= 192.168.1.12 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle Figure 2-9 Menu 2 - WAN Setup The MAC address field allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a workstation on your LAN.
  • Page 46: Lan Port Filter Setup

    ZyWALL 10 Internet Security Gateway Menu 3 - LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: Figure 2-10 Menu 3 - LAN Setup 2.9.1 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • Page 47: Chapter 3 Internet Access

    ZyWALL 10 Internet Security Gateway Chapter 3 Internet Access This chapter shows you how to configure the LAN as well as the WAN of your ZyWALL for Internet access. TCP/IP and DHCP for LAN The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 48: Private Ip Addresses

    ZyWALL 10 Internet Security Gateway The subnet mask specifies the network number portion of an IP address. Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered. You don’t need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise.
  • Page 49: Dhcp Configuration

    ZyWALL 10 Internet Security Gateway 3.1.5 DHCP Configuration DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows the individual clients (workstations) to obtain the TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients.
  • Page 50: Ip Alias

    ZyWALL 10 Internet Security Gateway The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
  • Page 51: Figure 3-3 Menu 3 - Lan Setup (10/100 Mbps Ethernet)

    ZyWALL 10 Internet Security Gateway Menu 3 – LAN Setup LAN Port Filter Setup TCP/IP and DHCP Setup Enter Menu Selection Number: Figure 3-3 Menu 3 - LAN Setup (10/100 Mbps Ethernet) To edit the TCP/IP and DHCP configuration, enter 2 to open Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next.
  • Page 52: Table 3-1 Lan Dhcp Setup Menu Fields

    ZyWALL 10 Internet Security Gateway Follow the instructions in the following table on how to configure the DHCP fields. Table 3-1 LAN DHCP Setup Menu Fields Field Description Example This field enables/disables the DHCP server. If it is set to Server,...
  • Page 53: Ip Alias Setup

    ZyWALL 10 Internet Security Gateway Field: Edit IP Alias. Description: The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Press the space bar to toggle No to Yes, then press [ENTER] to bring you to menu 3.2.1... Example: No (default).
  • Page 54: Internet Access Setup

    ZyWALL 10 Internet Security Gateway RIP Direction: Press the space bar to select the RIP direction from None, Both/In Only/Out Only (example: None). Version: Press the space bar to select the RIP version from RIP-1/RIP-2B/RIP-2M (example: RIP-1). Incoming Protocol Filters: Enter the filter set(s) you wish to apply to the incoming traffic between this node and the ZyWALL.
  • Page 55: Pptp Encapsulation

    Virtual Private Network (VPN) using TCP/IP-based networks PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL 10 supports only one PPTP server connection at any given time. Internet Access...
  • Page 56: Configuring The Pptp Client

    ZyWALL 10 Internet Security Gateway 3.3.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring the User Name and Password for PPP connection, press [SPACE BAR] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option.
  • Page 57: Figure 3-8 Internet Access Setup (Pppoe)

    By implementing PPPoE directly on the ZyWALL 10 rather than on individual PCs, the machines on the LAN do not need PPPoE software installed, since the 312 does that part of the task. Further, with NAT, all of the LAN’s machines will have access.
  • Page 58: Basic Setup Complete

    ZyWALL 10 Internet Security Gateway Table 3-6 New Fields in Menu 4 (PPPoE) screen Field Description Examples Encapsulation Press the [SPACE BAR] and then press [ENTER] to choose PPPoE. PPPoE The encapsulation method influences your choices for IP Address. Service Name Enter the PPPoE service name provided to you.
  • Page 59: Advanced Applications

    Advanced Applications Part II: Advanced Applications Advanced Applications (Chapters 4 - 6) describes the advanced applications of your ZyWALL. Applications discussed include Remote Node Setup, IP Static routes and NAT.
  • Page 60: Chapter 4 Remote Node Setup

    ZyWALL 10 Internet Security Gateway Chapter 4 Remote Node Setup This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use Menu 4 to set up Internet access, you are actually configuring a remote node.
  • Page 61 IP address here. Route This field refers to the protocol that will be routed by your ZyWALL – IP only for the ZyWALL 10. Edit IP This field leads to a “hidden” menu. Press the [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3 - Remote Node Network Layer Options.
  • Page 62: Pppoe Encapsulation

    ZyWALL 10 Internet Security Gateway 4.1.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with an xDSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE.
  • Page 63: Pptp Encapsulation

    ZyWALL 10 Internet Security Gateway Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific). Authen: This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when requested by this remote node. Example: CHAP/PAP.
  • Page 64: Figure 4-3 Remote Node Profile For Pptp Encapsulation

    ZyWALL 10 Internet Security Gateway Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules=...
  • Page 65: Editing Tcp/Ip Options (With Ethernet Encapsulation)

    ZyWALL 10 Internet Security Gateway Editing TCP/IP Options (with Ethernet Encapsulation) Move the cursor to the Edit IP field in Menu 11.1, then press the [SPACE BAR] to toggle and set the value to Yes. Press [Enter] to open Menu 11.3 - Network Layer Options.
  • Page 66: Editing Tcp/Ip Options (With Pptp Encapsulation)

    ZyWALL 10 Internet Security Gateway (Field / Description / Example) ...between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts.
  • Page 67: Figure 4-5 Remote Node Network Layer Options

    ZyWALL 10 Internet Security Gateway Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Address= N/A Rem Subnet Mask= N/A My WAN Addr= 0.0.0.0 Network Address Translation= Full Feature Metric= 1 Private= No RIP Direction= None...
  • Page 68: Editing Tcp/Ip Options (With Pppoe Encapsulation)

    ZyWALL 10 Internet Security Gateway ...between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. Example: Yes/No.
  • Page 69: Figure 4-6 Remote Node Filter (Ethernet Encapsulation)

    ZyWALL 10 Internet Security Gateway Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= 1 device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 4-6 Remote Node Filter (Ethernet Encapsulation) Menu 11.5 - Remote Node Filter...
  • Page 70: Chapter 5 Ip Static Route Setup

    ZyWALL 10 Internet Security Gateway Chapter 5 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN.
  • Page 71: Figure 5-2 Menu 12 - Ip Static Route Setup

    ZyWALL 10 Internet Security Gateway IP Static Route Setup You configure IP static routes in Menu 12.1, by selecting one of the IP static routes as shown below. Enter 12 from the Main Menu. Menu 12 - IP Static Route Setup 1.
  • Page 72: Table 5-1 Ip Static Route Menu Fields

    ZyWALL 10 Internet Security Gateway Table 5-1 IP Static Route Menu Fields Field Description Route # This is the index number of the static route that you chose in Menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only.
  • Page 74: Chapter 6 Network Address Translation (Nat)

    ZyWALL 10 Internet Security Gateway Chapter 6 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within one network to a different IP address...
  • Page 75: How Nat Works

    TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyWALL 10 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following diagram illustrates this.
  • Page 76: Sua (Single User Account) Versus Nat

    ZyWALL 10 Internet Security Gateway Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers).
  • Page 77: Nat Application

    ZyWALL 10 Internet Security Gateway remote node basis. They are reusable, but only one set is allowed for each remote node. The ZyWALL 10 supports 2 sets since there is only one remote node. The second set (SUA Only option in Menu 15.1) is a convenient, pre-configured, read only Many-to-1 port mapping set, sufficient for most purposes (see section 6.4 for some examples) and helpful to people already familiar with SUA in previous ZyNOS versions.
  • Page 78: Smt Menus

    ZyWALL 10 Internet Security Gateway SMT Menus 6.2.1 Applying NAT in the SMT Menus You apply NAT via menus 4 or 11.3 as displayed next. The next figure shows how you apply NAT for Internet access in Menu 4. Enter 4 from the Main Menu to go to Menu 4 - Internet Access Setup.
  • Page 79: Configuring Nat

    ZyWALL 10 Internet Security Gateway The following table describes the options for Network Address Translation. Table 6-3 Applying NAT in Menus 4 & 11.3. Field: Network Address Translation. Option: Full Feature. Description: When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1 –...
  • Page 80: Address Mapping Sets And Nat Server Sets

    The NAT Server set is a list of LAN side servers mapped to external ports. To use this set (one set for the ZyWALL 10), a server rule must be set up inside the NAT Address Mapping set. Please see section 6.3 for further information on these menus.
  • Page 81: Figure 6-7 Sua Address Mapping Rules

    ZyWALL 10 Internet Security Gateway Let’s look first at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers (see section 6.1.5). The fields in this menu cannot be changed. Entering 255 brings up this screen. Menu 15.1.255 - Address Mapping Rules...
  • Page 82: Table 6-4 Sua Address Mapping Rules

    ZyWALL 10 Internet Security Gateway Table 6-4 SUA Address Mapping Rules Field Description Options/Example Set Name This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create.
  • Page 83: Figure 6-8 First Set In Menu 15.1.1

    Ordering Your Rules Ordering your rules is important because the ZyWALL 10 applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL 10 takes the corresponding action and the remaining rules are ignored.
  • Page 84: Figure 6-9 Editing An Individual Rule In A Set

    ZyWALL 10 Internet Security Gateway Save Set selected. The rules after the selected rule will then be moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action, the Select Rule item will be disabled).
  • Page 85: Nat Server Sets

    ZyWALL 10 Internet Security Gateway (Field / Description / Option/Example) ...machine. See section 6.4.3 below for some examples. Option/Example: ...Many-to-Many Overload and Server. Local IP: Only local IP fields are N/A for server; Global IP fields MUST be set for Server. Start: This is the starting local IP address (ILA).
  • Page 86: Configuring A Server Behind Nat

    ZyWALL 10 Internet Security Gateway Figure 6-10 Multiple Servers Behind NAT 6.3.2 Configuring a Server behind NAT Follow the steps below to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 – NAT Setup.
  • Page 87: Examples

    ZyWALL 10 Internet Security Gateway Menu 15.2 - NAT Server Setup (Port # / Address): 1. Default 0.0.0.0; 2. 21 192.168.1.33; 3. 23 192.168.1.34; 4. 25 192.168.1.35; 5. 80 192.168.1.36; 6. 0 0.0.0.0; 7. 0 0.0.0.0; 8. 0 0.0.0.0; 9. 0 0.0.0.0; 10. 0 0.0.0.0...
  • Page 88: Figure 6-13 Internet Access & Nat Example

    ZyWALL 10 Internet Security Gateway Figure 6-12 NAT Example 1 Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A...
  • Page 89: Example 2 - Internet Access With An Inside Server

    ZyWALL 10 Internet Security Gateway 6.4.2 Example 2 – Internet Access with an Inside Server Figure 6-14 NAT Example 2 In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
  • Page 90: Figure 6-16 Nat - Example 3

    ZyWALL 10 Internet Security Gateway server and the other IGA is used by all. We want to map the FTP servers to the first two of our IGAs and the other LAN traffic to the remaining IGA. We also want to map our third IGA to an inside web server and mail server.
  • Page 91: Figure 6-17 Example 3 - Menu 11.3

    ZyWALL 10 Internet Security Gateway Step 5. Select Type= as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 6-18) Step 6.
  • Page 92: Figure 6-19 Example 3 Final Menu 15.1.1

    ZyWALL 10 Internet Security Gateway When we have configured all four rules, Menu 15.1.1 should look as follows. Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type...
  • Page 93: Example 4 - NAT Unfriendly Application Programs

    6.4.4 Example 4 – NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
  • Page 94: Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule

    Menu 15.1.1.1 Address Mapping Rule
      Type= Many-to-Many No Overload
      Local IP:  Start= 192.168.1.10  End= 192.168.1.12
      Global IP: Start= 10.132.50.1   End= 10.132.50.3
      Press ENTER to Confirm or ESC to Cancel:
    Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule
    After you've configured this menu, you should see the following screen.
  • Page 95: Advanced Management

    Part III: Advanced Management Chapters 7 - 12 provide information on ZyWALL Filtering, SNMP Configuration, System Information and Diagnosis, Transferring Files, System Maintenance and Telnet.
  • Page 97: Chapter 7 Filter Configuration

    Chapter 7 Filter Configuration This chapter shows you how to create and apply filter(s). About Filtering Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 98: The Filter Structure Of The ZyWALL

    7.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 99: Figure 7-2 Filter Rule Process

    [Figure 7-2 Filter Rule Process: flowchart. Packet into filter; fetch first filter set; fetch first filter rule; "Rule Active?"; execute filter rule and check result; fetch next filter rule or next filter set while "Available?"...]
  • Page 100: Configuring A Filter Set

    Configuring a Filter Set To configure a filter set, follow the procedure below. For more information on Menus 21.2 and 21.3, please see Part 4. Step 1. Select option 21. Filter Set Configuration from the Main Menu to open Menu 21.
  • Page 101: Figure 7-6 NetBIOS_WAN Filter Rules Summary

    Menu 21.1.1 - Filter Rules Summary
      # A Type Filter Rules                                  M m n
      - - ---- -------------------------------------------- - - -
      1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137         N D N
      2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138...
  • Page 102: Filter Rules Summary Menu

    7.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Table 7-1 Abbreviations Used in the Filter Rules Summary Menu...
  • Page 103: Configuring A Filter Rule

    The protocol-dependent filter rule abbreviations are listed as follows. If the filter type is IP, the abbreviations in the following table are used. Table 7-2 Abbreviations Used If Filter Type Is IP...
  • Page 104: Figure 7-9 Menu 21.1.1.1 - TCP/IP Filter Rule

    Menu 21.1.1.1 - TCP/IP Filter Rule
      Filter #: 1,1
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 6    IP Source Route= No
      Destination: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 137
                   Port # Comp= Equal
      Source:      IP Addr= 0.0.0.0...
  • Page 105 Field / Description / Option (continued): ... don't-care if it is 0. Destination: Port # Comp: Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Option: None/Less/Greater/Equal/Not Equal...
  • Page 106 Field Description Option Once you have completed filling in Menu 21.1.1.1 - TCP/IP Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.
  • Page 107: Figure 7-10 Executing An IP Filter

    [Figure 7-10 Executing an IP Filter: flowchart. Packet into IP filter; "Filter Active?"; apply SrcAddrMask to Src Addr and check Src IP Addr (Matched / Not Matched); apply DestAddrMask to Dest Addr and check Dest IP Addr (Matched / Not Matched); check IP Protocol (Matched / Not Matched); check Src &...]
  • Page 108: Generic Filter Rule

    7.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
  • Page 109: Table 7-5 Generic Filter Rule Menu Fields

    The following table describes the fields in the Generic Filter Rule Menu. Table 7-5 Generic Filter Rule Menu Fields Field Description Option Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.
  • Page 110: Example Filter

    Drop Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.
  • Page 111: Figure 7-13 Example Filter - Menu 21.1.1.1

    Menu 21.1.1 - TCP/IP Filter Rule
      Filter #: 3,1
      Filter Type= TCP/IP Filter Rule
      Active= Yes
    (Callout: Press the [SPACEBAR] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set.)
  • Page 112: Filter Types And NAT

    Menu 21.1.3 - Filter Rules Summary
      # A Type Filter Rules                                                   M m n
      - - ---- --------------------------------------------------------------- - - -
      1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                             N D F
      Enter Filter Rule Number (1-6) to Configure: 1...
  • Page 113: Firewall

    packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the ZyWALL is receiving and sending the packets;...
  • Page 114: Remote Node Filters

    Menu 3.1 – LAN Port Filter Setup
      Input Filter Sets:
        protocol filters= 2
        device filters=
      Output Filter Sets:
        Protocol filters=
        device filters=
      Press ENTER to Confirm or ESC to Cancel:
    (Callout: Apply Default Filter 2 here.)
    Figure 7-16 Filtering LAN Traffic
    7.6.2 Remote Node Filters...
  • Page 115: Chapter 8 SNMP Configuration

    Chapter 8 SNMP Configuration This chapter discusses SNMP (Simple Network Management Protocol) for network management and monitoring. About SNMP Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. Keep in mind that SNMP is only available if TCP/IP is configured on your ZyWALL.
  • Page 116: Table 8-1 SNMP Configuration Menu Fields

    The following table describes the SNMP configuration parameters. Table 8-1 SNMP Configuration Menu Fields (Field / Description / Default): Get Community: Enter the get community, which is the password for the incoming Get- and GetNext- requests from the management station. Default: public.
  • Page 117: Chapter 9 System Information & Diagnosis

    Chapter 9 System Information & Diagnosis This chapter talks you through SMT Menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail.
  • Page 118: System Status

    System Status The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the figure below. System Status is a tool that can be used to monitor your ZyWALL.
  • Page 119: Table 9-1 System Maintenance - Status Menu Fields

    The following table describes the fields present in Menu 24.1 - System Maintenance - Status. Table 9-1 System Maintenance - Status Menu Fields Field Description Port The WAN or LAN port. Status Shows the port speed and duplex setting if you’re using Ethernet Encapsulation and down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you’re using...
  • Page 120: System Information And Console Port Speed

    System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: Step 1. Enter 24 to go to Menu 24 – System Maintenance.
  • Page 121: Console Port Speed

    Table 9-2 Fields in System Maintenance Field Description Name This is the ZyWALL's system name + domain name assigned in Menu 1. E.G., System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.baboo.mickey.com Routing Refers to the routing protocol used.
  • Page 122: Viewing Error Log

    9.3.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1. Select option 24 from the Main Menu to open Menu 24 - System Maintenance.
  • Page 123: Figure 9-8 Menu 24.3.2 - System Maintenance - UNIX Syslog

    Menu 24.3.2 -- System Maintenance - UNIX Syslog and Accounting
      UNIX Syslog:
        Active= No
        Syslog IP Address= ?
        Log Facility= Local 1
      Types:
        CDR= No
        Packet Triggered= No
        Filter log= No
        PPP log= No
        Firewall log= No
      Press ENTER to Confirm or ESC to Cancel:
    Figure 9-8 Menu 24.3.2 - System Maintenance - UNIX Syslog...
  • Page 124: Packet Triggered

    1. CDR
    CDR Message Format
      SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
      String = board xx line xx channel xx, call xx, str
      board = the hardware board ID
      line = the WAN ID in a board...
  • Page 125: PPP Log

    Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
    Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
    Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF
    Mar 03 11:59:20 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
    Mar 03 12:00:31 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
    Mar 03 12:00:52 202.132.155.97 ZyXEL:...
  • Page 126: Call-Triggering Packet

    9.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in Menu 24.1 in hex format. An example is shown next.
  • Page 127: WAN DHCP

    Menu 24.4 - System Maintenance - Diagnostic
      TCP/IP
        Ping Host
        WAN DHCP Release
        WAN DHCP Renewal
        Internet Setup Test
      System
        11. Reboot System
      Enter Menu Selection Number:
      Host IP Address= N/A
    Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic
    Follow the procedure below to get to Menu 24.4 - System Maintenance –...
  • Page 128: Figure 9-11 WAN & LAN DHCP

    Figure 9-11 WAN & LAN DHCP The following table describes the diagnostic tests available in Menu 24.4 for your ZyWALL and the connections. Table 9-4 System Maintenance Menu Diagnostic Number Field Description Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN.
  • Page 129: Chapter 10 Transferring Files

    Chapter 10 Transferring Files This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 10.1 Filename conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup etc.
  • Page 130: Firmware Development

    Table 10-1 Filename Conventions (File Type / Internal Name / External Name / Description / Command): Configuration File: Internal Name Rom-0; External Name *.rom; Description: This is the router configuration filename on the ZyWALL. Uploading the rom-0 file replaces the entire ROM file system,...; Command: ATLC
  • Page 131: Restore Configuration

    10.3 Restore Configuration Menu 24.6 -- System Maintenance - Restore Configuration allows you to restore the configuration via the console port. FTP and TFTP are the preferred methods for restoring your current workstation configuration to your ZyWALL since FTP and TFTP are faster.
  • Page 132: Uploading Router Configuration File

    Step 4. After successful firmware upload, enter atgo to restart the ZyWALL. Menu 24.7.1 - System Maintenance - Upload Router Firmware FTP and TFTP are the preferred methods for uploading router firmware to your ZyWALL since FTP and TFTP are faster.
  • Page 133: TFTP File Transfer

    Menu 24.7.2 - System Maintenance - Upload Router Configuration File FTP and TFTP are the preferred methods for uploading router firmware to your ZyWALL since FTP and TFTP are faster. To upload router configuration file: 1.
  • Page 134: Example TFTP Command

    Note: If you upload the firmware to the ZyWALL, it will reboot automatically when the file transfer is completed (the SYS LED will flash). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
  • Page 135: FTP File Transfer

    10.6 FTP File Transfer In addition to uploading the firmware and configuration via the console port and TFTP client, you can also upload the ZyWALL firmware and configuration files using FTP. To use this feature, your workstation must have an FTP client.
  • Page 136: Using The FTP Command From The DOS Prompt

    Menu 24.7.2 - System Maintenance - Upload Router Configuration File To upload the router configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 137: Figure 10-8 FTP Session Example

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> put zywall.bin ras
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 327680 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 139: Chapter 11 System Maintenance & Information

      Command Interpreter Mode
      Call Control
      10. Time and Date Setting
      11. Remote Management Setup
      Enter Menu Selection Number:
    Figure 11-1 Command Mode in Menu 24
    Copyright (c) 1994 - 2000 ZyXEL Communications Corp.
    ras> ?
    Valid commands are:
    exit device ether...
  • Page 140: Call Control Support

    11.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in Menu 4 or Menu 11.1.
  • Page 141: Call History

    The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
  • Page 142: Time And Date Setting

    Table 11-2 Call History Fields Field Description Phone Number The PPPoE service names are shown here. This shows whether the call was incoming or outgoing. Rate This is the transfer rate of the call. #call This is the number of calls made to or received from that telephone number.
  • Page 143: Figure 11-6 System Maintenance - Time And Date Setting

    Menu 24.10 - System Maintenance - Time and Date Setting
      Use Time Server when Bootup= None
      Time Server IP Address= N/A
      Current Time:        00 : 00 : 00
      New Time (hh:mm:ss): 00 : 04
      Current Date:...
  • Page 144: Remote Management Setup

    zone and Greenwich Mean Time (GMT). Be aware if/when daylight savings time alters this time difference for your time zone. Once you have filled in the new time and date, press [Enter] to save the setting and press [Esc] to return to Menu 24.
  • Page 145: Boot Commands

    Table 11-4 Menu 24.11 - Remote Management Control (Field / Description / Option): FTP service active: Press the [SPACE BAR] to toggle Yes to No and press [Enter] to disable all FTP activity (both LAN and WAN).
  • Page 146: Figure 11-9 Boot Module Commands

    ======= Debug Command Listing =======
    AT            just answer OK
    ATHE          print help
    ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y)     set BootExtension Debug Flag (y=password)
    ATSE          show the seed of password generator
    ATTI(h,m,s)   change system time to hour:min:sec or show current time...
  • Page 147: Chapter 12 Telnet Configuration And Capabilities

    Chapter 12 Telnet Configuration and Capabilities This chapter covers the Telnet Configuration and Capabilities of the ZyWALL. 12.1 About Telnet Configuration Before the ZyWALL is properly setup for TCP/IP, the only option for configuring it is through the console port.
  • Page 148: System Timeout

    12.3.2 System Timeout There is a system timeout of 5 minutes (300 seconds) for either the console port or telnet. Your ZyWALL will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in Menu 24.1 or when "sys stdio"...
  • Page 149: Firewall And Content Filters

    Part IV: Firewall and Content Filters Chapters 13 – 20 define the term “Firewall”, introduce the ZyWALL Firewall and ZyWALL Web Configurator, describe how to create Custom Rules and to configure customized ports, explain Logs and provide Example Firewall Rules. Chapter 20 explains Content Filtering and how to use the ZyWALL to restrict web features such as ActiveX controls and java applets, etc.
  • Page 150: Chapter 13 What Is A Firewall

    Chapter 13 What is a Firewall? This chapter gives some background information on Firewalls. Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The network term firewall is typically defined as a system or group of systems that enforces an access-control policy between two networks.
  • Page 151: Stateful Inspection Firewalls

    needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. 13.1.3 Stateful Inspection firewalls Stateful Inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol.
  • Page 152: Denial Of Service

    Figure 13-1 ZyWALL Firewall Application 13.3 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 153: Types Of DoS Attacks

    Some of the most common IP ports are: Table 13-1 Common IP Ports Telnet HTTP SMTP POP3 13.3.2 Types of DoS attacks There are four types of DoS attacks: Those that exploit bugs in a TCP/IP implementation.
  • Page 154: Figure 13-2 Three-Way Handshake

    Figure 13-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
  • Page 155: Stateful Inspection

    A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network.
  • Page 156: Stateful Inspection Process

    Deny all sessions originating from the WAN (Internet) to the LAN (local network) Figure 13-5 Stateful Inspection Figure 13-5 shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
  • Page 157: Stateful Inspection & The ZyWALL

    Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created.
  • Page 158: UDP/ICMP Security

    If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed through.
  • Page 159: Security In General

    Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give total control of the firewall, even with access control configured.
  • Page 160 Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those with upper and lower case letters, numbers, and a symbol such as % or #.
  • Page 162: Chapter 14 Introducing The ZyWALL Firewall

    14.1 SMT Menus From the Main Menu (see below) enter 21 to go to Menu 21 - Filter Set and Firewall Configuration. Copyright (c) 1994 - 2000 ZyXEL Communications Corp. ZyWALL 10 Main Menu Getting Started Advanced Management 1.
  • Page 163: View Firewall Log

    Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets 1. allow all sessions originating from the LAN to the WAN and 2. deny all sessions originating from the WAN to the LAN...
  • Page 164: Table 14-1 ICMP Commands That Trigger Alerts

    ICMP Echo A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings).
  • Page 165: Figure 14-4 View Firewall Log

    Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.
  • Page 166: The Big Picture - Filtering, Firewall And NAT

    You must configure Menu 24.10 for real time; hh:mm:ss e.g., 00:00:00 otherwise the clock started at Jan 1 70, 00:00:00 the last time the ZyWALL 10 was reset. Packet This field lists packet information such as protocol and From and To IP addresses...
  • Page 167: Packet Filtering Vs Firewall

    Figure 14-5 Big Picture - Filtering, Firewall and NAT 14.3 Packet Filtering Vs Firewall Below are some comparisons between the ZyWALL’s filtering and firewall functions. 14.3.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 168: Firewall

    When To Use Filtering To block/allow LAN packets by their MAC address. To block/allow special IP packets which are neither TCP, UDP, nor ICMP packets. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 170: Chapter 15 Introducing The ZyWALL Web Configurator

    Chapter 15 Introducing the ZyWALL Web Configurator This chapter shows you how to configure your firewall with the Web Configurator. 15.1 Web Configurator Login and Welcome Screens Launch your web browser and enter 192.168.1.1 as the URL. This is the factory default IP of the ZyWALL when shipped.
  • Page 171: Enabling The Firewall

    After a successful login, you will see the Welcome screen shown next. Figure 15-2 ZyWALL Web Configurator Welcome Screen 15.2 Enabling the Firewall Click Firewall, then Configuration, then the Rule Config tab to enable the firewall as seen in the following screen.
  • Page 172: E-Mail

    Figure 15-3 Enabling the Firewall 15.3 E-Mail This screen allows you to specify your mail server, where e-mail alerts should be sent as well as when and how often they should be sent. 15.3.1 What are Alerts? Alerts are reports on events such as attacks, which you may want to know about right away.
  • Page 173: What Are Logs

    15.3.2 What are Logs? A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you are creating/editing a firewall rule (see Figure 16-4). You can also choose not to create a log for a rule in this screen.
  • Page 174: Table 15-1 E-Mail

    Table 15-1 E-Mail Field Description Options Address Information Mail Server Enter the IP address of your mail server in dot decimal format. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messages will not be sent via E-mail.
  • Page 175: SMTP Error Messages

    15.3.3 SMTP Error Messages If there are difficulties in sending e-mail the following error messages appear. Please see the Support Notes on the accompanying CD for information on other types of error messages. E-mail error messages appear as "SMTP action request failed. ret= ??" where ?? is described in the following table.
  • Page 176: Attack Alert

    Subject: Firewall Alert From ZyWALL   (Callout: You may edit the subject title)
    Date: Fri, 07 Apr 2000 10:05:42       (Callout: The date format here is Date-Month-Year)
    From: user@zyxel.com
    user@zyxel.com
    1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default permit |forward...   (Callout: The date format here is...)
  • Page 177: Threshold Values

    You can use the default threshold values, or you can change them to values more suitable to your security requirements. 15.4.1 Threshold Values: You really just need to tune these parameters when something is not working and after you have checked the firewall counters.
  • Page 178: Figure 15-6 Attack Alert

    The ZyWALL deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
  • Page 179: Table 15-3 Attack Alert

    Table 15-3 Attack Alert (Field / Description / Default Values): Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected.
  • Page 180 Field / Description / Default Values (continued). Field: ...half-open sessions when the number of existing half-open sessions rises... Description: ...rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to...
  • Page 182: Chapter 16 Creating Custom Rules

    Chapter 16 Creating Custom Rules 16.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the ZyWALL’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet.
  • Page 183: Security Ramifications

    What computers on the LAN are to be affected (if any)? What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 184: Connection Direction

    16.3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 16.3.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN.
  • Page 185: Services Supported

    Figure 16-2 WAN to LAN Traffic 16.4 Services Supported The list box in the Rule Config(uration) screen (see Figure 16-4) displays all services that the ZyWALL supports. Custom services may also be configured using the Custom Ports function discussed later. Next to the name of the protocol, two fields appear in brackets.
  • Page 186: Table 16-1 Services Supported

    Table 16-1 Services Supported
      SERVICE                          DESCRIPTION
      BGP(TCP:179)                     Border Gateway Protocol
      BOOTP_CLIENT(UDP:68)             DHCP Client
      BOOTP_SERVER(UDP:67)             DHCP Server
      CU-SEEME(TCP/UDP:7648, 24032)    A popular videoconferencing solution from White Pines Software.
      DNS(UDP/TCP:53)                  Domain Name Server, a service that matches web names (e.g....
  • Page 187: Rule Summary

    16.5 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewall, then Local Network to bring up the following screen. This screen is a summary of the existing rules.
  • Page 188: Table 16-2 Firewall Rules Summary - First Screen

    ZyWALL 10 Internet Security Gateway Table 16-2 Firewall Rules Summary - First Screen Field Description Option General Name This is the name of the firewall rule set. Default Permit Log Check this box to log all matched rules in the ACL default set.
  • Page 189: Creating/Editing Firewall Rules

    ZyWALL 10 Internet Security Gateway Field Description Option section 16.5.1 for more details. Delete Press this button to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action. Move Rule You may reorder your rules using this function.
  • Page 190: Figure 16-4 Creating/Editing A Firewall Rule

    ZyWALL 10 Internet Security Gateway Figure 16-4 Creating/Editing A Firewall Rule Table 16-3 Creating/Editing A Firewall Rule Field Description Option Press SrcAdd to add a new address, SrcAdd Source Address SrcEdit to edit an existing one or SrcDelete SrcEdit to delete one. Please see the next section...
  • Page 191: Source & Destination Addresses

    ZyWALL 10 Internet Security Gateway Field Description Option from the Available Services box on the left, then press >> to select it. The selected service shows up on the Selected Services box on the right. To remove a service, click on it in the Selected Services box on the right, then press <<.
  • Page 192: Figure 16-5 Adding/Editing Source & Destination Addresses

    ZyWALL 10 Internet Security Gateway Figure 16-5 Adding/Editing Source & Destination Addresses Table 16-4 Adding/Editing Source & Destination Addresses Field Description Option Single Address Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to Range Address 192.169.1.50), a subnet or any IP address? Select an option...
  • Page 193: Timeout

    ZyWALL 10 Internet Security Gateway When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen. 16.6 Timeout The fields in the Timeout screens are the same for Local and Internet networks, so the discussion below refers to both.
  • Page 194: Table 16-5 Timeout Menu

    ZyWALL 10 Internet Security Gateway Table 16-5 Timeout Menu Field Description Default Value TCP Timeout Values Connection Timeout This is the length of time the ZyWALL waits for a TCP 30 seconds session to reach the established state before dropping the session.
  • Page 196: Chapter 17 Custom Ports

    Chapter 17 Custom Ports 17.1 Introduction Configure customized ports for services not supported by the ZyWALL (see Figure 16-4). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website.
  • Page 197: Creating/Editing A Custom Port

    Table 17-1 Custom Ports (field: description): Customized Services: This is the number of your customized port. Name: This is the name of your customized port. Protocol: This shows the IP protocol (TCP, UDP or Both) that defines your customized port.
  • Page 198: Figure 17-2 Creating/Editing A Custom Port

    Figure 17-2 Creating/Editing A Custom Port. The next table describes the fields in this screen. Custom Ports 17-3...
  • Page 199: Table 17-2 Creating/Editing A Custom Port

    Table 17-2 Creating/Editing A Custom Port (field: description, option): Service Name: Enter a unique name for your custom port. Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop-down list box.
  • Page 200: Chapter 18 Logs

    Chapter 18 Logs 18.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 16-4). Click on Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 (see section 14.1.1) or via syslog (SMT Menu 24.3.2 - System Maintenance - UNIX...
  • Page 201: Table 18-1 Log Screen

    Table 18-1 Log Screen (field: description): This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
  • Page 202 (Field: description, continued) When you have finished viewing this screen, click another link to exit. Logs 18-3...
  • Page 204: Chapter 19 Example Firewall Rules

    Chapter 19 Example Firewall Rules 19.1 Examples Please note that whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may also have to configure a server behind NAT using SMT menu 15.2.
  • Page 205: Figure 19-1 Activate The Firewall

    Check here to activate the firewall. You may also activate the firewall in SMT menu 21.2. Figure 19-1 Activate The Firewall. Step 2. Configure your E-mail screen as follows. Click the E-Mail tab to bring up the next screen.
  • Page 206: Figure 19-2 Example 1 - E-Mail Screen

    Enter 10.100.1.2, the IP address of the mail server, here. Enter a subject for these e-mails here. This is where we send the alerts. We want to send an alert at this time. Figure 19-2 Example 1 - E-Mail Screen. Step 3.
  • Page 207: Figure 19-3 Example 1 - Configuring A Rule

    This is an Internet to Local Network rule. Click DestAdd to configure the destination address as the IP of our server on the LAN. See the next screen. Select this service (web service) from the...
  • Page 208: Figure 19-4 Example 1: Destination Address For Traffic Originating From The Internet

    10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet and mail services) to which we wish to forward traffic originating from the Internet. Figure 19-4 Example 1: Destination Address for Traffic Originating From The Internet...
  • Page 209: Example 2 - Small Office With Mail, FTP And Web Servers

    ACL Default Set. The first rule is a default rule to allow DHCP negotiation between the ISP and the ZyWALL 10. The second rule is what we configured in the last 2 screens. Click Apply in this screen when you have finished configuring to save your...
  • Page 210: Figure 19-6 Send Alerts When Attacked

    Step 1. First you want to send alerts when there is an attack. Go to the Attack Alert screen (click Configuration, then the Attack Alert tab) shown next. Check this box to send alerts when there is an attack.
  • Page 211: Figure 19-7 Configuring A POP Custom Port

    Figure 19-7 Configuring A POP Custom Port. Type a name for this custom port and select TCP service. Click Single and enter a port number of 110. Click Apply when you’ve finished. Step 4. Now, you will create rules to block all outgoing traffic (from the local network to the Internet) except for traffic originating from the HTTP proxy server and our mail server.
  • Page 212: Figure 19-8 Example 2 - Local Network Rule 1 Configuration

    This is the IP of our mail server. We select these mail services. Note that our customized service has an “*” before the name to distinguish it as such. We want to forward packets that match. Click Apply when finished.
  • Page 213: Figure 19-9 Example 2 - Local Network Rule Summary

    Check this box to log all matched rules in the ACL Default Set. Rule 1 forwards SMTP and POP traffic from our mail server and Rule 2 forwards HTTP traffic from the proxy web server. You don’t want a log.
  • Page 214: Example 3: DHCP Negotiation And Syslog Connection From The Internet

    19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rule examples to: Allow DHCP negotiation between the ISP and the ZyWALL 10. Allow a syslog connection from the Internet. Step 1. Follow the procedure shown next to first configure a custom port.
  • Page 215: Figure 19-11 Custom Port For Syslog

    Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. Figure 19-11 Custom Port for Syslog. Step 2.
  • Page 216: Figure 19-12 Syslog Rule Configuration

    This is the address range of the syslog servers. This is our Syslog custom port. Click Apply when finished. Figure 19-12 Syslog Rule Configuration. Example Firewall Rules 19-13...
  • Page 217: Figure 19-13 Example 3 Rule Summary

    Rule 1: Allow DHCP negotiation between the ISP and the ZyWALL 10. Rule 2: Allow a syslog connection from the WAN. Click Apply to save your settings back to the ZyWALL. Figure 19-13 Example 3 Rule Summary...
  • Page 218: Chapter 20 Content Filtering

    Chapter 20 Content Filtering The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can also block specific URLs. Please note that content filtering means the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21.1.
  • Page 219: Cookies

    20.1.3 Cookies Cookies are used by Web servers to track usage. Cookies provide service based on ID. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities.
  • Page 220: Figure 20-1 Content Filtering Screen

    Figure 20-1 Content Filtering Screen. Table 20-1 Content Filtering Fields (field: description): Restrict Web Features: Check the box(es) to restrict that feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
  • Page 221: Troubleshooting, Appendices, Glossary And Index

    Troubleshooting, Appendices, Glossary and Index Part V: Troubleshooting, Appendices, Glossary and Index Chapter 21 provides information about solving common problems, followed by some Appendices, a Glossary of Terms and an Index.
  • Page 223: Chapter 21 Troubleshooting

    Chapter 21 Troubleshooting This chapter covers the potential problems you may run into and the possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our supporting disk for further information.
  • Page 224: Problems With The LAN Interface

    21.2 Problems with the LAN Interface Table 21-2 Troubleshooting the LAN Interface (problem: corrective action): Can’t ping any workstation on the LAN: Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your ZyWALL and the hub or the station.
  • Page 225: Problems With Internet Access

    21.4 Problems with Internet Access Table 21-4 Troubleshooting Internet Access (problem: corrective action): Cannot access the Internet: Connect your Cable/xDSL modem with the ZyWALL using the appropriate cable. Check with the manufacturer of your Cable/xDSL modem about the cable requirement, because for some modems you may require a crossover cable and for others a regular patch cable.
  • Page 227: Appendix A PPPoE

    Appendix A PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure).
  • Page 228 How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 229: Appendix B PPTP

    Appendix B PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 230 Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS.
  • Page 231: Appendix C Hardware Specifications

    Appendix C Hardware Specifications Power Specification: I/P AC 120V / 60Hz; O/P DC 12V 1200 mA. MTBF: 100000 hrs. Operation Temperature: 0º C ~ 40º C. Ethernet Specification for 10Mbit: Half Duplex; for 10/100 Mbit: Half / Full Auto-negotiation. Ethernet Specification for Console Port: RS –...
  • Page 232: Appendix D Important Safety Instructions

    Appendix D Important Safety Instructions The following safety instructions apply to the ZyWALL: Be sure to read and follow all warning notices and instructions. The maximum recommended ambient temperature for the ZyWALL is 40º (104º). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 233: Appendix E Firewall CLI Commands

    Appendix E Firewall CLI Commands The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select option 24.8 Command Interpreter Mode from the Main Menu to go into CLI mode.
  • Page 234 (CLI syntax: description) config edit firewall e-mail email-to <e-mail address>: Edits the mail address which you want to send the alert to. config edit firewall e-mail ...: Edits whether the current firewall traffic log contents are sent through e-mail when the log is full, hourly, daily, or weekly.
  • Page 235 (CLI syntax: description) config edit firewall set <set #> default-permit <forward | block>: Edits whether a packet is dropped or allowed through when it does not meet a rule within the set. config edit firewall set <set #>...: Edits the time limit, in seconds, for an idle ICMP session.
  • Page 236 (CLI syntax: description) config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask>: Selects and edits a source address and subnet mask of traffic which complies with this rule. config edit firewall set <set #>...: Selects and edits a source address range of traffic which ...
  • Page 237 (CLI syntax: description) config delete firewall e-mail: Removes all the settings for e-mail alert. config delete firewall attack: Resets all the settings for attack to the default setting. config delete firewall set <set...: Removes the specified set from the firewall configuration.
  • Page 238: Appendix F Power Adapter Specs

    Appendix F Power Adapter Specs AC Power Adapter Specifications. North America: AC Power Adapter model MW48-1201200; Input power: AC120Volts/60Hz; Output power: DC12Volts/1.2A; Power consumption: 9 W; Plug: North American standards; Safety standards: UL, CUL (UL 1310, CSA C22.2 No.233-M91)
  • Page 239 Japan: AC Power Adapter model JOD-48-1124; Input power: AC100Volts/ 50/60Hz/ 27VA; Output power: DC12Volts/1.2A; Power consumption: 9 W; Plug: Japan standards; Safety standards: T-Mark. Australia and New Zealand: AC Power Adapter model AD-1201200DS; Input power: AC240Volts/50Hz/0.2A; Output power: DC12Volts/1.2A...
  • Page 240: Glossary Of Terms

    Glossary of Terms 10BaseT The 10-Mbps baseband Ethernet specification that uses two pairs of twisted-pair cabling (Category 3 or 5): one pair for transmitting data and the other for receiving data. ARP Address Resolution Protocol is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
  • Page 241 Cookie A string of characters saved by a web browser on the user's hard disk. Many web pages send cookies to track specific user information. Cookies can be used to retain information as the user browses a web site. For example, cookies are used to 'remember' the items a shopper may have in a shopping cart.
  • Page 242 Digital Signature Digital code that authenticates whoever signed the document or software. Software, messages, Email, and other electronic documents can be signed electronically so that they cannot be altered by anyone else. If someone alters a signed document, the signature is no longer valid.
  • Page 243 Events These are network activities. Some activities are direct attacks on your system, while others might be, depending on the circumstances. Therefore, any activity, regardless of severity, is called an event. An event may or may not be a direct attack on your system.
  • Page 244 Integrity Proof that the data is the same as originally intended. Unauthorized software or people have not altered the original information. internet (Lower case i) Any time you connect 2 or more networks together, you have an internet.
  • Page 245 same as your Ethernet address.) The MAC layer frames data for transmission over the network, then passes the frame to the physical layer interface where it is transmitted as a stream of bits. Name Resolution The allocation of an IP address to a host name.
  • Page 246 This category of computer criminal includes several different types of illegal activities: Making copies of software for others to use. Distributing pirated software over the Internet or a Bulletin Board System. Receiving or downloading illegal copies of software in any form.
  • Page 247 Proxy Server A server that performs network operations in lieu of other systems on the network. Proxy Servers are most often used as part of a firewall to mask the identity of users inside a corporate network yet still provide access to the Internet. When a user connects to a proxy server, via a web browser or other networked application, he submits commands to the proxy server.
  • Page 248 security flaws in their network systems. Server A computer, or a software package, that provides a specific kind of service to client software running on other computers. Shoulder Surfing Looking over someone's shoulder to see the numbers they dial on a phone, or the information they enter into a computer.
  • Page 249 TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP (File Transfer Protocol), but it is scaled back in functionality so that it requires fewer resources to run. TFTP uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
  • Page 250: Index

    Index (entry: page references): Action for Matched Packets 16-10; Activate The Firewall 19-2; ActiveX 20-1; Add Domain Name 20-3; Configuring A POP Custom Port 19-8; Configuring A Rule 19-5; console port 2-3; Console Port 2-3, 9-4, 9-5, E; Content Filtering 20-1; Cookies 20-2; Custom Ports, Creating/Editing ...
  • Page 251 E-Mail tab 15-4; Encapsulation, PPP over Ethernet A; Ethernet Encapsulation 3-8, 4-1, 4-5, 4-6, 4-10, 6-12, 6-13; Example E-Mail Log 15-6; Examples 19-1; General Setup 2-7; Half-Open Sessions 15-8; Hidden Menus 2-5; HTTP 6-14, 13-1, 13-3, 13-4, Q, T, W...
  • Page 252 LAN Setup 2-6, 2-11, 2-12, 3-4, 3-5; LAN to WAN Rules 16-3; LAND 13-4, 13-5, 14-2; Local Network Rule Summary 16-6; log 9-5; Log Facility 9-7; One Minute High 15-10; One Minute Low 15-10; one-minute high 15-8; Packet Filtering Firewalls 13-1...
  • Page 253 Safety Instructions F; saving the state 13-6; Security In General 13-10; Security Ramifications 16-2; Send Alerts When Attacked ...; System Name 2-9; System Status 9-2; System Timeout 12-2; TCP Maximum Incomplete 15-8, 15-9, 15-11
  • Page 254 WAN to LAN Rules 16-3; Web Configurator 13-9, See ZyWALL 10 Web Configurator; Web Proxy 20-2; ZyNOS 2-11, 6-4, 6-6, 9-3, 9-5, 10-1, 10-2; ZyNOS F/W Version 9-3, 9-5, 10-1; ZyWALL 10 Firewall Application 13-3; ZyWALL 10 Web Configurator ...
