ZyXEL Communications ZyWALL 1050 User Manual

Internet security appliance

ZyWALL 1050
Internet Security Appliance
User's Guide
Version 2.11
11/2008
Edition 1

DEFAULT LOGIN
LAN Port: 1
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com


Summary of Contents for ZyXEL Communications ZyWALL 1050

  • Page 3: About This User's Guide

    It is recommended you use the Web Configurator to configure the ZyWALL. • Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information. • Supporting Disc. ZyWALL 1050 User’s Guide
  • Page 4 Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate.
  • Page 5: Document Conventions

    Syntax Conventions • The ZyWALL 1050 may be referred to as the “ZyWALL”, the “device”, the “system” or the “product” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
  • Page 6 Document Conventions. Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.
  • Page 7: Safety Warnings

    For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product. • Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
  • Page 8 Safety Warnings. This product is recyclable. Dispose of it properly.
  • Page 9: Table Of Contents

    SSL VPN (355); SSL User Screens (365); SSL User Application Screens (371); SSL User File Sharing (373); L2TP VPN (379); L2TP VPN Example (383); Application Patrol (411); Application Patrol (413)
  • Page 10 System (637); Maintenance, Troubleshooting, & Specifications (679); File Manager (681); Logs (691); Reports (701); Diagnostics (717); Reboot (719); Troubleshooting (721); Product Specifications (725); Appendices and Index (731)
  • Page 11: Table Of Contents

    2.2.4 Interface to Interface (To VPN Tunnel) (60); 2.3 Applications (60); 2.3.1 VPN Connectivity (60); 2.3.2 SSL VPN Network Access (61); 2.3.3 User-Aware Access Control (62); 2.3.4 Multiple WAN Interfaces (63); 2.3.5 Device HA (63)
  • Page 12 5.2.2 Default Interface and Zone Configuration (109); 5.3 Terminology in the ZyWALL (110); 5.4 Feature Configuration Overview (110); 5.4.1 Feature (110); 5.4.2 Interface (111); 5.4.3 Trunks (112); 5.4.4 IPSec VPN (112); 5.4.5 SSL VPN (112)
  • Page 13 6.2.5 Set up the Zone for the VPN Tunnel (133); 6.3 How to Configure User-aware Access Control (134); 6.3.1 Set Up User Accounts (134); 6.3.2 Set Up User Groups (134); 6.3.3 Set Up User Authentication Using the RADIUS Server (135)
  • Page 14 8.1.1 What You Can Do in the Registration Screens (167); 8.1.2 What You Need to Know About Service Registration (167); 8.2 The Registration Screen (168); 8.3 The Service Screen (170); Chapter 9 Signature Update (173)
  • Page 15 10.11.1 Bridge Overview (217); 10.11.2 Bridge Interface Overview (218); 10.11.3 Bridge Summary (219); 10.11.4 Bridge Add/Edit (220); 10.12 Auxiliary Interface (224); 10.12.1 Auxiliary Interface Overview (224); 10.12.2 Configuring the Auxiliary Interface (224)
  • Page 16 14.1.1 What You Can Do in the Zones Screens (261); 14.1.2 What You Need to Know About Zones (262); 14.2 The Zone Screen (263); 14.3 Zone Add/Edit (263); Chapter 15 DDNS (265)
  • Page 17 19.1.2 What You Need to Know About IP/MAC Binding (298); 19.2 IP/MAC Binding Summary (298); 19.2.1 IP/MAC Binding Edit (299); 19.2.2 Static DHCP Edit (300); 19.3 IP/MAC Binding Exempt List (300); 19.4 IP/MAC Binding Monitor (301)
  • Page 18 22.1.2 What You Need to Know About SSL VPN (355); 22.2 The SSL Access Privilege Screen (358); 22.2.1 The SSL Access Policy Add/Edit Screen (359); 22.3 The SSL Connection Monitor Screen (361)
  • Page 19 26.2 L2TP VPN Screen (381); 26.3 L2TP VPN Session Monitor Screen (382); Chapter 27 L2TP VPN Example (383); 27.1 L2TP VPN Example (383); 27.2 Configuring the Default L2TP VPN Gateway Example (384)
  • Page 20 29.2.1 Anti-Virus Policy Add or Edit Screen (444); 29.3 Anti-Virus Black List (446); 29.4 Anti-Virus Black List or White List Add/Edit (447); 29.5 Anti-Virus White List (448); 29.6 Signature Searching (449)
  • Page 21 31.2 The ADP General Screen (482); 31.2.1 Configuring ADP Policies (483); 31.3 The Profile Summary Screen (484); 31.3.1 Base Profiles (484); 31.3.2 Configuring The ADP Profile Summary Screen (485); 31.3.3 Creating New ADP Profiles (485)
  • Page 22 34.4.2 Regular Expressions in Black or White List Entries (535); 34.5 The Anti-Spam White List Screen (536); 34.6 The DNSBL Screen (537); 34.6.1 The DNSBL Add/Edit Screen (539); 34.7 The Anti-Spam Status Screen (540); Part VII: Device HA (541)
  • Page 23 37.1.2 What You Need To Know About Addresses/Groups (575); 37.2 Address Summary Screen (575); 37.2.1 Address Add/Edit Screen (576); 37.3 Address Group Summary Screen (577); 37.3.1 Address Group Add/Edit Screen (578); Chapter 38 Services (581)
  • Page 24 41.1.1 What You Can Do Using The Auth. Method Screens (603); 41.1.2 Before You Begin (603); 41.1.3 Example: Selecting a VPN Authentication Method (603); 41.2 Viewing Authentication Method Objects (604); 41.3 Creating an Authentication Method Object (605); Chapter 42 Certificates (607)
  • Page 25 45.1.1 What You Can Do In The System Screens (637); 45.2 Host Name (638); 45.3 Date and Time (639); 45.3.1 Pre-defined NTP Time Servers List (641); 45.3.2 Time Server Synchronization (641); 45.4 Console Port Speed (642)
  • Page 26 45.10.3 Configuring SNMP (674); 45.11 Dial-in Management (675); 45.11.1 Configuring Dial-in Mgmt (676); 45.12 Vantage CNM (676); 45.12.1 Configuring Vantage CNM (677); 45.13 Language Screen (678); Part X: Maintenance, Troubleshooting, & Specifications (679)
  • Page 27 48.8 The Email Daily Report Screen (714); Chapter 49 Diagnostics (717); 49.1 The Diagnostics Screen (717); Chapter 50 Reboot (719); 50.1 Overview (719); 50.1.1 What You Need To Know About Reboot (719); 50.2 The Reboot Screen (719)
  • Page 28 Appendix B Common Services (789); Appendix C Displaying Anti-Virus Alert Messages in Windows (793); Appendix D Importing Certificates (799); Appendix E Open Software Announcements (823); Appendix F Legal Information (861); Appendix G Customer Support (865); Index (871)
  • Page 29: List Of Figures

    Figure 1 ZyWALL 1050 Front Panel (53); Figure 2 Managing the ZyWALL: Web Configurator (55); Figure 3 Applications: VPN Connectivity (61); Figure 4 Network Access Mode: Reverse Proxy (61); Figure 5 Network Access Mode: Full Tunnel Mode (62); Figure 6 Applications: User-Aware Access Control ...
  • Page 30 Figure 78 Object > Schedule > Add (Recurring) (139); Figure 79 Firewall > LAN to DMZ (139); Figure 80 Firewall > LAN to DMZ > Add (140); Figure 81 Firewall > Add (140)
  • Page 31 Figure 121 Licensing > Update > System Protect (177); Figure 122 Downloading System Protect Signatures (178); Figure 123 Successful System Protect Signature Download (178); Figure 124 Network > Interface > Interface Summary (184)
  • Page 32 Figure 163 Network > Routing > OSPF > Edit (258); Figure 164 Example: Zones (261); Figure 165 Network > Zone (263); Figure 166 Network > Zone > Edit (263); Figure 167 Network > DDNS (266)
  • Page 33 Figure 206 Firewall Example: Create a Service Object (311); Figure 207 Firewall Example: Edit a Firewall Rule (311); Figure 208 Firewall Example: MyService Example Rule in Summary (311); Figure 209 Using Virtual Interfaces to Avoid Asymmetrical Routes (312); Figure 210 Firewall (313)
  • Page 34 Figure 249 Logout: Connection Termination Progress (370); Figure 250 Application (371); Figure 251 File Sharing (374); Figure 252 File Sharing: Enter Access User Name and Password (374); Figure 253 File Sharing: Open a Word File (375)
  • Page 35 Figure 293 IP Security Policy: Request for Secure Communication (398); Figure 294 IP Security Policy: Completing the IP Security Policy Wizard (399); Figure 295 IP Security Policy Properties > Add (399); Figure 296 IP Security Policy Properties: Tunnel Endpoint (400)
  • Page 36 Figure 337 Anti-X > Anti-Virus > General > Add (444); Figure 338 Anti-X > Anti-Virus > Black/White List > Black List (446); Figure 339 Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add (447)
  • Page 37 Figure 378 myZyXEL.com: Welcome (521); Figure 379 myZyXEL.com: Service Management (522); Figure 380 Content Filter Reports Main Screen (522); Figure 381 Content Filter Reports: Report Home (523); Figure 382 Global Report Screen Example (524)
  • Page 38 Figure 422 Object > Schedule > Edit (One Time) (589); Figure 423 Object > Schedule > Edit (Recurring) (590); Figure 424 Example: Directory Service Client and Server (593); Figure 425 RADIUS Server Network Example (594)
  • Page 39 Figure 464 System > Service Control Rule > Edit (654); Figure 465 System > WWW > Login Page (655); Figure 466 Login Page Customization (656); Figure 467 Access Page Customization (656); Figure 468 Security Alert Dialog Box (Internet Explorer) (658)
  • Page 40 Figure 509 Maintenance > Log > Log Setting (694); Figure 510 Maintenance > Log > Log Setting > Edit (System Log) (696); Figure 511 Maintenance > Log > Log Setting > Edit (Remote Server) (698)
  • Page 41 Figure 550 Internet Explorer 7: Open File - Security Warning (805); Figure 551 Internet Explorer 7: Tools Menu (806); Figure 552 Internet Explorer 7: Internet Options (806); Figure 553 Internet Explorer 7: Certificates (807); Figure 554 Internet Explorer 7: Certificates (807)
  • Page 42 Figure 580 Konqueror 3.5: Public Key Certificate File (820); Figure 581 Konqueror 3.5: Certificate Import Result (820); Figure 582 Konqueror 3.5: Kleopatra (820); Figure 583 Konqueror 3.5: Settings Menu (821); Figure 584 Konqueror 3.5: Configure (821)
  • Page 43: List Of Tables

    Table 34 User-aware Access Control Example (134); Table 35 Status (154); Table 36 Status > CPU Usage (158); Table 37 Status > Memory Usage (159); Table 38 Status > Session Usage (160)
  • Page 44 Table 78 Network > Routing > Static Route (246); Table 79 Network > Routing > Static Route > Add (247); Table 80 RIP vs. OSPF (251); Table 81 Network > Routing Protocol > RIP (252)
  • Page 45 Table 121 VPN > SSL VPN > Access Privilege (358); Table 122 VPN > SSL VPN > Access Privilege > Add/Edit (359); Table 123 VPN > SSL VPN > Connection Monitor (361); Table 124 VPN > SSL VPN > Global Setting (362)
  • Page 46 Table 164 ADP > Profile > Protocol Anomaly (490); Table 165 HTTP Inspection and TCP/UDP/ICMP Decoders (494); Table 166 Anti-X > Content Filter > General (499); Table 167 Anti-X > Content Filter > General > Add (501)
  • Page 47 Table 208 Object > AAA Server > Active Directory (or LDAP) > Group > Add (599); Table 209 Object > AAA Server > RADIUS > Default (600); Table 210 Object > AAA Server > RADIUS > Group (601)
  • Page 48 Table 251 Maintenance > Log > Log Setting (695); Table 252 Maintenance > Log > Log Setting > Edit (System Log) (696); Table 253 Maintenance > Log > Log Setting > Edit (Remote Server) (698)
  • Page 49 Table 291 NAT Logs (776); Table 292 PKI Logs (777); Table 293 Interface Logs (780); Table 294 WLAN Logs (784); Table 295 Account Logs (785); Table 296 Port Grouping Logs (785)
  • Page 50 Table 297 Force Authentication Logs (786); Table 298 File Manager Logs (786); Table 299 DHCP Logs (786); Table 300 E-mail Daily Report Logs (787); Table 301 IP-MAC Binding Logs (787); Table 302 Commonly Used Services (789)
  • Page 51: Getting Started

    Getting Started: Introducing the ZyWALL (53); Features and Applications (57); Web Configurator (65); Configuration Basics (107); Tutorials (123); Status (153); Registration (167); Signature Update (173)
  • Page 53: Introducing The ZyWALL

    The Ethernet management interface can only be accessed from the LAN side by default. The default LAN IP address is 192.168.1.1; the default administrator login user name and password are “admin” and “1234” respectively. 1.2 Front Panel. Figure 1 ZyWALL 1050 Front Panel.
  • Page 54: Front Panel LEDs

    1.3 Management Overview. You can use the following ways to manage the ZyWALL. Web Configurator: The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
  • Page 55: Starting And Stopping The ZyWALL

    The ZyWALL writes all cached data to the local storage, reboot stops the system processes, and then does a warm start. Using the RESET button: If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots.
  • Page 56 When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the ZyWALL is applying configuration files or running shell scripts.
  • Page 57: Features And Applications

    The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 58 The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 59: Packet Flow

    2.2.1 Interface to Interface (Through ZyWALL): Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> FW -> IDP -> AP -> CF -> AV -> AS -> SNAT -> BWM -> Encap -> VLAN -> Ethernet
  • Page 60: Interface To Interface (To/From ZyWALL)

    2.3.1 VPN Connectivity: Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.
  • Page 61: SSL VPN Network Access

    URL. You do not have to install additional client software on the remote user computers for access. Figure 4 Network Access Mode: Reverse Proxy [figure labels: LAN (192.168.1.X), https://, Web Mail, File Share, Web-based Application]
  • Page 62: User-Aware Access Control

    [figure labels: Application, Non-Web Server] 2.3.3 User-Aware Access Control: Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 6 Applications: User-Aware Access Control
  • Page 63: Multiple WAN Interfaces

    In either case, you can balance the loads between them. Figure 7 Applications: Multiple WAN Interfaces. 2.3.5 Device HA: Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 8 Applications: Device HA
  • Page 64 Chapter 2 Features and Applications
  • Page 65: Web Configurator

    2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. Figure 9 Login Screen
  • Page 66: Figure 10 Update Admin Info Screen

    If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen (Figure 9 on page 65) appears after you click Apply. If you click Ignore, the main screen appears.
  • Page 67: Web Configurator Main Screen

    Icon / Description. Help: Click this icon to open the help page for the current screen. Wizards: Click this icon to open one of the Web Configurator wizards. See Chapter 4 on page 75 for more information.
  • Page 68: Navigation Panel

    Use this screen to create and manage bridges and virtual bridge interfaces. Auxiliary: Use this screen to manage the AUX port. Trunk: Use this screen to create and manage trunks for load balancing and link HA.
  • Page 69 Use this screen to configure the ZyWALL’s SSL VPN settings that apply to all connections. L2TP VPN > L2TP VPN: Use this screen to configure L2TP Over IPSec VPN settings. Session Monitor: Use this screen to monitor current L2TP Over IPSec VPN sessions.
  • Page 70 Use these screens to configure (the new) active-passive mode device HA. Legacy Mode: Use these screens to use legacy mode device HA with other ZyWALLs that already have device HA set up using a firmware version earlier than 2.10. Object
  • Page 71 ZyWALL. TELNET: Use this screen to configure the telnet server settings for the ZyWALL. FTP: Use this screen to configure the FTP server settings for the ZyWALL. SNMP: Use this screen to configure SNMP communities and services.
  • Page 72: Main Window

    Status screen. 3.3.4 Message Bar: The message bar displays configuration status information. Check the message bar after you click Apply or OK to verify that the configuration has been updated. Figure 12 Message Bar
  • Page 73: Figure 13 Warning Messages

    Click Clear Warning Messages to remove the current warning messages from the window. 3.3.4.2 CLI Messages: Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following. Figure 14 CLI Messages
  • Page 74 Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the Web Configurator generated to enable it. Close the popup window when you are done with it. See the Command Reference Guide for information about the commands.
  • Page 75: Wizard Setup

    (see Load Balancing Algorithms on page 232 for more on load balancing). This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. This wizard also creates a WAN trunk.
  • Page 76: Installation Setup, One ISP

    The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Enter the Internet access information exactly as your ISP gave it to you.
  • Page 77: Ethernet: Auto IP Address Assignment

    Click Back to return to the previous screen. Next: Click Next to continue. 4.2.1 Ethernet: Auto IP Address Assignment: If you select Auto as the IP Address Assignment in the previous screen, the following screen displays. Click Next to apply the configuration settings.
  • Page 78: Ethernet: Static IP Address Assignment

    89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.2.2 Ethernet: Static IP Address Assignment: If you select Static as the IP Address Assignment, the following screen displays.
  • Page 79: Figure 18 Ethernet Encapsulation: Static

    The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Enter the DNS server IP addresses. Back: Click Back to return to the previous screen. Next: Click Next to continue. The ZyWALL applies the configuration settings.
  • Page 80: PPP Over Ethernet: Auto IP Address Assignment

    Alternatively, click Close to exit the wizard. 4.2.3 PPP Over Ethernet: Auto IP Address Assignment: If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next.
  • Page 81: Figure 20 PPPoE Encapsulation: Auto

    This field displays to which security zone this interface and Internet connection will belong. IP Address: The ISP will assign your WAN IP address automatically. Back: Click Back to return to the previous screen. Next: Click Next to continue. The ZyWALL applies the configuration settings.
  • Page 82: PPP Over Ethernet: Static IP Address Assignment

    89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.2.4 PPP Over Ethernet: Static IP Address Assignment: If you select Static as the IP Address Assignment, the following screen displays.
  • Page 83: Figure 22 PPPoE Encapsulation: Static

    The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
  • Page 84: PPTP: Auto IP Address Assignment

    89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard. 4.2.5 PPTP: Auto IP Address Assignment: If you select Auto as the IP Address Assignment in the previous screen, the following screen displays.
  • Page 85: Figure 24 PPTP Encapsulation: Auto

    "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_ characters, and it can be up to 31 characters long.
  • Page 86: Figure 25 PPTP Encapsulation: Auto: Finish

    You have set up your ZyWALL to access the Internet. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
  • Page 87: PPTP: Static IP Address Assignment

    Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?. Retype to Confirm: Type your password again for confirmation. Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
  • Page 88 DNS server, you must know the IP address of a machine in order to access it. Back: Click Back to return to the previous screen. Next: Click Next to continue. The ZyWALL applies the configuration settings.
  • Page 89: Internet Access - Finish

    4.3 Device Registration: Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so. You must be connected to the Internet to register.
  • Page 90: Figure 28 Registration

    Enter the password again for confirmation. E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. Country Code: Select your country from the drop-down box list.
  • Page 91: Installation Setup, Two Internet Service Providers

    Internet Service Providers (ISPs) or two different accounts with the same ISP. The configuration of the following screens is explained in Section 4.2 on page 76. Configure the First WAN Interface and click Next.
  • Page 92: Figure 30 Internet Access: Step 1: First WAN Interface

    After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. Figure 31 Internet Access: Step 3: Second WAN Interface. After you configure the Second WAN Interface, a summary of the configuration settings displays for both WAN interfaces.
  • Page 93: Internet Access Wizard Setup Complete

    Well done! You have successfully set up your ZyWALL to access the Internet. 4.5 VPN Setup: The VPN wizard creates corresponding VPN connection and VPN gateway settings, a policy route and address objects that you can use later in configuring more VPN connections or other features.
  • Page 94: Vpn Wizards

    Use the Express wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings. Use the Advanced wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec devices. ZyWALL 1050 User’s Guide...
  • Page 95: Vpn Express Wizard

    Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) Access (Client and can initiate the VPN tunnel. Role) Back Click Back to return to the previous screen. Next Click Next to continue. ZyWALL 1050 User’s Guide...
  • Page 96: Figure 35 Vpn Express Wizard: Step 3

    IPSec router's configured local IP address (the local IP address of the other ZyWALL). To specify IP addresses on a network by their subnet mask, type the subnet mask of the LAN behind the remote gateway. ZyWALL 1050 User’s Guide...
  • Page 97: Figure 36 Vpn Express Wizard: Step 4

    Local Policy This is a (static) IP address and Subnet Mask on the LAN behind your ZyWALL. Remote This is a (static) IP address and Subnet Mask on the network behind the remote Policy IPSec router. If this field displays Any, only the remote IPSec router can initiate the VPN connection. ZyWALL 1050 User’s Guide...
  • Page 98: Figure 37 Vpn Express Wizard: Step 6

    Figure 37 VPN Express Wizard: Step 6 If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ZyWALL 1050 User’s Guide...
  • Page 99: Vpn Advanced Wizard

    Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) Access (Client and can initiate the VPN tunnel. Role) Back Click Back to return to the previous screen. Next Click Next to continue. ZyWALL 1050 User’s Guide...
  • Page 100: Figure 39 Vpn Advanced Wizard: Step 3

    Select Main for identity protection. Select Aggressive to allow more incoming Mode connections from dynamic IP addresses to use separate passwords. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode. ZyWALL 1050 User’s Guide...
  • Page 101: Table 19 Vpn Advanced Wizard: Step 3

    ZyWALL's list of certificates. Back Click Back to return to the previous screen. Next Click Next to continue. Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. ZyWALL 1050 User’s Guide...
  • Page 102: Figure 40 Vpn Advanced Wizard: Step 4

    AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key. Select Null to have no encryption. ZyWALL 1050 User’s Guide...
  • Page 103: Table 20 Vpn Advanced Wizard: Step 4

    Click Back to return to the previous screen. Next Click Next to continue. This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. ZyWALL 1050 User’s Guide...
  • Page 104: Figure 41 Vpn Advanced Wizard: Step 5

    VPN connection. See the commands reference guide for details on the commands displayed in this list. Back Click Back to return to the previous screen. Save Click Save to store the VPN settings on your ZyWALL. ZyWALL 1050 User’s Guide...
  • Page 105: Vpn Advanced Wizard - Finish

    Now you can use the VPN tunnel. Figure 42 VPN Wizard: Step 6: Advanced If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Click Close to exit the wizard. ZyWALL 1050 User’s Guide...
  • Page 106 Chapter 4 Wizard Setup ZyWALL 1050 User’s Guide...
  • Page 107: Configuration Basics

    If you are in a screen that uses objects, you can also usually select Create Object to open a screen where you can configure a new object. For a list of common objects, see Section 5.5 on page 118.
  • Page 108: Zones, Interfaces, And Physical Ports

    • Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
  • Page 109: Default Interface And Zone Configuration

    IP addresses to connect to the Internet. • The DMZ zone contains the ge4 and ge5 interfaces (physical ports 4 and 5). The DMZ zone has servers that are available to the public. These interfaces use 192.168.2.1 and 192.168.3.1.
  • Page 110: Terminology In The ZyWALL

    MENU ITEM(S): This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen.
  • Page 111: Interface

    WHERE USED: redirect, virtual server, application patrol. Example: Interface ge1 is in the LAN zone and uses a private IP address. To configure ge1’s settings, click Network > Interface > Ethernet and then ge1’s Edit icon.
  • Page 112: Trunks

    NAT, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall. WHERE USED: The IPSec VPN connection used for L2TP VPN can be used in policy routes and zones. Example: See Chapter 27 on page 383.
  • Page 113: Zones

    PREREQUISITES: Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups. Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks, interfaces. NAT: addresses (translated address), services and service groups (port triggering).
  • Page 114: Static Routes

    ZyWALL. The ZyWALL drops packets from the WAN or DMZ zone to the ZyWALL itself, except for Device HA and VPN traffic. MENU ITEM(S): Firewall. PREREQUISITES: Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups.
  • Page 115: Application Patrol

    With this example, Bob would have to log in using his account. If you do not want him to have to log in, you might create an exception policy with Bob’s computer IP address as the source.
  • Page 116: Anti-Virus

    7 Select the Arts/Entertainment category (you need to click Advanced to display it). 8 Click OK. 9 Click General to go to the content filter general configuration screen. 10 Enable the content filter.
  • Page 117: Anti-Spam

    MENU ITEM(S): Network > HTTP Redirect. PREREQUISITES: Interfaces. Example: Suppose you want HTTP requests from your LAN to go to an HTTP proxy server at IP address 192.168.3.80. 1 Click Network > HTTP Redirect. 2 Add an entry.
  • Page 118: ALG

    Policy routes (criteria), firewall, application patrol, content filter, user settings (force user authentication). AAA server: authentication methods. Authentication methods: VPN gateways (extended authentication), WWW (client authentication), L2TP. Certificates: VPN gateways, WWW, SSH, FTP. SSL application: SSL VPN.
  • Page 119: User/Group

    1 Create an administrator account (User/Group). 2 Create an address object for the administrator’s computer (Object > Address). 3 Click System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry.
  • Page 120: File Manager

    It also provides statistical reports to track user activity, web site hits, virus traffic and intrusions and can e-mail them to you on a daily basis. MENU ITEM(S): Maintenance > Log, Report
  • Page 121: Diagnostics

    5.6.6 Diagnostics The ZyWALL can generate a file containing the ZyWALL’s configuration and diagnostic information. MENU ITEM(S): Maintenance > Diagnostics
  • Page 122 Chapter 5 Configuration Basics
  • Page 123: Tutorials

    6.1.1 Set up Port Grouping This example creates a port group in ge1 by adding physical port 2 to representative interface ge1. There are no existing port groups. 1 Click Network > Interface > Port Grouping. The following screen appears.
  • Page 124: Figure 45 Network > Interface > Port Grouping, Initial

    4 Click Status, and look at the Interface Status Summary, shown below. Ethernet interface ge1 has a status of Port Group Up, and Ethernet interface ge2 is disabled and has a Status of Port Group Inactive.
  • Page 125: Set Up Ethernet Interfaces

    1 Click Network > Interface > Ethernet. The following screen appears. Figure 48 Network > Interface > Ethernet, Initial 2 Click the Edit icon for ge4, as shown above, and set up the IP address as shown below.
  • Page 126: Figure 49 Network > Interface > Ethernet > ge4

    Figure 51 Network > Interface > Ethernet > ge5 > DHCP Setting 5 Use the default values for the rest of the settings. Click Apply to save these changes and return to the previous screen. 6 Click Status and look at the Interface Status Summary, shown below.
  • Page 127: WAN Trunk

    3 Click the Member icon, as shown above. Select ge2 and click the left arrow to remove it from the member list. Do the same for aux. Select ge4 and click the right arrow to add it to the member list. Then click OK.
  • Page 128: Zones

    1 Click Network > Zone. The following screen appears. Figure 56 Network > Zone, Initial 2 Click the Edit icon for DMZ, as shown above, because you have to remove ge4 from the DMZ before you can add it to the WAN.
  • Page 129: Figure 57 Network > Zone > DMZ, Remove ge4

    5 Select IFACE/ge4 and click the right arrow to add ge4 to the Member list. Click OK to save these changes and return to the previous screen. 6 Click Status and look at the Interface Status Summary, shown below. Figure 59 Status: Interface Status Summary After Zone Edits
  • Page 130: IPSec VPN

    Property section, select ge4 in the Interface field, and enter 220.123.143.10 in the first Secure Gateway Address field. In the Authentication Method section, the pre-shared key is 12345678, and the routers are using each other’s IP addresses for authentication. Click OK.
  • Page 131: Set Up The VPN Connection

    130) in the VPN Gateway section. Use the default proposal settings in this example--ESP, Tunnel encapsulation, DES encryption, and SHA1 authentication--so do not change these settings. In the Policy section, select the address objects for the local and remote networks. Click OK.
  • Page 132: Set Up The Policy Route For The VPN Tunnel

    2 Configure the policy route as shown next. This policy route applies to traffic from ge1. The source address and destination address must be the same ones represented by the address objects that you used in the VPN connection. The next-hop is the VPN connection that you created. Click OK.
  • Page 133: Set Up The Zone For The VPN Tunnel

    ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). You did not enable NAT traversal, so you do not have to configure the firewalls to allow UDP port 4500.
  • Page 134: How To Configure User-Aware Access Control

    3 Repeat this process to set up the remaining user accounts. 6.3.2 Set Up User Groups Set up the user groups and assign the users to the user groups. 1 Click Object > User/Group > Group. Click the Add icon.
  • Page 135: Set Up User Authentication Using The RADIUS Server

    2 Click Object > Auth. method. Click the Add icon. 3 Give the new authentication method object a descriptive name, and click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for authentication. Click OK.
  • Page 136: Set Up Web Surfing Policies With Bandwidth Restrictions

    Use application patrol (AppPatrol) to enforce the web surfing and MSN policies. You must have already subscribed to the application patrol service. You can subscribe using the Licensing > Registration screens or using one of the wizards.
  • Page 137: Figure 73 AppPatrol > General

    3 Click the Default policy’s Edit icon. Figure 75 AppPatrol > Common > http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK.
  • Page 138: Set Up MSN Policies

    1 Click Object > Schedule. Click the Add icon for recurring schedules. 2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK.
  • Page 139: Set Up Firewall Rules

    The default rule for LAN-to-DMZ traffic allows all traffic. You want to limit access to specific groups, so change the default rule first. Click the Add icon next to it. Figure 79 Firewall > LAN to DMZ 2 Set the Access field to deny, and click OK.
  • Page 140: How To Configure Service Control

    If you configure service control to allow management or user HTTP or HTTPS access, make sure the firewall is not configured to block that access. 6.4.1 Allow HTTPS Administrator Access Only From the LAN This example configures service control to block administrator HTTPS access from all zones except the LAN.
  • Page 141: Figure 82 System > WWW

    2 In HTTPS Admin Service Control, click the Add icon. Figure 82 System > WWW 3 In the Zone field select LAN and click OK. Figure 83 System > WWW > Service Control Rule Edit 4 Click the new rule’s Add icon.
  • Page 142: Figure 84 System > WWW (First Example Admin Service Rule Configured)

    Figure 84 System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny. Click OK. Figure 85 System > WWW > Service Control Rule Edit 6 Click Apply.
  • Page 143: How To Allow Incoming H.323 Peer-To-Peer Calls

    (port forwarding) and firewall rules to have the ZyWALL forward H.323 traffic destined for ge2 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP address 192.168.1.56. Figure 87 WAN to LAN H.323 Peer-to-peer Calls Example
  • Page 144: Turn On The ALG

    1 Use Object > Address > Add to create address objects for the private and public IP addresses (WAN_IP-for-H323 and LAN_H323) as shown next. Figure 89 Create Address Objects 2 Click Network > Virtual Server > Add. 3 Configure the screen as follows and click OK.
  • Page 145: Set Up A Firewall Rule For H.323

    Figure 91 Firewall: WAN to LAN 3 Configure the screen as follows and click OK. LAN_H323 is the destination because the ZyWALL applies the virtual server to traffic before applying the firewall rule.
  • Page 146: How To Use Active-Passive Device HA

    Each ZyWALL’s ge1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup. ZyWALL A’s management IP address is 192.168.1.3 and ZyWALL B’s is 192.168.1.5.
  • Page 147: Before You Start

    3 Set the Device Role to Master. This example focuses on the connection from the LAN (ge1) to the Internet through the ge2 interface, so turn on monitoring for the ge1 and ge2 interfaces. Enter a Synchronization Password (“mySyncPassword” in this example) and click Apply.
  • Page 148: Configure The Backup ZyWALL

    167 for more on the subscription services. 2 In ZyWALL B click Device HA > Active-Passive Mode. Click ge1’s Edit icon. 3 Configure 192.168.1.5 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK.
  • Page 149: Figure 98 Device HA > Active-Passive Mode > Edit: Backup ZyWALL Example

    Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Select Auto Synchronize and set the Interval to 60. Click Apply. Figure 99 Device HA > Active-Passive Mode: Backup ZyWALL Example 5 Click the General tab. Turn on device HA and click Apply.
  • Page 150: Deploy The Backup ZyWALL

    Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge3 interface and map it to the HTTP server’s private IP address of 192.168.3.7. Figure 101 Public Server Example Network Topology
  • Page 151: Create The Address Objects

    NAT 1:1 Example on page 276 for details. • Select Add corresponding Policy Route rule for NAT Loopback to allow local users to use a domain name to access the HTTP server. See NAT Loopback Example on page 280 for details.
  • Page 152: Figure 104 Creating The Virtual Server

    Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the web server.
  • Page 153: Status

    163) to look at a line graph of packet statistics for each physical port. • Use the Current Users screen (see Section 7.2.8 on page 165) to look at a list of the users currently logged into the ZyWALL.
  • Page 154: The Status Screen

    MAC address is assigned to physical port 2, and so on. Firmware Version: This field displays the version number and date of the firmware the ZyWALL is currently running. Click the icon to open the screen where you can upload firmware. See Section 46.3 on page 687.
  • Page 155 IP address, this field displays n/a. Click the Disconnect icon to stop a PPPoE/PPTP or auxiliary interface’s connection. Extension Slot: This section of the screen displays the status of the extension card slot and the USB ports.
  • Page 156: Figure 105 Status

    168. Signature Version: This field displays the version number, date, and time of the current set of signatures the ZyWALL is using. Last Update Time: This field displays the last time the ZyWALL received updated signatures.
  • Page 157 The number in brackets indicates how many times the signature has been matched. Click the hyperlink for more detailed information on the intrusion. Virus Detected: This is the name of the virus that the ZyWALL has detected.
  • Page 158: The CPU Usage Screen

    The x-axis shows the time period over which the CPU usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 159: The Memory Usage Screen

    The x-axis shows the time period over which the RAM usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 160: The Session Usage Screen

    The x-axis shows the time period over which the session usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 161: The VPN Status Screen

    Set Interval: Click this to set the Poll Interval the screen uses. Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
  • Page 162: The DHCP Table Screen

    Apply. To remove a static DHCP entry, clear this field, and then click Apply. Apply: Click this to save your settings to the ZyWALL. Refresh: Click this to update the screen immediately.
  • Page 163: The Port Statistics Screen

    Set Interval: Click this to set the Poll Interval the screen uses. Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
  • Page 164: The Port Statistics Graph Screen

    This field displays how long the ZyWALL has been running since it last restarted or was turned on. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away.
  • Page 165: The Current Users Screen

    This field displays the way the user logged in to the ZyWALL. IP address: This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout: Click this icon to end a user’s session.
  • Page 166 Chapter 7 Status
  • Page 167: Registration

    ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s online help for details. To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
  • Page 168: The Registration Screen

    Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Licensing > Registration in the navigation panel to open the screen as shown next. Figure 114 Licensing > Registration
  • Page 169: Table 44 Licensing > Registration

    You can have the ZyWALL block, block and/or log access to web sites based on these categories. Apply: Click Apply to save your changes back to the ZyWALL.
  • Page 170: The Service Screen

    PIN number (license key) in this screen. Click Licensing > Registration > Service to open the screen as shown next. Figure 116 Licensing > Registration > Service
  • Page 171: Table 45 Licensing > Registration > Service

    (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the registration status and expiration day).
  • Page 172 Chapter 8 Registration
  • Page 173: Signature Update

    • Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. • Your custom signature configurations are not overwritten when you download new signatures. The ZyWALL does not have to reboot when you upload new signatures.
  • Page 174: The Antivirus Update Screen

    Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interruption. Hourly: Select this option to have the ZyWALL check for new signatures every hour.
  • Page 175: The IDP/AppPatrol Update Screen

    Information: The following fields display information on the current signature set that the ZyWALL is using. Current Version: This field displays the IDP signature and anomaly rule set version number. This number gets larger as the set is enhanced.
  • Page 176: Figure 119 Downloading IDP Signatures

    Apply: Click this button to save your changes to the ZyWALL. Reset: Click this button to return the screen to its last-saved settings. Figure 119 Downloading IDP Signatures Figure 120 Successful IDP Signature Download
  • Page 177: The System Protect Update Screen

    Select this option to have the ZyWALL check for new signatures every hour. Daily: Select this option to have the ZyWALL check for new signatures every day at the specified time. The time format is the 24 hour clock, so ‘23’ means 11PM for example.
  • Page 178: Figure 122 Downloading System Protect Signatures

    Apply: Click this button to save your changes to the ZyWALL. Reset: Click this button to return the screen to its last-saved settings. Figure 122 Downloading System Protect Signatures Figure 123 Successful System Protect Signature Download
  • Page 179: Network

    Network: Interface (181), Trunks (231), Policy and Static Routes (239), Routing Protocols (251), Zones (261), DDNS (265), Virtual Servers (271), HTTP Redirect (285), ALG (289), IP/MAC Binding (297)
  • Page 181: Interface

    Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunks screens (Chapter 11 on page 231) to configure load balancing.
  • Page 182: What You Need To Know About Interfaces

    PPTP, and virtual--have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below. Table 48 Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interfaces Characteristics. Columns: CHARACTERISTICS, ETHERNET, VLAN, BRIDGE, PPPOE/PPTP, VIRTUAL, CELLULAR. Name*: vlanx (VLAN), pppx (PPPoE/PPTP), cellularx (cellular). IP Address Assignment
  • Page 183: Table 49 Relationships Between Different Types Of Interfaces

    VLAN interface* (virtual bridge interface) bridge interface trunk Ethernet interface VLAN interface bridge interface PPPoE/PPTP interface auxiliary interface * - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the...
  • Page 184: Interface Summary Screen

    This field displays the name of each interface. Click + or - in the heading cell to display or hide all virtual interfaces. Click a name’s + or - to display or hide the virtual interfaces on top of that interface.
  • Page 185 DHCP request to a DHCP server. Click the Connect icon to try to connect the auxiliary interface or a PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a.
  • Page 186: Port Grouping

    • There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security. • It can increase the bandwidth between the port group and other interfaces. In the example below, you might combine physical ports 3 and 4 into port group ge3.
  • Page 187: Figure 125 Port Grouping Example: Network

    There are no ports assigned to ge4. If you do not assign any physical ports to a representative interface, you cannot use this interface to create other interfaces or create IPSec VPN tunnels. The Ethernet interface is still displayed in the screen, however, and the existing configuration remains.
  • Page 188: Port Grouping Screen

    To add a physical port to a representative interface, drag the physical port onto the corresponding representative interface. Apply: Click this button to save your changes and apply them to the ZyWALL. Reset: Click this button to change the port groups to their current configuration (last-saved values).
  • Page 189: Ethernet Summary Screen

    To activate or deactivate an interface, click the Active icon next to it. Make sure you click Apply to save and apply the change. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 190: Ethernet Edit

    OSPF settings, DHCP settings, and ping check settings. To access this screen, click an Edit icon in the Ethernet Summary screen. (See Section 10.4 on page 189.) Figure 129 Network > Interface > Ethernet > Edit
  • Page 191: Table 53 Network > Interface > Ethernet > Edit

    Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
  • Page 192 If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
  • Page 193 This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information. Out-Only - This interface sends routing information.
  • Page 194 It will not change unless you change the setting or upload a different configuration file. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 195: The Static DHCP Screen

    This column lets you create and remove static DHCP entries. To add an entry, click the Add icon. To remove an entry, click its Remove icon. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 196: The PPP Interfaces Screen

    This field displays the name of the interface. Base Interface: This field displays the interface on the top of which the PPPoE/PPTP interface... Account Profile: This field displays the ISP account used by this PPPoE/PPTP interface.
  • Page 197 Dial-on-Demand PPPoE/PPTP interface. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 198: PPP Interface Edit Screen

    This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Edit icon in the PPP Interface screen. The PPP interface Edit > Configuration screen is shown here as an example. Figure 133 Network > Interface > PPP > Add > Configuration
  • Page 199: Table 56 Network > Interface > PPP > Edit > Configuration

    Allowed values are 0 - 1048576. Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
  • Page 200 Policy Route: Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface. Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 201: Cellular Configuration Screen (3G)

    High Data Rate (HDR). Multiple Access) as the air interface. 3.5G Packet- HSDPA (High-Speed Downlink Packet switched Access) is a mobile telephony protocol, used for UMTS-based 3G networks and allows for higher data Fast transfer speeds. ZyWALL 1050 User’s Guide...
  • Page 202: Figure 134 Network > Interface > Cellular

    To connect or disconnect an interface, click the Connect icon next to it. You might use this icon to test the interface or to manually establish the connection. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 1050 User’s Guide...
  • Page 203: Cellular Add/Edit Screen

    To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. Figure 135 Interface > Cellular > Add ZyWALL 1050 User’s Guide...
  • Page 204: Table 59 Interface > Cellular > Add

    Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: None: No authentication for outgoing calls. CHAP - Your ZyWALL accepts CHAP requests only. PAP - Your ZyWALL accepts PAP requests only. ZyWALL 1050 User’s Guide...
  • Page 205 Check Period Enter the number of seconds between connection check attempts. Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure. ZyWALL 1050 User’s Guide...
  • Page 206 3.5G network (respectively). You may want to do this if you want to make sure the interface does not use the GSM network. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL 1050 User’s Guide...
  • Page 207: Cellular Status Screen

    This field is a sequential value, and it is not associated with any interface. Extension Slot This field displays where the entry’s cellular card is located. Connected Device This field displays the model name of the cellular card. ZyWALL 1050 User’s Guide...
  • Page 208 This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station. More Info. This field displays other details about the 3G connection. ZyWALL 1050 User’s Guide...
  • Page 209: VLAN Interfaces

    • Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
  • Page 210: VLAN Interfaces Overview

    Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.
  • Page 211: VLAN Summary Screen

    To activate or deactivate an interface, click the Active icon next to it. Make sure you click Apply to save and apply the change. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 212: VLAN Add/Edit

    VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears. Figure 140 Network > Interface > VLAN > Edit
  • Page 213: Table 62 Network > Interface > VLAN > Edit

    Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
  • Page 214 If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
  • Page 215 Configure Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 216: Virtual Interfaces

    Table 63 Network > Interface > Add (LABEL / DESCRIPTION) Interface Properties Interface Name This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
  • Page 217: Bridge Interfaces

    This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. 10.11.1 Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.
  • Page 218: Bridge Interface Overview

    Table 66 Example: Routing Table Before and After Bridge Interface br0 Is Created IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION 210.210.210.0/24 221.221.221.0/24 vlan0 210.211.1.0/24 ge1:1 230.230.230.192/26 221.221.221.0/24 vlan0 241.241.241.241/32 222.222.222.0/24 vlan1 242.242.242.242/32 230.230.230.192/26 250.250.250.0/23
  • Page 219: Bridge Summary

    To activate or deactivate an interface, click the Active icon next to it. Make sure you click Apply to save and apply the change. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 220: Bridge Add/Edit

    To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears. Figure 143 Network > Interface > Bridge > Edit
  • Page 221: Table 68 Network > Interface > Bridge > Edit

    WAN TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing. Configure Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface.
  • Page 222 From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay.
  • Page 223 This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 224: Auxiliary Interface

    When the ZyWALL hangs up the call, it drops the Data Terminal Ready (DTR) signal and issues the command 10.12.2 Configuring the Auxiliary Interface Use the Auxiliary screen to configure the ZyWALL’s auxiliary interface. Click Network > Interface > Auxiliary to open it. Figure 144 Network > Interface > Auxiliary
  • Page 225: Table 69 Network > Interface > Auxiliary

    Set this field to zero to disable the idle timeout. Allowed values are 0 - 360. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 226: Interface Technical Reference

    200.200.200.100 on ge2. In this case, the ZyWALL creates the following entry in the routing table. Table 71 Example: Routing Table Entry for a Gateway: IP ADDRESS(ES) 0.0.0.0/0, DESTINATION 200.200.200.100
  • Page 227 It is possible for an interface to be a DHCP relay and a DHCP client simultaneously. As a DHCP server, the interface provides the following information to DHCP clients. At the time of writing, the ZyWALL does not support ingress bandwidth management.
  • Page 228: Table 72 Example: Assigning IP Addresses From A Pool

    Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages: • The access and authentication method works with existing systems, including RADIUS.
  • Page 229 1 The first one runs on TCP port 1723. It is used to start and manage the second one. 2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy to use, but you have to make sure that firewalls support both PPTP sessions.
  • Page 231: Trunks

    If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface. You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic.
  • Page 232: Figure 146 Link Sticking

    ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using. In the load balancing section, a session may refer to normal connection-oriented, UDP and SNMP2 traffic.
  • Page 233: Figure 147 Least Load First Example

    2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to ge2 for every session's traffic assigned to ge3. Figure 148 Weighted Round Robin Algorithm Example
  • Page 234: The Trunk Summary Screen

    11.2 The Trunk Summary Screen Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 150 Network > Interface > Trunk
  • Page 235: Configuring A Trunk

    Click this button to return the screen to its last-saved settings. 11.3 Configuring a Trunk Click Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Figure 151 Network > Interface > Trunk > Add
  • Page 236: Table 75 Network > Interface > Trunk > Add

    To move an interface to a different number in the list, click the Move icon next to it. In the field that appears, specify the number to which you want to move the interface.
  • Page 237: Trunk Technical Reference

    The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.
  • Page 239: Policy And Static Routes

    You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
  • Page 240: What You Can Do In The Policy And Static Route Screens

    Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 13 on page 251 for more on RIP and OSPF.
  • Page 241: Policy Route Screen

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 153 Network > Routing > Policy Route
  • Page 242: Table 76 Network > Routing > Policy Route

    The ordering of your rules is important as they are applied in order of their numbering. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 243: Policy Route Edit Screen

    If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the ZyWALL uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
  • Page 244 Note: You need to create a firewall rule to allow an incoming service before using a port triggering rule. This is the rule index number.
  • Page 245 Do not select this if you want to reserve bandwidth for traffic that does not match any of the policy routes. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 246: IP Static Route Screen

    Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 156 Network > Routing > Static Route > Add
  • Page 247: Policy Routing Technical Reference

    Port triggering allows the client computer to take turns using a service dynamically. Whenever a client computer’s packets match the routing policy, it can use the pre-defined port triggering setting to connect to the remote server without manually configuring a port forwarding rule for each client computer.
  • Page 248: Figure 157 Trigger Port Forwarding Example

    (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority levels. When only one policy route requires more bandwidth, the ZyWALL gives the extra bandwidth to that policy route.
  • Page 249 (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
  • Page 251: Routing Protocols

    RIP / OSPF comparison (continued): Small (with up to 15 routers) / Large. Metric: Hop count / Bandwidth, hop count, throughput, round trip time and reliability. Convergence: Slow / Fast. Finding Out More Section 13.4 on page 259 for background information on routing protocols.
  • Page 252: The RIP Screen

    The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long. This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.
  • Page 253: The OSPF Screen

    IP address. There are several types of areas. • The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
  • Page 254: Figure 159 OSPF: Types of Areas

    Each type is really just a different role, and it is possible for one router to play multiple roles at one time. • An internal router (IR) only exchanges routing information with other routers in the same area.
  • Page 255: Figure 160 OSPF: Types of Routers

    In some OSPF autonomous systems (AS), it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.
  • Page 256: Configuring the OSPF Screen

    In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. Click Network > Routing > OSPF to open the following screen. Figure 162 Network > Routing > OSPF
  • Page 257: Table 83 Network > Routing Protocol > OSPF

    To delete an area, click on the Remove icon next to the area. The Web Configurator confirms that you want to delete the area before doing so. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
  • Page 258: OSPF Area Add/Edit Screen

    (that does not have a direct connection to the backbone) to the backbone. You should set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone.
  • Page 259: Routing Protocol Technical Reference

    MD5 is an authentication method that produces a 128-bit checksum, called a message-digest, for each packet. It also includes an authentication ID, which can be set to any value between 1 and 255. The ZyWALL only accepts packets if these conditions are satisfied.
  • Page 260 Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
  • Page 261: Zones

    Virtual interfaces are automatically assigned to the same zone as the interface on which they run. Figure 164 Example: Zones 14.1.1 What You Can Do in the Zones Screens Use the Zone screens (see Section 14.2 on page 263) to view, add, and edit the ZyWALL’s zones.
  • Page 262: What You Need To Know About Zones

    • Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information. Finding Out More Section 5.4.7 on page 113 for related information on these screens.
  • Page 263: The Zone Screen

    The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see Section 14.2 on page 263), and click either the Add icon or an Edit icon. Figure 166 Network > Zone > Edit
  • Page 264: Table 86 Network > Zone > Edit

    Select any interfaces that you want to add to the zone you are editing, and click the right arrow button to add them. Member lists the interfaces that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
  • Page 265: DDNS

    DDNS service providers and the service types supported: DynDNS - Dynamic DNS, Static DNS, and Custom DNS (www.dyndns.com); Dynu - Basic, Premium (www.dynu.com); No-IP - No-IP (www.no-ip.com); Peanut Hull - Peanut Hull (www.oray.cn); 3322 - 3322 Dynamic DNS, 3322 Static DNS (www.3322.org).
  • Page 266: The DDNS Screen

    - The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. custom - The IP address is static.
  • Page 267: The Dynamic DNS Add/Edit Screen

    The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Network > DDNS and then an Add or Edit icon to open this screen. Figure 168 Network > DDNS > Add
  • Page 268: Table 89 Network > DDNS > Add

    Interface Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.
  • Page 269 Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 270: The DDNS Status Screen

    Click this to have the ZyWALL update the profile to the DDNS server. The ZyWALL attempts to resolve the IP address for the domain name. Refresh Click this to update the information displayed in the screen.
  • Page 271: Virtual Servers

    16.1.2 What You Need to Know About Virtual Servers Virtual server is also known as port forwarding or port translation. The virtual server changes the destination address of packets. This is also known as Destination NAT (DNAT).
  • Page 272: The Virtual Server Screen

    This field displays the new destination IP address for the packet. Protocol This field displays the service used by the packets for this virtual server. It displays any if there is no restriction on the services.
  • Page 273: The Virtual Server Add/Edit Screen

    Type in the name of the virtual server. The name is used to refer to the virtual server. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 274 Mapped Start Port This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this virtual server forwards the packet.
  • Page 275 Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to return to the Virtual Server summary screen without creating the virtual server (if it is new) or saving any changes (if it already exists).
  • Page 276: NAT 1:1 and NAT Loopback Examples

    1:1 NAT mapping from the public IP address to the server’s private one. The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone. Figure 173 NAT 1:1 Example Network Topology (ge2: 1.1.1.1; SMTP server: 192.168.1.21)
  • Page 277: Figure 174 Create Address Objects

    SMTP server also uses port 25, so the Mapped Port is set to 25. The following sections describe how to manually configure corresponding policy routes for NAT 1:1 mapping and loopback so the options to have the ZyWALL automatically create them are not selected here.
  • Page 278: Figure 176 Create A Virtual Server

    ZyWALL’s ge1 interface. It changes the source address from 192.168.1.21 to 1.1.1.1. This is also called Source NAT (SNAT). It sends the traffic out through the ge3 interface. Figure 177 NAT 1:1 Example Policy Route
  • Page 279: Figure 178 Create A Policy Route

    Create a firewall rule to allow access from the WAN zone to the mail server in the LAN zone. Be careful of where you create the rule as firewall rules are ordered in descending priority. Figure 179 Create a Firewall Rule
  • Page 280: Figure 180 LAN Computer Queries the DNS Server

    A LAN user computer at IP address 192.168.1.89 queries the domain name (xxx.LAN-SMTP.com in this example) from a public DNS server and gets the SMTP server’s 1:1 NAT mapped public IP address of 1.1.1.1.
  • Page 281: Figure 181 NAT Loopback Virtual Server

    IP address 1.1.1.1 and coming in on WAN2 to the SMTP server (IP address 192.168.1.21). In this example the SMTP server also uses port 25, so the Mapped Port is set to 25. Figure 182 Create a Virtual Server
  • Page 282: Figure 183 Triangle Route

    LAN SMTP server replies to the ZyWALL and the ZyWALL applies NAT. Figure 184 NAT Loopback Policy Route Even if the packets go through the ZyWALL, they only undergo layer 2 switching, not NAT.
  • Page 283: Figure 185 Create A Policy Route

    1.1.1.1 before sending it to the LAN user’s computer. The source in the return traffic matches the original destination address (1.1.1.1) and the LAN user can use the LAN SMTP server. Figure 186 NAT Loopback Successful
  • Page 285: HTTP Redirect

    A then forwards the response to the client. Figure 187 HTTP Redirect Example 17.1.1 What You Can Do in the HTTP Redirect Screens Use the HTTP Redirect screens (see Section 17.2 on page 287) to display and edit the HTTP redirect rules.
  • Page 286: What You Need To Know About HTTP Redirect

    • an application patrol rule to allow HTTP traffic between ge4 and ge2. • a policy route to forward HTTP traffic from proxy server A to the Internet. Finding Out More Section 5.4.20 on page 117 for related information on these screens.
  • Page 287: The HTTP Redirect Screen

    Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 288: The HTTP Redirect Edit Screen

    Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 289: ALG

    The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server. Figure 190 SIP ALG Example The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL’s NAT.
  • Page 290: What You Can Do in the ALG Screen

    • The SIP ALG handles SIP calls that go through NAT or that the ZyWALL routes. You can also make other SIP calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet.
  • Page 291: Figure 192 VoIP Calls from the WAN with Multiple Outgoing Calls

    2. Even though only LAN IP address A can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet. Figure 192 VoIP Calls from the WAN with Multiple Outgoing Calls
  • Page 292: Before You Begin

    ALG for peer-to-peer H.323 traffic. • See Section 18.3 on page 294 for ALG background/technical information. 18.1.3 Before You Begin Configure and enable NAT in the ZyWALL before you use the ALG.
  • Page 293: The ALG Screen

    If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout, the ZyWALL deletes the signaling session after the timeout period. Enter the SIP signaling session timeout value (1~86400).
  • Page 294: ALG Technical Reference

    ZyWALL translates the device’s private IP address inside the data stream to a public IP address. It also records session port numbers and allows the related sessions to go through the firewall so the application’s traffic can come in from the WAN to the LAN.
  • Page 295 When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 297: IP/MAC Binding

    300) to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. • The Monitor screen (Section 19.4 on page 301) lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled.
  • Page 298: What You Need To Know About IP/MAC Binding

    Apply to save and apply the change. Click the Edit icon to go to the screen where you can edit an interface’s IP/MAC binding settings. Apply Click Apply to save your changes back to the ZyWALL.
  • Page 299: IP/MAC Binding Edit

    Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 300: Static DHCP Edit

    Click Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. Figure 199 Network > IP/MAC Binding > Exempt List
  • Page 301: IP/MAC Binding Monitor

    This field displays the MAC address to which the IP address is currently assigned. Last Access This is when the device last established a session with the ZyWALL through this interface. Refresh Click this button to update the information in the screen.
  • Page 303: Firewall

    Firewall Firewall (305)
  • Page 305: Firewall

    312) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 20.3 on page 316) to limit the number of concurrent NAT/firewall sessions a client can use.
  • Page 306: What You Need To Know About The Firewall

    The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface.
  • Page 307 (Section 6.3 on page 134). • See Section 6.5.3 on page 145 for an example of creating a firewall rule to allow H.323 traffic from the WAN to the LAN.
  • Page 308: Firewall Rule Example Applications

    IP address, make sure it either: • Has a static IP address, • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 227 for information on DHCP).
  • Page 309: Figure 203 Limited LAN to WAN IRC Traffic Example

    • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
  • Page 310: Firewall Rule Configuration Example

    2 Select Create Object in the Destination drop-down list box. 3 The screen for configuring an address object opens. Configure it as follows and click Figure 205 Firewall Example: Create an Address Object 4 Select Create Object in the Service drop-down list box.
  • Page 311: Figure 206 Firewall Example: Create A Service Object

    Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 207 Firewall Example: Edit a Firewall Rule 8 The firewall rule appears in the firewall rule summary. Figure 208 Firewall Example: MyService Example Rule in Summary
  • Page 312: The Firewall Screen

    • Besides configuring the firewall, you also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access LAN devices. See Chapter 16 on page 271 for more information.
  • Page 313: Figure 210 Firewall

    Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
  • Page 314 TCP reset packet to the sender (reject) or permits the passage of packets (allow). This field shows you whether a log (and alert) is created when packets match this rule or not.
  • Page 315: The Firewall Edit Screen

    VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
  • Page 316: The Session Limit Screen

    NAT/firewall sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.
  • Page 317: Figure 212 Firewall > Session Limit

    The ordering of your rules is important as they are applied in order of their numbering. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 318: The Session Limit Edit Screen

    For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
  • Page 319: VPN

    IPSec VPN (321) SSL VPN (355) SSL User Screens (365) SSL User Application Screens (371) SSL User File Sharing (373) L2TP VPN (379) L2TP VPN Example (383)
  • Page 321: IPSec VPN

    327) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
  • Page 322: What You Need To Know About IPSec VPN

    Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
  • Page 323: Table 109 IPSec VPN Application Scenarios

    VPN tunnel. initiate the VPN tunnel. Finding Out More • See Section 5.4.4 on page 112 for related information on these screens. • See Section 21.6 on page 344 for IPSec VPN background information.
  • Page 324: Before You Begin

    Route to control dynamic IPSec rules. The VPN wizard automatically creates a corresponding policy route. If you create the VPN connection in the VPN > IPSec VPN screens, you need to manually create a corresponding policy route.
  • Page 325: Figure 216 VPN > IPSec VPN > VPN Connection

    Encapsulation This field displays what encapsulation the IPSec SA uses. Algorithm This field displays what encryption and authentication methods, respectively, the IPSec SA uses. Policy This field displays the local policy and the remote policy, respectively.
  • Page 326 To connect or disconnect an IPSec SA, click the Connect icon next to the VPN connection. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 327: The VPN Connection Add/Edit (IKE) Screen

    324), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears. Figure 217 VPN > IPSec VPN > VPN Connection > Edit (IKE)
  • Page 328: Table 111 VPN > IPSec VPN > VPN Connection > Edit

    Selecting this restricts who can use the VPN tunnel. The ZyWALL drops traffic with source and destination IP addresses that do not match the local and remote policy. Phase 2 Settings Click Advanced to display more settings. Click Basic to display fewer settings.
  • Page 329 PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
  • Page 330 Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). Inbound Traffic
  • Page 331 To remove a NAT record, click the Remove icon next to the record. The ZyWALL confirms that you want to delete the NAT record before doing so. Click OK to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen.
  • Page 332: The VPN Connection Add/Edit Manual Key Screen

    Edit icon. In the VPN Gateway section of the screen, select Manual Key. Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA. Figure 218 VPN > IPSec VPN > VPN Connection > Manual Key > Edit
  • Page 333: Table 112 VPN > IPSec VPN > VPN Connection > Manual Key > Edit

    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Algorithm Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The ZyWALL and remote IPSec router must use the same algorithm.
  • Page 334 MD5 authentication key, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
  • Page 335: The VPN Gateway Screen

    To activate or deactivate a VPN gateway, click the Active icon next to the gateway. Make sure you click Apply to save and apply the change. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 336: The VPN Gateway Add/Edit Screen

    VPN Gateway Name Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Gateway Settings
  • Page 337 Select which type of identification is used to identify the ZyWALL during authentication. Choices are: IP - the ZyWALL is identified by an IP address DNS - the ZyWALL is identified by a domain name E-mail - the ZyWALL is identified by an e-mail address
  • Page 338 IPSec routers with dynamic WAN IP addresses. In these situations, use a different IP address, or use a different Peer ID Type. Phase 1 Settings Click Advanced to display more settings. Click Basic to display fewer settings.
  • Page 339 ZyWALL transmits the data. If the remote IPSec router does not respond, the ZyWALL shuts down the IKE SA. If the remote IPSec router does not support DPD, see if you can use the VPN connection connectivity check (see Section 21.2.1 on page 327).
  • Page 340: The VPN Concentrator Screen

    Cancel Click Cancel to exit this screen without saving. 21.4 The VPN Concentrator Screen A VPN concentrator combines several IPSec VPN connections into one secure network. Figure 221 VPN Topologies (Fully Meshed and Hub and Spoke)
  • Page 341: Figure 222 VPN > IPSec VPN > Concentrator

    To edit a VPN concentrator, click the Edit icon next to the concentrator. The VPN Concentrator Add/Edit screen appears accordingly. To delete a VPN concentrator, click on the Remove icon next to the concentrator. The Web Configurator confirms that you want to delete the VPN concentrator.
  • Page 342: The VPN Concentrator Add/Edit Screen

    The VPN concentrator’s member VPN connections appear on the right. Select any VPN connections that you want to remove from the VPN concentrator, and click the left arrow button to remove them. Figure 224 Network > IPSec VPN > Concentrator > Edit > Member
  • Page 343: The SA Monitor Screen

    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
  • Page 344: IPSec VPN Background Information

    Both routers must use the same negotiation mode. These modes are discussed in more detail in Negotiation Mode on page 348. Main mode is used in various examples in the rest of this section.
  • Page 345: Figure 226 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal

    • Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit key to each 64-bit block of data. • Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.
  • Page 346: Figure 227 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange

    The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt.
  • Page 347: Figure 228 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication

    ID type and content that applies to the other router. The ZyWALL’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively.
  • Page 348: Table 118 VPN Example: Matching ID Type And Content

    For example, the remote IPSec router may be a telecommuter who does not have a static IP address.
  • Page 349: Figure 229 VPN/NAT Example

    If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode).
  • Page 350 IPSec SA through which to send data between computers on the networks. The IPSec SA stays connected even if the underlying IKE SA is not available anymore. This section introduces the key components of an IPSec SA.
  • Page 351: Figure 230 VPN: Transport And Tunnel Mode Encapsulation

    Tunnel Mode Packet: IP Header, AH/ESP Header, IP Header, Data. In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:
  • Page 352 In an IPSec SA using manual keys, you can only specify one encryption algorithm and one authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use.
  • Page 353: Figure 231 VPN Example: NAT For Inbound And Outbound Traffic

    (for example, mail) from the remote network to a specific computer (like the mail server) in the local network. Each kind of translation is explained below. The following example is used to help explain each one. Figure 231 VPN Example: NAT for Inbound and Outbound Traffic
  • Page 354 (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size.
  • Page 355: SSL VPN

    With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access.
  • Page 356: Figure 232 Network Access Mode: Reverse Proxy

    • limit user access to specific applications or files on the network. • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks.
  • Page 357 Section 22.5 on page 364 for how to establish an SSL VPN connection to the ZyWALL (after you have configured the SSL VPN settings on the ZyWALL). • See Chapter 44 on page 629 for details on SSL application objects.
  • Page 358: The SSL Access Privilege Screen

    To delete a policy, click the Remove icon next to the policy. To rearrange a policy in the list, click the Move to N icon next to the policy. Apply Click Apply to save the settings. Reset Click Reset to discard all changes.
  • Page 359: The SSL Access Policy Add/Edit Screen

    Enter a descriptive name to identify this policy. You can enter up to 15 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed. Description Enter additional information about this SSL access policy. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”).
  • Page 360 Chapter 37 on page 575 Address Object more information. Click OK to save the changes and return to the main Access Privilege screen. Cancel Click Cancel to discard all changes and return to the main Access Privilege screen.
  • Page 361: The SSL Connection Monitor Screen

    This field displays the number of bytes transmitted by the ZyWALL on this connection. Action Click the icon to terminate the connection of the user and delete corresponding session information from the ZyWALL. Refresh Click Refresh to update this screen.
  • Page 362: The SSL Global Setting Screen

    The file size must be 100 kilobytes or less. Transparent background is recommended. Browse Click Browse to locate the graphic file on your computer. Upload Click Upload to transfer the specified graphic file from your computer to the ZyWALL.
  • Page 363: How To Upload A Custom Logo

    3 Click Apply to start the file transfer process. 4 Log in as a user to verify that the new logo displays properly. The following shows an example logo on the remote user screen. Figure 238 Example Logo Graphic Display
  • Page 364: Establishing An SSL VPN Connection

    If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 23 on page 365.
  • Page 365: SSL User Screens

    Here are the browser and computer system requirements for remote user access. • Windows 2000 and Windows XP • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled) • Netscape 7.2 and above
  • Page 366: Remote User Login

    Example screens for Internet Explorer are shown. 1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 241 Enter the Address in a Web Browser
  • Page 367: Figure 242 Login Security Screen

    This may take up to two minutes. If you get a message about needing Java, download and install it, then restart your browser and log in again. If a certificate warning screen displays, click OK, Yes or Continue. Figure 244 Java Needed Message
  • Page 368: The SSL VPN User Screens

    Available resource links vary depending on the configuration your network administrator made. 23.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 246 Remote User Screen
  • Page 369: Bookmarking The ZyWALL

    To properly terminate a connection, click on the Logout icon in any remote user screen. 1 Click the Logout icon in any remote user screen. 2 A prompt window displays. Click OK to continue. Figure 248 Logout: Prompt
  • Page 370: Figure 249 Logout: Connection Termination Progress

    3 An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 249 Logout: Connection Termination Progress
  • Page 371: SSL User Application Screens

    The Type field displays whether the application is a web site (Web Server) or web-based e-mail using Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 250 Application
  • Page 372 Chapter 24 SSL User Application Screens
  • Page 373: SSL User File Sharing

    • Rename a file or folder. • Delete a file or folder. • Upload a file. Available actions you can perform in the File Sharing screen vary depending on the rights granted to you on the file server.
  • Page 374: The Main File Sharing Screen

    3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 252 File Sharing: Enter Access User Name and Password
  • Page 375: Downloading A File

    You are prompted to download a file which cannot be opened using a web browser. Follow the on-screen instructions to download and save the file to your computer. Then launch the associated application to open the file.
  • Page 376: Saving A File

    Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 255 File Sharing: Save a Word File
  • Page 377: Renaming A File Or Folder

    Click the Delete icon next to a file or folder to remove it. There is no confirmation screen - the file or folder is just deleted - so be sure you really do not want the item before you click.
  • Page 378: Uploading A File

    4 After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 258 File Sharing: File Upload Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed.
  • Page 379: L2TP VPN

    You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 21 on page for details). The IPSec VPN connection must: • Be enabled. • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication.
  • Page 380: Figure 260 Policy Route For L2TP VPN

    LAN_SUBNET Finding Out More • See Section 5.4.6 on page 112 for related information on these screens. • See Chapter 27 on page 383 for an example of how to create a basic L2TP VPN tunnel.
  • Page 381: L2TP VPN Screen

    Select a user or user group that can use the L2TP VPN tunnel. Select Create Object to configure a new user account (see Section 36.2.1 on page 564 for details). Otherwise, select any to allow any user with a valid account and password on the ZyWALL to log in.
  • Page 382: L2TP VPN Session Monitor Screen

    This field displays the public IP address that the remote user is using to connect to the Internet. Action Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh Click Refresh to update the information in the display.
  • Page 383: L2TP VPN Example

    • You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel. • The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192.168.1.x subnet.
  • Page 384: Configuring The Default L2TP VPN Gateway Example

    • Select Pre-Shared Key and configure a password. This example uses top-secret. Click OK. 2 Click the Default_L2TP_VPN_GW entry’s Enable icon and click Apply to turn on the entry. Figure 265 VPN > IPSec VPN > VPN Gateway (Enable)
  • Page 385: Configuring The Default L2TP VPN Connection Example

    3 Click the Default_L2TP_VPN_Connection entry’s Enable icon and click Apply to turn on the entry. Figure 267 VPN > IPSec VPN > VPN Connection (Enable) 27.4 Configuring the L2TP VPN Settings Example 1 Click VPN > L2TP VPN to open the following screen.
  • Page 386: Figure 268 VPN > L2TP VPN Example

    • Select a user or group of users that can use the tunnel. Here a user account named L2TP-test has been created. • The other fields are left at the defaults in this example. Click Apply.
  • Page 387: Configuring The Policy Route For L2TP Example

    Microsoft IPSec service. Make sure you include the quotes. • For Windows XP, use net start "ipsec services". • For Windows 2000, use net start "ipsec policy agent".
  • Page 388: Configuring L2TP In Windows XP

    3 Select Connect to the network at my workplace and click Next. Figure 270 New Connection Wizard: Network Connection Type 4 Select Virtual Private Network connection and click Next. Figure 271 New Connection Wizard: Network Connection
  • Page 389: Figure 272 New Connection Wizard: Connection Name

    5 Type L2TP to ZyWALL as the Company Name. Figure 272 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and click Next. Figure 273 New Connection Wizard: Public Network
  • Page 390: Figure 274 New Connection Wizard: VPN Server Selection

    ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 274 New Connection Wizard: VPN Server Selection 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 275 Connect L2TP to ZyWALL
  • Page 391: Figure 276 Connect L2TP To ZyWALL: Security

    11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 277 Connect ZyWALL L2TP: Security > Advanced
  • Page 392: Figure 278 L2TP To ZyWALL Properties > Security

    13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 279 L2TP to ZyWALL Properties > Security > IPSec Settings
  • Page 393: Figure 280 L2TP To ZyWALL Properties: Networking

    Figure 281 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 282 ZyWALL-L2TP System Tray Icon
  • Page 394: Configuring L2TP In Windows 2000

    1 Click Start > Run. Type regedit and click OK. Figure 284 Starting the Registry Editor 2 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings.
  • Page 395: Figure 285 Registry Key

    4 Right-click Parameters and select New > DWORD Value. Figure 286 New DWORD Value 5 Enter ProhibitIpSec as the name and make sure the Data displays as 0’s. Figure 287 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section.
  • Page 396: Figure 288 Run mmc

    After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. 1 Click Start > Run. Type mmc and click OK. Figure 288 Run mmc 2 Click Console > Add/Remove Snap-in. Figure 289 Console > Add/Remove Snap-in
  • Page 397: Figure 290 Add > IP Security Policy Management > Finish

    Figure 290 Add > IP Security Policy Management > Finish 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 291 Create IP Security Policy
  • Page 398: Figure 292 IP Security Policy: Name

    5 Name the IP security policy L2TP to ZyWALL, and click Next. Figure 292 IP Security Policy: Name 6 Clear the Activate the default response rule check box and click Next. Figure 293 IP Security Policy: Request for Secure Communication
  • Page 399: Figure 294 IP Security Policy: Completing The IP Security Policy Wizard

    7 Leave the Edit Properties check box selected and click Finish. Figure 294 IP Security Policy: Completing the IP Security Policy Wizard 8 In the properties dialog box, click Add > Next. Figure 295 IP Security Policy Properties > Add
  • Page 400: Figure 296 IP Security Policy Properties: Tunnel Endpoint

    9 Select This rule does not specify a tunnel and click Next. Figure 296 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next. Figure 297 IP Security Policy Properties: Network Type
  • Page 401: Figure 298 IP Security Policy Properties: Authentication Method

    11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 298 IP Security Policy Properties: Authentication Method 12 Click Add. Figure 299 IP Security Policy Properties: IP Filter List
  • Page 402: Figure 300 IP Security Policy Properties: IP Filter List > Add

    ZyWALL’s WAN IP address (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply. Figure 301 Filter Properties: Addressing
  • Page 403: Figure 302 Filter Properties: Protocol

    UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 302 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next. Figure 303 IP Security Policy Properties: IP Filter List
  • Page 404: Figure 304 IP Security Policy Properties: IP Filter List

    After you have configured the IPSec policy, use these directions to create a network connection. 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next. Figure 306 Start New Connection Wizard
  • Page 405: Figure 307 New Connection Wizard: Network Connection Type

    3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next. Figure 308 New Connection Wizard: Destination Address 172.16.1.2
  • Page 406: Figure 309 New Connection Wizard: Connection Availability

    4 Select For all users and click Next. Figure 309 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 310 New Connection Wizard: Naming the Connection 6 Click Properties. Figure 311 Connect L2TP to ZyWALL
  • Page 407: Figure 312 Connect L2TP To ZyWALL: Security

    8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up. Figure 313 Connect L2TP to ZyWALL: Security > Advanced
  • Page 408: Figure 314 Connect L2TP To ZyWALL: Networking

    Figure 315 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 316 ZyWALL-L2TP System Tray Icon
  • Page 409: Figure 317 L2TP To ZyWALL Status: Details

    12 Click Details and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). Figure 317 L2TP to ZyWALL Status: Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works.
  • Page 410 Chapter 27 L2TP VPN Example
  • Page 411: Application Patrol

    Application Patrol Application Patrol (413)
  • Page 413: Application Patrol

    It also lets you open the Other Configuration Add/Edit screen to create new conditions or edit existing ones. • Use the Statistics screen (see Section 28.5 on page 432) to see a bandwidth usage graph and statistics for each protocol. ZyWALL 1050 User’s Guide...
  • Page 414: What You Need To Know About Application Patrol

    289) to use the same port numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic. ZyWALL 1050 User’s Guide...
  • Page 415: Figure 318 Lan To Wan Connection And Packet Directions

    • Inbound traffic comes back from the WAN zone device to the LAN zone device. Bandwidth management is applied before sending the traffic out a LAN zone interface. Figure 318 LAN to WAN Connection and Packet Directions Connection Outbound Inbound ZyWALL 1050 User’s Guide...
  • Page 416: Figure 319 Lan To Wan, Outbound 200 Kbps, Inbound 500 Kbps

    Unused bandwidth is divided equally. Higher priority traffic does not get a larger portion of the unused bandwidth. ZyWALL 1050 User’s Guide...
  • Page 417: Figure 320 Bandwidth Management Behavior

    300 kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets. ZyWALL 1050 User’s Guide...
  • Page 418: Application Patrol Bandwidth Management Examples

    • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic. ZyWALL 1050 User’s Guide...
  • Page 419: Figure 321 Application Patrol Bandwidth Management Example

    ZyWALL applies this limit before sending the traffic to LAN or DMZ. • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment. • Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth. ZyWALL 1050 User’s Guide...
  • Page 420: Figure 322 Sip Any To Wan Bandwidth Management Example

    HTTP traffic gets sent before non-SIP traffic. • Enable maximize bandwidth usage so the HTTP traffic can borrow unused bandwidth. Figure 323 HTTP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 500 kbps ZyWALL 1050 User’s Guide...
  • Page 421: Figure 324 Ftp Wan To Dmz Bandwidth Management Example

    50 Mbps. • Fourth highest priority (4). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 325 FTP LAN to DMZ Bandwidth Management Example Inbound: 50 Mbps Outbound: 50 Mbps ZyWALL 1050 User’s Guide...
  • Page 422: Application Patrol General Screen

    This same setting also appears in the Network > Routing > Policy Route screen. Enabling or disabling it in one screen also enables or disables it in the other screen. ZyWALL 1050 User’s Guide...
  • Page 423: Application Patrol Applications

    Use the Common screen (shown here as an example) to manage traffic of the most commonly used web, file transfer and e-mail protocols. Click AppPatrol > Common to open the following screen. Figure 327 AppPatrol > Common
  • Page 424: The Application Patrol Edit Screen

    Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 328 Application Edit The following table describes the labels in this screen. Table 134 Application Edit LABEL DESCRIPTION Service Enable Select this check box to turn on patrol for this application. Service
  • Page 425 Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision. Reject - the ZyWALL does not route the packets for this application and notifies the client of its decision.
  • Page 426 The ordering of the entries is important as they are applied in order of their numbering. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 427: The Application Patrol Policy Edit Screen

    Create Object to configure a new one. Select any if the policy is effective for every source. Destination Select a destination address or address group to which this policy applies. Select Create Object to configure a new one. Select any if the policy is effective for every destination.
  • Page 428 The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.
  • Page 429: The Other Applications Screen

    While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more common conditions at the top of the list. Port This field displays the specific port number to which this policy applies.
  • Page 430 The ordering of the entries is important as they are applied in order of their numbering. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 431: The Other Applications Add/Edit Screen

    Create Object to configure a new one. Select any if the policy is effective for every source. Destination Select a destination address or address group to which this policy applies. Select Create Object to configure a new one. Select any if the policy is effective for every destination.
  • Page 432: Application Patrol Statistics

    Cancel Click Cancel to exit this screen without saving your changes. 28.5 Application Patrol Statistics This screen displays a bandwidth usage graph and statistics for selected protocols. Click AppPatrol > Statistics to open the following screen.
  • Page 433: Application Patrol Statistics: General Setup

    The middle of the AppPatrol > Statistics screen displays a bandwidth usage line graph for the selected protocols. Figure 333 AppPatrol > Statistics: Bandwidth Statistics • The y-axis represents the amount of bandwidth used. • The x-axis shows the time period over which the bandwidth usage occurred.
  • Page 434: Application Patrol Statistics: Protocol Statistics

    (in kilobytes). This traffic was rejected because it matched an application policy set to “reject”. Matched Auto Connection This is how much of the application’s traffic the ZyWALL identified by examining the IP payload.
  • Page 435 Data (KB) This is how much of the application’s traffic the ZyWALL has discarded and notified the client that the traffic was rejected (in kilobytes). This traffic was rejected because it matched a policy set to “reject”.
  • Page 436 Chapter 28 Application Patrol
  • Page 437: Anti-X

    Anti-X Anti-Virus (439) IDP (453) ADP (481) Content Filtering (497) Content Filter Reports (519) Anti-Spam (527)
  • Page 439: Anti-Virus

    (Section 29.3 on page 446) to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns. • Use the Signature screen (Section 29.6 on page 449) to search for signatures and get more information about them.
  • Page 440: What You Need To Know About Anti-Virus

    The un-infected portion of the file before a virus pattern was matched still goes through. 5 If the send alert message function is enabled, the ZyWALL sends an alert to the file’s intended destination computer(s).
  • Page 441: Before You Begin

    • Before using anti-virus, see Chapter 8 on page 167 for how to register for the anti-virus service. • You may need to customize the zones (in Network > Zone) used for the anti-virus scanning direction.
  • Page 442: Anti-Virus Summary Screen

    From The anti-virus policy has the ZyWALL scan traffic coming from this zone and going to the To zone. The anti-virus policy has the ZyWALL scan traffic going to this zone from the From zone.
  • Page 443 Update Signatures Click this link to go to the screen you can use to download signatures from the update server. Apply Click Apply to save your changes. Reset Click Reset to start configuring this screen again.
  • Page 444: Anti-Virus Policy Add Or Edit Screen

    When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros. The un-infected portion of the file before a virus pattern was matched goes through unmodified.
  • Page 445 You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear this option while you download the firmware package. Click OK to save your changes. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 446: Anti-Virus Black List

    To delete an entry, click the entry’s Remove icon. The Web Configurator confirms that you want to delete the entry. Apply Click Apply to save your changes. Reset Click Reset to start configuring this screen again.
  • Page 447: Anti-Virus Black List Or White List Add/Edit

    If you do not use a wildcard, the ZyWALL checks up to the first 80 characters of a file name. Click OK to save your changes. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 448: Anti-Virus White List

    To delete an entry, click the entry’s Remove icon. The Web Configurator confirms that you want to delete the entry. Apply Click Apply to save your changes. Reset Click Reset to start configuring this screen again.
  • Page 449: Signature Searching

    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
  • Page 450: Anti-Virus Technical Reference

    2 The virus spreads to other files and programs on the computer. 3 The infected files are unintentionally sent to another computer, thus starting the spread of the virus. 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially.
  • Page 451 • NAV scanners stop virus threats at the network edge before they enter or exit a network. • NAV scanners reduce the computing load on computers, as the real-time data traffic inspection is done on a dedicated security device.
  • Page 452 Chapter 29 Anti-Virus
  • Page 453: Idp

    You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers.
  • Page 454: Before You Begin

    When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription. • Configure zones on the ZyWALL - see Chapter 14 on page 261 for more information.
  • Page 455: The Idp General Screen

    If you don’t have a standard license, you can register for a once-off trial one. Policies Use this list to specify which IDP profile the ZyWALL uses for traffic flowing in a specific direction. Priority IDP policies are applied in order of priority.
  • Page 456 Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. Released Date This field displays the date and time the set was released.
  • Page 457: Configuring Idp Policies

    IDP service in order to be able to download new signatures. In general, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior (see Chapter 31 on page 481 for information on anomaly detection).
  • Page 458: Base Profiles

    Signatures with a very low or low severity level (less than or equal to two) are disabled. Click OK to save your changes. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 459: The Profile Summary Screen

    When you’re satisfied that they have been reduced to an acceptable level, you could then create an ‘inline profile’ whereby you configure appropriate actions to be taken when a packet matches a signature.
  • Page 460: Procedure To Create A New Profile

    Select Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7.
  • Page 461: Profile > Group View Screen

    Chapter 30 IDP 30.6.1 Profile > Group View Screen Figure 346 Anti-X > IDP > Profile > Edit : Group View
  • Page 462: Table 151 Anti-X > Idp > Profile > Group View

    ZyWALL create a log when a packet matches a signature(s). log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
  • Page 463: Policy Types

    After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants. SPAM Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or services.
  • Page 464: Idp Service Groups

    An IDP service group is a set of related packet inspection signatures. Table 153 IDP Service Groups: WEB_PHP, WEB_MISC, WEB_IIS, WEB_FRONTPAGE, WEB_CGI, WEB_ATTACKS, TFTP, TELNET, SNMP, SMTP, RSERVICES, POP3, POP2, ORACLE, NNTP, NETBIOS, MYSQL, MISC_EXPLOIT, MISC_DDOS, MISC_BACKDOOR, MISC
  • Page 465: Figure 347 Anti-X > Idp > Profile > Edit > Idp Service Group

    Logs and actions applied to a service group apply to all signatures within that group. If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings. Figure 347 Anti-X > IDP > Profile > Edit > IDP Service Group
  • Page 466: Profile > Query View Screen

    Hold down the [Ctrl] key if you want to make multiple selections. Platform Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.
  • Page 467: Query Example

    Click OK in the final profile screen to complete the profile. 30.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any • Actions: Any
  • Page 468: Figure 349 Query Example Search Criteria

    Figure 349 Query Example Search Criteria Figure 350 Query Example Search Results
  • Page 469: Introducing Idp Custom Signatures

    When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops. Protocol The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
  • Page 470: Configuring Custom Signatures

    If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both. Figure 352 Anti-X > IDP > Custom Signatures
  • Page 471: Creating Or Editing A Custom Signature

    (including packet contents), then the fewer false positives the signature will trigger. Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
  • Page 472: Figure 353 Anti-X > Idp > Custom Signatures > Add/Edit

    Figure 353 Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 473: Table 157 Anti-X > Idp > Custom Signatures > Add/Edit

    Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.
  • Page 474 ICMP fields when they communicate. Payload Options The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
  • Page 475: Custom Signature Example

    As an example, say you want to create a signature for the ‘Microsoft Windows Plug-and-Play Service Remote Overflow (MS-05-39)’ attack. Search the Security Focus web site and you will find it uses the NetBIOS service in established TCP connections to a server using port 445.
  • Page 476: Figure 354 Custom Signature Example Pattern 1

    Figure 356 Custom Signature Example Patterns 3 and 4 The final custom signature should look as shown in the following figure. If the attack occurs, check the logs for a log of your custom signature. This indicates the signature works correctly.
  • Page 477: Figure 357 Example Custom Signature

    Figure 357 Example Custom Signature
  • Page 478: Applying Custom Signatures

    It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (NetBIOS in this case) that the attack tries to exploit. Figure 359 Custom Signature Log
  • Page 479: Idp Technical Reference

    These are some equivalent Snort terms in the ZyWALL. Table 158 ZyWALL - Snort Equivalent Terms ZYWALL TERM SNORT EQUIVALENT TERM Type Of Service Identification
  • Page 480 (Snort rule options) Payload Size: dsize; Offset (relative to start of payload): offset; Relative to end of last match: distance; Content: content; Case-insensitive: nocase; Decode as URI: uricontent. Not all Snort functionality is supported in the ZyWALL.
  • Page 481: Adp

    Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware.
  • Page 482: Before You Begin

    Figure 360 Anti-X > ADP > General The following table describes the labels in this screen. Table 159 Anti-X > ADP > General LABEL DESCRIPTION General Settings Enable Anomaly Detection Select this check box to enable traffic anomaly and protocol anomaly detection.
  • Page 483: Configuring Adp Policies

    Click Anti-X > ADP > General and then an Add or Edit icon to display the following screen. Use this screen to apply an ADP profile to a traffic direction. Figure 361 Anti-X > ADP > General > Add
  • Page 484: The Profile Summary Screen

    • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile 31.3.1 Base Profiles The ZyWALL comes with base profiles. You use base profiles to create new profiles. Figure 362 Base Profiles
  • Page 485: Configuring The Adp Profile Summary Screen

    A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As each network is different, false positives and false negatives are common on initial ADP deployment.
  • Page 486: Traffic Anomaly Profiles

    Edit icon or click the Add icon and choose a base profile. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
  • Page 487: Figure 364 Profiles: Traffic Anomaly

    Chapter 31 ADP Figure 364 Profiles: Traffic Anomaly
  • Page 488: Protocol Anomaly Profiles

    RFC (Request for Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder, and ICMP Decoder, where each category reflects the packet type inspected. Protocol anomaly rules may be updated when you upload new firmware.
  • Page 489: Protocol Anomaly Configuration

    Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab. Figure 365 Profiles: Protocol Anomaly
  • Page 490: Technical Reference

    (Section 31.3.4 on page 486) Port Scanning An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap.
  • Page 491 These are some filtered port scan examples. • TCP Filtered Portscan • UDP Filtered Portscan • IP Filtered Portscan • TCP Filtered Decoy Portscan • UDP Filtered Decoy Portscan • IP Filtered Decoy Portscan
  • Page 492: Figure 366 Smurf Attack

    Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
  • Page 493: Figure 367 Tcp Three-Way Handshake

    ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on the victim, the system will go down.
  • Page 494: Table 165 Http Inspection And Tcp/Udp/Icmp Decoders

    URI. For instance, you may want to know if there are NULL bytes in the request-URI. NON-RFC-HTTP-DELIMITER ATTACK This is when a newline “\n” character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers.
  • Page 495 20 bytes. This may cause some applications to crash. UDP Decoder OVERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of greater than the actual packet length. This may cause some applications to crash.
  • Page 496 TRUNCATED-TIMESTAMP-HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • Page 497: Content Filtering

    A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolerance. • Restrict Web Features
  • Page 498: Before You Begin

    • You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy. • You must subscribe to use the external database content filtering (see the Licensing > Registration screens).
  • Page 499: Content Filter General Screen

    User This column displays the individual or group to which this policy applies. any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user.
  • Page 500 None displays if you have not successfully registered and activated the service. Standard displays if you have successfully registered the ZyWALL and activated the service. Trial displays if you have successfully registered the ZyWALL and activated the trial service subscription.
  • Page 501: Content Filter Policy Add Or Edit Screen

    Select Create Object to configure a new user account (see Section 36.2.1 on page for details). Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user.
  • Page 502: Content Filter Profile Screen

    You must register for external content filtering before you can use it. See Section 8.2 on page 168 for how to register. See Chapter 33 on page 519 for how to view content filtering reports.
  • Page 503: Figure 372 Anti-X > Content Filter > Filter Profile > Add

    Chapter 32 Content Filtering Figure 372 Anti-X > Content Filter > Filter Profile > Add
  • Page 504: Table 169 Anti-X > Content Filter > Filter Profile > Add

    Content Filter General screen along with the category of the blocked web page. Select Log to record attempts to access web pages that match the unsafe categories that you select below.
  • Page 505 These are categories of web pages that are known to pose a threat to users or their computers. Phishing This category includes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (e.g. credit card numbers, PIN numbers).
  • Page 506 It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
  • Page 507 Includes sites that endorse or offer methods, means of instruction, or other resources to affect or influence real events through the use of spells, incantations, curses and magic powers. This category includes sites which discuss or deal with paranormal or unexplained events.
  • Page 508 Internet and technology-related organizations and companies. Search Engines/Portals This category includes pages that support searching the Internet, indices, and directories. Job Search/Careers This category includes pages that provide assistance in finding employment, and tools for locating prospective employers.
  • Page 509 It does not include pages that can be classified in other categories (such as vehicles or weapons). Auctions This category includes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements.
  • Page 510 This does not include advertising servers that serve adult-oriented advertisements. Web Hosting This category includes pages of organizations that provide top-level domain pages, as well as web communities or hosting services. Test Web Site Category
  • Page 511: Content Filter Blocked And Warning Messages

    (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
  • Page 512: Figure 374 Anti-X > Content Filter > Filter Profile > Customization

    ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 513 (such as Bad for example). Blocked URL Keywords This list displays the keywords already added. Click this button when you have finished adding the keywords in the field above.
  • Page 514: Content Filter Cache Screen

    You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site’s category has been changed.
  • Page 515: Figure 375 Anti-X > Content Filter > Cache

    This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries. This is the index number of a categorized web site address record.
  • Page 516: Content Filter Technical Reference

    2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration.
  • Page 517 5 The external content filter server sends the category information back to the ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site’s address and category are then stored in the ZyWALL’s content filter cache.
  • Page 519: Content Filter Reports

    You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). 1 Go to http://www.myZyXEL.com.
  • Page 520: Figure 377 Myzyxel.com: Login

    Chapter 33 Content Filter Reports 2 Fill in your myZyXEL.com account information and click Login. Figure 377 myZyXEL.com: Login
  • Page 521: Figure 378 Myzyxel.com: Welcome

    Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 379 on page 522). Figure 378 myZyXEL.com: Welcome
  • Page 522: Figure 379 Myzyxel.com: Service Management

    4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 379 myZyXEL.com: Service Management 5 In the Web Filter Home screen, click the Reports tab. Figure 380 Content Filter Reports Main Screen
  • Page 523: Figure 381 Content Filter Reports: Report Home

    6 Select items under Global Reports to view the corresponding reports. Figure 381 Content Filter Reports: Report Home
  • Page 524: Figure 382 Global Report Screen Example

    Taken field and click Run Report. The screens vary according to the report type you selected in the Report Home screen. 8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 382 Global Report Screen Example
  • Page 525: Figure 383 Requested Urls Example

    9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 383 Requested URLs Example
  • Page 527: Anti-Spam

    IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries. The ZyWALL classifies an e-mail that
  • Page 528 A DNSBL is also known as a DNS spam blocking list. The ZyWALL can check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL.
  • Page 529: Before You Begin

    After a positive match is found in a DNSBL, the ZyWALL does not wait for any more DNSBL responses. 34.2 Before You Begin Configure your zones before you configure anti-spam.
  • Page 530: The Anti-Spam General Screen

    The anti-spam policy has the ZyWALL scan e-mail traffic that is going to this zone from the From zone. Protocol These are the protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110.
  • Page 531: The Anti-Spam Policy Add Or Edit Screen

    Use this screen to configure an anti-spam policy that controls which traffic direction of e-mail to check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic. Figure 386 Anti-X > Anti-Spam > General > Add
  • Page 532: Table 173 Anti-X > Anti-Virus > General > Add

    Select forward with tag to add a spam tag to a POP3 spam mail’s subject and send it on to the destination. Click OK to save your changes. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 533: The Anti-Spam Black List Screen

    Apply to save and apply the change. Click an entry’s Edit icon to edit the entry. To delete an entry, click the entry’s Remove icon. The Web Configurator confirms that you want to delete the entry.
  • Page 534: The Anti-Spam Black Or White List Add/Edit Screen

    This field displays when you select the IP type. Enter the subnet mask here, if applicable. Sender E-Mail Address This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters). See Section 34.4.2 on page 535 for more details.
  • Page 535: Regular Expressions In Black Or White List Entries

    You cannot use two wildcards side by side; there must be other characters between them. • The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one “Received” header, the ZyWALL checks the first one.
  • Page 536: The Anti-Spam White List Screen

    Click an entry’s Edit icon to edit the entry. See Section 34.4.1 on page 534 for how to add or edit an entry. To delete an entry, click the entry’s Remove icon. The Web Configurator confirms that you want to delete the entry.
  • Page 537: The Dnsbl Screen

    Click Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 390 Anti-X > Anti-Spam > DNSBL
  • Page 538: Table 177 Anti-X > Anti-Spam > Dnsbl

    ZyWALL forwards if queries to the DNSBL domains time out. This is the entry’s index number in the list. DNSBL Domain This is the name of a domain that maintains DNSBL servers.
  • Page 539: The Dnsbl Add/Edit Screen

    Select this check box to have the ZyWALL check the sender and relay IP addresses in e-mails against this DNSBL. DNSBL Domain Enter the domain that is maintaining a DNSBL. Click OK to save your changes. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 540: The Anti-Spam Status Screen

    Time (sec) This is the average length of time it takes to receive a reply from this DNSBL. No Response This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
  • Page 541: Device Ha

    Device HA Device HA (543)
  • Page 543: Device Ha

    Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments. • The ZyWALLs must all support and be set to use the same device HA mode (either active- passive or legacy). ZyWALL 1050 User’s Guide...
  • Page 544: Before You Begin

    For example, a backup subscribed to IDP/AppPatrol, but not anti- virus, gets IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to subscribe the master and backup ZyWALLs to the same services. ZyWALL 1050 User’s Guide...
  • Page 545: Device Ha General

    (or in legacy mode with link monitoring enabled), if one of the master ZyWALL’s interfaces loses its connection, the master ZyWALL forces all of its interfaces to the fault state so the backup ZyWALL can take over all of the master ZyWALL’s functions. ZyWALL 1050 User’s Guide...
  • Page 546: The Active-Passive Mode Screen

    35.3 The Active-Passive Mode Screen Virtual Router The master and backup ZyWALL form a single ‘virtual router’. In the following example, master ZyWALL A and backup ZyWALL B form a virtual router. Figure 395 Virtual Router ZyWALL 1050 User’s Guide...
  • Page 547: Figure 396 Cluster Ids For Multiple Virtual Routers

    IP addresses. • Each interface can also have a management IP address. You can connect to this IP address to manage the ZyWALL regardless of whether it is the master or the backup. ZyWALL 1050 User’s Guide...
  • Page 548: Configuring Active-Passive Mode Device Ha

    The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Device HA > Active-Passive Mode. Figure 398 Device HA > Active-Passive Mode ZyWALL 1050 User’s Guide...
  • Page 549: Table 181 Device Ha > Active-Passive Mode

    To activate or deactivate device HA monitoring of an interface, click the interface’s Active icon. Make sure you click Apply to save and apply the change. To edit an interface’s management IP address and subnet mask, click its Edit icon. The Add/Edit screen appears. ZyWALL 1050 User’s Guide...
  • Page 550 This appears when the ZyWALL is currently configured for legacy mode device HA. Active-Passive Click Apply to save your changes back to the ZyWALL and set it to use active- Mode passive mode device HA. Reset Click Reset to begin configuring this screen afresh. ZyWALL 1050 User’s Guide...
  • Page 551: Configuring An Active-Passive Mode Monitored Interface

    While active-passive mode only requires a single cluster ID for the entire virtual router, legacy mode device HA requires you to configure a separate VRRP group and Virtual Router ID (VRID) for each interface in a virtual router.
  • Page 552 Link monitoring has a backup ZyWALL take over all of an unavailable master ZyWALL’s static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL’s functions. This also means you can only access the original master ZyWALL through its management IP address.
  • Page 553: Configuring The Legacy Mode Screen

    VRRP interface link goes down. monitored interface is fault Monitored Interface Summary Name This field displays the name of the VRRP group. Interface This field displays which interface is part of the virtual router.
  • Page 554 Apply This appears when the ZyWALL is currently using legacy mode device HA. Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 555: Figure 401 Device HA > Legacy Mode > Add

    IP address should be in the same subnet as the interface IP address so the backup ZyWALL cannot synchronize with the master via this VRRP interface. Subnet Mask Enter the subnet mask of the interface’s management IP address.
  • Page 556 (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long. Authentication Types on page 259 for more information about authentication methods. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 557: Device HA Technical Reference

    Figure 403 Example: VRRP, Master Becomes Unavailable 192.168.10.112 ZyWALL B is now using the IP address of the default gateway, and it is forwarding packets for the network. The loss of ZyWALL A has no effect on the network.
  • Page 558 • The backup ZyWALL cannot be the master in any active VRRP group. This refers to the actual role at the time of synchronization, not the role setting in the VRRP group. The backup applies the entire configuration if it is different from the backup’s current configuration.
  • Page 559: Objects

    VIII Objects User/Group (561) Addresses (575) Services (581) Schedules (587) AAA Server (593) Authentication Method (603) Certificates (607) ISP Accounts (625) SSL Application (629)
  • Page 561: User/Group

    Change ZyWALL configuration (web, CLI); WWW, TELNET, SSH, FTP, Console, Dial-in. Limited-Admin: Look at ZyWALL configuration (web, CLI); Perform basic diagnostics (CLI); WWW, TELNET, SSH, Console, Dial-in. Access Users, User: Access network services; Browse user-mode commands (CLI); WWW, TELNET, SSH.
  • Page 562 User Groups User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
  • Page 563 • See Section 5.5.1 on page 119 for related information on these screens. • See Section 36.5 on page 573 for some information on users who use an external authentication server in order to log in.
  • Page 564: User Summary Screen

    • User names are case-sensitive. If you enter a user ‘bob’ but use ‘BOB’ when connecting via CIFS or FTP, it will use the account settings used for ‘BOB’ not ‘bob’. • User names have to be different than user group names.
  • Page 565: Figure 405 User/Group > User > Edit

    Default descriptions are provided. Authentication Timeout Settings If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill in your preferred values in the fields that follow.
  • Page 566: User Group Summary Screen

    To delete a user group, click the Remove icon next to the user group. The Web Configurator confirms that you want to delete the user group before doing so. If you delete the group, you do not delete the users in the group.
  • Page 567: Group Add/Edit Screen

    The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 568: Setting Screen

    Select the default reauthentication time when you create a new user account. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. You can still change the reauthentication time for each user account.
  • Page 569 Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Total Policy This is the number of entries configured. Policy per page Select how many entries to display per page in the screen.
  • Page 570 To activate or deactivate a condition, click the Active icon next to the condition. Make sure you click Apply to save and apply the change. Apply Click Apply to save the changes. Reset Click Reset to start configuring this screen again.
  • Page 571: Force User Authentication Policy Add/Edit Screen

    Chapter 39 on page 587 for details). Select none if this condition always applies. Select this to save your changes and return to the previous screen. Cancel Select this to return to the previous screen without saving any changes.
  • Page 572: User Aware Login Example

    Remaining time before lease timeout This field displays the amount of lease time that remains, though the user might be able to reset it. Remaining time before auth. timeout This field displays the amount of time that remains before the ZyWALL automatically logs the access user out, regardless of the lease time.
  • Page 573: User/Group Technical Reference

    Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 46 on page 681 for more information about shell scripts.
  • Page 575: Addresses

    The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 576: Address Add/Edit Screen

    The Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 37.2 on page 575), and click either the Add icon or an Edit icon. Figure 414 Object > Address > Address > Edit
  • Page 577: Address Group Summary Screen

    Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 415 Object > Address > Address Group
  • Page 578: Address Group Add/Edit Screen

    This field displays the names of the address and address group objects that can be added to the address group. Select address and address group objects that you want to be members of this group and click the right arrow to add them to the member list.
  • Page 579 The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 581: Services

    For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
  • Page 582: The Service Summary Screen

    To access this screen, log in to the Web Configurator, and click Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 417 Object > Service > Service
  • Page 583: The Service Add/Edit Screen

    Ending Port This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.
  • Page 584: The Service Group Summary Screen

    To edit a service group, click the Edit icon next to the service group. The Service Group Add/Edit screen appears. To delete a service group, click on the Remove icon next to the service group. The Web Configurator confirms that you want to delete the service group.
  • Page 585: The Service Group Add/Edit Screen

    The order of members is not important. To remove members, select them and click the left arrow. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 587: Schedules

    Finding Out More • See Section 5.5 on page 118 for related information on these screens. • See Section 45.3 on page 639 for information about the ZyWALL’s current date and time.
  • Page 588: The Schedule Summary Screen

    To edit a schedule, click the Edit icon next to the schedule. The Schedule Add/Edit screen appears. To delete a schedule, click the Remove icon next to the schedule. The Web Configurator confirms that you want to delete the schedule before doing so.
  • Page 589: The One-Time Schedule Add/Edit Screen

    Hour - 0 - 23 Minute - 0 - 59 All of these fields are required. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 590: The Recurring Schedule Add/Edit Screen

    Day - disabled Hour - 0 - 23 Minute - 0 - 59 The Hour and Minute fields are both required. To set all day (24 hours), configure the stop hour to 23 and minute to 59. Weekly
  • Page 591 LABEL DESCRIPTION Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 593: AAA Server

    3 When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair. 4 If it matches, the user is allowed access. Otherwise, access is blocked.
  • Page 594: RADIUS Server Overview

    597) to configure the Active Directory or LDAP default server settings. • Use the Object > AAA Server > RADIUS screen (Section 40.4 on page 600) to configure the default external RADIUS server to use for user authentication.
  • Page 595: What You Need To Know About AAA Servers

    The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals.
  • Page 596: Figure 426 Basic Directory Structure

    The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the ZyWALL will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.
  • Page 597: Configuring Active Directory Or LDAP Default Server Settings

    Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server. Apply Click Apply to save the changes. Reset Click Reset to start configuring this screen again.
  • Page 598: Active Directory Or LDAP Group Summary Screen

    This field displays the index number. Group Name This field displays the descriptive name for identification purposes. Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
  • Page 599: Creating An Active Directory Or LDAP Group

    Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down. Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server(s).
  • Page 600: Configuring A Default RADIUS Server

    Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
  • Page 601: Configuring A Group Of RADIUS Servers

    This field displays the index number. Group Name This field displays the descriptive name for identification purposes. Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
  • Page 602: Adding A RADIUS Server Member

    Click Add to add a new RADIUS server. You can add up to four RADIUS member servers. Click Delete to remove a RADIUS server. Click OK to save the changes. Cancel Click Cancel to discard the changes.
  • Page 603: Authentication Method

    1 Access the VPN > IPSec VPN > VPN Gateway > Edit screen. 2 Select Enable Extended Authentication. 3 Select Server Mode and select an authentication method object from the drop-down list box. 4 Click OK to save the settings.
  • Page 604: Viewing Authentication Method Objects

    This field displays a descriptive name for identification purposes. Method List This field displays the authentication method(s) for this entry. Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry.
  • Page 605: Creating An Authentication Method Object

    You can NOT select two server objects of the same type. 7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 435 Object > Auth. Method > Add
  • Page 606: Table 213 Object > Auth. Method > Add

    Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes. Cancel Click Cancel to discard the changes.
  • Page 607: Certificates

    3 Tim uses his private key to sign the message and sends it to Jenny. 4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the
  • Page 608 A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyWALL currently allows the importation of a PKCS #7 file that contains a single certificate.
  • Page 609: Verifying A Certificate

    1 Browse to where you have the certificate saved on your computer. 2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 436 Remote Host Certificates
  • Page 610: The My Certificates Screen

    42.2 The My Certificates Screen Click Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Figure 438 Object > Certificate > My Certificates
  • Page 611: Table 214 Object > Certificate > My Certificates

    You cannot delete certificates that any of the ZyWALL’s features are configured to use. Import Click Import to open a screen where you can save a certificate to the ZyWALL. Refresh Click Refresh to display the current validity status of the certificates.
  • Page 612: The My Certificates Add Screen

    You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
  • Page 613 VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
  • Page 614 My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online.
  • Page 615: The My Certificates Edit Screen

    The ZyWALL does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh Click Refresh to display the certification path.
  • Page 616 This field does not display for a certification request. MD5 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm.
  • Page 617: The My Certificates Import Screen

    PKCS#12 format, including the certificate’s public and private keys. The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it.
  • Page 618: The Trusted Certificates Screen

    The ZyWALL also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates. Figure 442 Object > Certificate > Trusted Certificates
  • Page 619: Table 218 Object > Certificate > Trusted Certificates

    Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyWALL. Refresh Click this button to display the current validity status of the certificates.
  • Page 620: The Trusted Certificates Edit Screen

    ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 443 Object > Certificate > Trusted Certificates > Edit
  • Page 621: Table 219 Object > Certificate > Trusted Certificates > Edit

    This field displays the certificate’s identification number given by the certification authority. Subject This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
  • Page 622 Save. Click OK to save your changes back to the ZyWALL. You can only change the name. Cancel Click Cancel to quit and return to the Trusted Certificates screen.
  • Page 623: The Trusted Certificates Import Screen

    You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Browse Click Browse to find the certificate file you want to upload. Click OK to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the previous screen.
  • Page 624: Certificates Technical Reference

    ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response.
  • Page 625: ISP Accounts

    This field displays the profile name of the ISP account. This name is used to identify the ISP account. Protocol This field displays the protocol used by the ISP account. Authentication Type This field displays the authentication type used by the ISP account.
  • Page 626: ISP Account Edit

    This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Options are: pppoe - This ISP account uses the PPPoE protocol. pptp - This ISP account uses the PPTP protocol.
  • Page 627 ISP Account Edit screen. Cancel Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).
  • Page 629: Ssl Application

    Remote User Screen Links Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access. ZyWALL 1050 User’s Guide...
  • Page 630: Example: Specifying A Web Site For Access

    4 In the Address field, enter “http://info”. 5 In the Server Type field, select Web Server. 6 Select Web Page Encryption to prevent users from saving the web content. 7 Click Apply to save the settings. ZyWALL 1050 User’s Guide...
  • Page 631: The Ssl Application Screen

    To add an object, click the Add icon at the top of the column. To edit an object, click the Edit icon next to the object. To delete an object, click the Remove icon next to the object. ZyWALL 1050 User’s Guide...
  • Page 632: Creating/Editing A Web-Based Ssl Application Object

    Remote users are restricted to access only files in this directory. For example, if you enter “\remote\” in this field, emote users can only access files in the “remote” directory. If a link contains a file that is not within this domain, then remote users cannot access ZyWALL 1050 User’s Guide...
  • Page 633: Creating/Editing A File Sharing Ssl Application Object

    The following table describes the labels in this screen. Table 225 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Object Type Select File Sharing to create a file share application for VPN SSL. File Sharing ZyWALL 1050 User’s Guide...
  • Page 634 Click Cancel to discard the changes and return to the main SSL Application Configuration screen. You must then configure the shared folder on the file server for remote access. Refer to the document that comes with your file server. ZyWALL 1050 User’s Guide...
  • Page 635: System

    System System (637)
  • Page 637: System

    • Connect an external serial modem to the AUX port to provide a management connection in case the ZyWALL’s other WAN connections are down. Use the System > Dial-in Mgmt. screen (see Section 45.11 on page 675) to configure the external serial modem. ZyWALL 1050 User’s Guide...
  • Page 638: Host Name

    DHCP server enabled. This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes “-” are accepted. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 1050 User’s Guide...
  • Page 639: Date And Time

    This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. ZyWALL 1050 User’s Guide...
  • Page 640 Enter a number from 1 to 5.5 (by 0.5 increments). For example, if you set this field to 3.5, a log occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M. ZyWALL 1050 User’s Guide...
  • Page 641: Pre-Defined Ntp Time Servers List

    2 Select Manual under Time and Date Setup. 3 Enter the ZyWALL’s time in the New Time field. 4 Enter the ZyWALL’s date in the New Date field. 5 Under Time Zone Setup, select your Time Zone from the list. ZyWALL 1050 User’s Guide...
  • Page 642: Console Port Speed

    The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the ZyWALL Web Configurator Status screen. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 1050 User’s Guide...
  • Page 643: Dns Overview

    VPN, DDNS and the time server. You can also configure the ZyWALL to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices. Figure 456 System > DNS ZyWALL 1050 User’s Guide...
  • Page 644: Table 230 System > Dns

    A MX (Mail eXchange) record identifies a mail server that handles the mail for a My FQDN) particular domain. This is the index number of the MX record. Domain Name This is the domain name where the mail is destined for. ZyWALL 1050 User’s Guide...
  • Page 645: Address Record

    If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server. ZyWALL 1050 User’s Guide...
  • Page 646: Ptr Record

    DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. ZyWALL 1050 User’s Guide...
  • Page 647: Adding A Domain Zone Forwarder

    Each host or domain can have only one MX record, that is, one domain is mapping to one host. ZyWALL 1050 User’s Guide...
  • Page 648: Adding A Mx Record

    Select Accept to have the ZyWALL allow the DNS queries from the specified computer. Select Deny to have the ZyWALL reject the DNS queries from the specified computer. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving ZyWALL 1050 User’s Guide...
  • Page 649: Www Overview

    IP address (the ZyWALL disallows the session). 3 The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. 4 There is a firewall rule that blocks it. ZyWALL 1050 User’s Guide...
  • Page 650: System Timeout

    1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s web server. 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s web server. ZyWALL 1050 User’s Guide...
  • Page 651: Configuring Www Service Control

    ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from. Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). ZyWALL 1050 User’s Guide...
  • Page 652: Figure 463 System > Www > Service Control

    HTTPS client. You must have certificates already configured in the My Certificates screen. Redirect HTTP To allow only secure Web Configurator access, select this to redirect all HTTP to HTTPS connection requests to the HTTPS server. ZyWALL 1050 User’s Guide...
  • Page 653 This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). ZyWALL 1050 User’s Guide...
  • Page 654: Service Control Rules

    Select Accept to allow the user to access the ZyWALL from the specified computers. Select Deny to block the user’s access to the ZyWALL from the specified computers. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving ZyWALL 1050 User’s Guide...
  • Page 655: Customizing The Www Login Page

    Internet. See Chapter 36 on page 561 for more on access user accounts. Figure 465 System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages. ZyWALL 1050 User’s Guide...
  • Page 656: Figure 466 Login Page Customization

    • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)” for black. ZyWALL 1050 User’s Guide...
  • Page 657: Table 237 System > Www > Login Page

    Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen’s text. Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed. ZyWALL 1050 User’s Guide...
  • Page 658: HTTPS Example

    Use the button that lets you examine the certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL's certificate into the SSL client. Compare the certificate shown with the one listed in the My Certificates screen before accepting it permanently; once imported, the browser will not warn about that certificate again.
  • Page 659: Figure 469 Security Certificate 1 (Netscape)

    • To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. Refer to Appendix D on page 799 for details. Only import a CA certificate that you control or have verified: every certificate that CA signs is then trusted by every application that uses the operating system store.
  • Page 660: Figure 471 Login Screen (Internet Explorer)

    The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 45.6.7.5.1 Installing the CA's Certificate: 1 Double click the CA's trusted certificate to produce a screen similar to the one shown next.
  • Page 661: Figure 473 CA Certificate Example

    Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard. Figure 474 Personal Certificate Import Wizard 1
  • Page 662: Figure 475 Personal Certificate Import Wizard 2

    File name text box. Click Browse if you wish to import a different certificate. Figure 475 Personal Certificate Import Wizard 2. 3 Enter the password given to you by the CA. Figure 476 Personal Certificate Import Wizard 3
  • Page 663: Figure 477 Personal Certificate Import Wizard 4

    Place all certificates in the following store and choose a different location. Figure 477 Personal Certificate Import Wizard 4. 5 Click Finish to complete the wizard and begin the import process. Figure 478 Personal Certificate Import Wizard 5
  • Page 664: Figure 479 Personal Certificate Import Wizard 6

    2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate, as in the example. Figure 481 SSL Client Authentication
  • Page 665: SSH

    ZyWALL for a management session. Figure 483 SSH Communication Over the WAN Example. 45.7.1 How SSH Works: The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. SSH v1 is obsolete: its integrity check is a CRC-32 rather than a keyed MAC, and current OpenSSH clients no longer speak it. Prefer SSH v2 where the firmware offers it and, in either case, restrict SSH access with service control rules.
  • Page 666: SSH Implementation on the ZyWALL

    ZyWALL for management using port 22 (by default). 45.7.3 Requirements for Using SSH: You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
  • Page 667: Configuring SSH

    This is the object name of the address object (the IP addresses) from which access is allowed or denied. Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
  • Page 668: Secure Telnet Using SSH Examples

    Enter the password to log in to the ZyWALL. The CLI screen displays next. 45.7.5.2 Example 2: Linux. This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the ZyWALL.
  • Page 669: Figure 487 SSH Example 2: Test

    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
    Administrator@192.168.1.1's password:
    3 The CLI screen displays next. Compare the fingerprint with one obtained out of band (for example from the console) before answering yes; the "Permanently added" line means the client will trust that key for every later session without asking again.
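    The session above prompts for a host key fingerprint before the password is sent; answering yes without checking it means an attacker on the path to the ZyWALL can present their own key and capture the administrator password. The added example below (not ZyXEL's code) computes the MD5 colon-hex style shown above and the SHA256 style that newer OpenSSH prints from a public key line and compares it against a fingerprint recorded out of band; the key material is a constructed dummy blob in the OpenSSH wire layout, not a real key.

```python
"""Host key fingerprint check for the "Are you sure you want to continue
connecting" prompt (added example, not ZyXEL code).

Computes the two fingerprint styles OpenSSH prints (MD5 colon-hex, as in the
session above, and SHA256 base64) from a public key line and compares against
a value recorded out of band. The key below is a constructed dummy blob in the
OpenSSH wire layout ("ssh-rsa", e, n), not a real key.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data


# Constructed dummy key: correct framing but toy values for e and n.
DUMMY_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
              + _ssh_string(b"\x00\xc0\xff\xee\x01\x02\x03\x04"))
PUBKEY_LINE = "192.168.1.1 ssh-rsa " + base64.b64encode(DUMMY_BLOB).decode()


def parse_pubkey_line(line: str):
    """Split a known_hosts style line into (host, key type, raw key blob)."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob must start with the key type it claims, otherwise refuse it.
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type in blob does not match %r" % keytype)
    return host, keytype, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH style: 16 colon-separated hex bytes."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH style: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line: str, expected: str) -> bool:
    """True only if the recorded fingerprint matches the key on the line.

    Accepts either style; the comparison is constant-time so the check cannot
    be turned into an oracle if it is ever exposed over a network.
    """
    _, _, blob = parse_pubkey_line(line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
    else:
        actual = md5_fingerprint(blob).lower()
        expected = expected.lower()
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    _, _, blob = parse_pubkey_line(PUBKEY_LINE)
    print(md5_fingerprint(blob))
    print(sha256_fingerprint(blob))
    print(fingerprint_matches(PUBKEY_LINE, md5_fingerprint(blob)))
```

    The MD5 form is what the SSH v1 session above displays; it is fine for matching a value you copied from the console, but record the SHA256 form as well where the client supports it, since MD5 collisions are practical.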
  • Page 670: Telnet

    Click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. Telnet carries the administrator password in cleartext; if it must stay enabled, limit it to trusted zones and addresses with these rules and prefer SSH for management.
  • Page 671: FTP

    ZyWALL for FTP connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 42 on page 607 for details). Service Control: This specifies from which computers you can access which ZyWALL zones.
  • Page 672: SNMP

    ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c). Both versions authenticate requests with a cleartext community string and encrypt nothing, so treat the community string as a shared password, use a read-only community where possible, and limit which hosts may query with the SNMP service control rules. The next figure illustrates an SNMP management operation. Figure 491 SNMP Management Model
  • Page 673: Supported MIBs

    (linkDown) This trap is sent when the Ethernet link is down. linkUp 1.3.6.1.6.3.1.1.5.4: This trap is sent when the Ethernet link is up. authenticationFailure 1.3.6.1.6.3.1.1.5.5: This trap is sent when an SNMP request comes from non-authenticated hosts, which makes it a useful signal of community string guessing or of a scanner probing the management interface.
  • Page 674: Configuring SNMP

    This is the object name of the address object (the IP addresses) from which access is allowed or denied. Action: This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny).
  • Page 675: Dial-in Management

    The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags.
  • Page 676: Configuring Dial-in Mgmt

    If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not make any configuration changes directly on the ZyWALL (using either the Web Configurator or commands) without notifying the Vantage CNM administrator.
  • Page 677: Configuring Vantage CNM

    Keep Alive Interval: ... when there is no other traffic. The keep-alive packets maintain the Vantage CNM server's control session. Periodic Inform Interval: Select this option to have the ZyWALL periodically send "Inform" messages to the Vantage CNM server.
  • Page 678: Language Screen

    Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 679: Maintenance, Troubleshooting, & Specifications

    Maintenance, Troubleshooting, & Specifications
    File Manager (681)
    Logs (691)
    Reports (701)
    Diagnostics (717)
    Reboot (719)
    Troubleshooting (721)
    Product Specifications (725)
  • Page 681: File Manager

    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change. Because omitted features revert to factory defaults, a hand-edited configuration file that has lost a section (its firewall rules, say) silently removes those settings when applied; compare the file against the running configuration before applying it.
  • Page 682: Figure 496 Configuration File / Shell Script: Example

    In a configuration file or shell script, use "#" or "!" as the first character of a command line to have the ZyWALL treat the line as a comment. Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the ZyWALL exit sub-command mode.
  • Page 683 on-error off: The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors.
  • Page 684: The Configuration File Screen

    stop-on-error off: The ZyWALL ignores any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors. Figure 497 Maintenance > File Manager > Configuration File
  • Page 685: Figure 498 Maintenance > File Manager > Configuration File > Copy

    A pop-up window asks you to confirm that you want to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file.
  • Page 686 ".conf" filename extension. You will receive an error message if you try to upload a file of a different format. Remember that you must decompress compressed (.zip) files before you can upload them. Upload: Click Upload to begin the upload process. This process may take up to two minutes.
  • Page 687: The Firmware Package Screen

    Destroy compressed files that could not be decompressed option. The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress! Only upload firmware obtained from ZyXEL: a firmware package replaces the code that enforces every other setting on the device. Figure 500 Maintenance > File Manager > Firmware Package
  • Page 688: Figure 501 Firmware Upload in Process

    After five minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen. Figure 503 Firmware Upload Error
  • Page 689: The Shell Script Screen

    Specify a name for the duplicate file. Use up to 25 characters (including a-zA-Z0-9;'~!@#$%^&()_+[]{}',.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the file.
  • Page 690: Figure 506 Maintenance > File Manager > Shell Script > Rename

    Type in the location of the file you want to upload in this field or click Browse... to find it. Browse...: Click Browse... to find the .zysh file you want to upload. Upload: Click Upload to begin the upload process. This process may take up to several minutes.
  • Page 691: Logs

    Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
  • Page 692: Figure 507 Maintenance > Log > View Log

    Allowed characters in the filter field: ( ) ' , : ; ? ! + - * / = # $ % @ and space; the period, double quotes, and brackets are not allowed. Search: Click this button to update the log using the current filter settings.
  • Page 693: Figure 508 Maintenance > Log > View Log > Column Setting

    Destination: This field displays the destination IP address and the port number of the event that generated the log message. Note: This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
  • Page 694: Log Setting Screens

    Active Log Summary screen to edit this information for all logs at the same time. 47.4.1 Log Setting Summary: To access this screen, click Maintenance > Log > Log Setting. Figure 509 Maintenance > Log > Log Setting
  • Page 695: Table 251 Maintenance > Log > Log Setting

    To edit the settings, click the Edit icon next to the associated log. The Log Settings Edit screen appears. Active Log Summary: Click this button to open the Active Log Summary Edit screen. Apply: Click this button to save your changes (activate and deactivate logs) and make them take effect.
  • Page 696: Edit System Log Settings

    Active Log and Alert section. Mail Server: Type the name or IP address of the outgoing SMTP server. Mail Subject: Type the subject line for the outgoing e-mail.
  • Page 697 Consolidation Interval: Type how often, in seconds, to consolidate log information. If the same log message appears multiple times, it is aggregated into one log message with the text "[count=x]", where x is the number of original log messages, appended at the end of the Message field. Anything that counts events downstream (a SIEM rule on failed logins, for example) has to parse that suffix, or a burst of identical messages is counted once.
  • Page 698: Edit Remote Server Log Settings

    Log Format: This field displays the format of the log information. It is read-only. VRPT/Syslog: ZyXEL's Vantage Report, syslog-compatible format. CEF/Syslog: Common Event Format, syslog-compatible format. Server Address: Type the server name or the IP address of the syslog server to which to send log information.
  • Page 699: Active Log Summary Screen

    (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 47.4.1 on page 694), and click the Active Log Summary button. Figure 512 Active Log Summary
  • Page 700: Table 254 Maintenance > Log > Log Setting > Active Log Summary

    If you check one of the check boxes for All Logs, it affects the settings for every category. OK: Click this to save your changes and return to the previous screen. Cancel: Click this to return to the previous screen without saving your changes.
  • Page 701: Reports

    Table 255 on page 702 for more information.
    • Most-used protocols or service ports and the amount of traffic on each one
    • LAN IP with heaviest traffic and how much traffic has been sent to and from each one
  • Page 702: Figure 513 Maintenance > Report > Traffic Statistics

    Egress: traffic is going from the ZyWALL to the IP address or user. IP Address/User: This field displays the IP address or user in this record. The maximum number of IP addresses or users in this report is indicated in Table 256 on page 703.
  • Page 703: Table 256 Maximum Values for Reports

    Table 256 Maximum Values for Reports
    LABEL: DESCRIPTION
    Maximum Number of Records
    Byte Count Limit: bytes; this is just less than 17 million terabytes.
    Hit Count Limit: hits; this is over 1.8 x 10^19 hits.
  • Page 704: The Session Monitor Screen

    - filter the active sessions by the User, Service, Source Address, and Destination Address, and display each session individually (sorted by user). Refresh: Click this button to update the information on the screen. The screen also refreshes automatically when you open and close the screen.
  • Page 705 Duration: This field displays the length of the active session in seconds. Count: This field displays the number of active sessions for each user, service, or IP address. This field does not display when you are viewing all sessions (since each session is displayed individually).
  • Page 706: The Anti-Virus Report Screen

    ZyWALL has detected. Rank: This field displays the entry's rank in the list of the top entries. Virus Name: This column displays when you display the entries by Virus Name. This displays the name of a detected virus.
  • Page 707: The IDP Report Screen

    Figure 517 Maintenance > Report > Anti-Virus: Destination. 48.5 The IDP Report Screen: Click Maintenance > Report > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 518 Maintenance > Report > IDP: Signature Name
  • Page 708: Table 259 Maintenance > Report > IDP

    IP address at which intrusion attempts were targeted. Occurrences: This field displays how many times the ZyWALL has detected the event described in the entry. Total: This field displays the sum of the occurrences of the events in the entries.
  • Page 709: Figure 519 Maintenance > Report > IDP: Source

    The statistics display as follows when you display the top entries by source. Figure 519 Maintenance > Report > IDP: Source. The statistics display as follows when you display the top entries by destination. Figure 520 Maintenance > Report > IDP: Destination
  • Page 710: The Content Filter Report Screen

    Web Pages Warned by Category: This is the number of web pages that matched an external database content filtering category selected in the ZyWALL and for which the ZyWALL displayed a warning before allowing users access.
  • Page 711 Report Server: Click this link to go to http://www.myZyXEL.com where you can view content filtering reports after you have activated the category-based content filtering subscription service.
  • Page 712: The Anti-Spam Report Screen

    Spam Mails Detected: This is the number of e-mails that the ZyWALL has determined to be spam. Spam Mails Detected by Black List: This is the number of e-mails that matched an entry in the ZyWALL's anti-spam black list.
  • Page 713 ZyWALL has detected the most spam. Occurrence: This field displays how many spam e-mails the ZyWALL detected from the sender. Total: This field displays the sum of the occurrences of the events in the entries.
  • Page 714: The Email Daily Report Screen

    Table 262 Maintenance > Report > Email Daily Report
    LABEL: DESCRIPTION
    General Settings
    Enable Email Daily Report: Select this to send reports by e-mail every day.
    Email Settings
    Mail Server: Type the name or IP address of the outgoing SMTP server.
  • Page 715 Reset Counters: Click this to discard all report data and start all of the counters over at zero. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 717: Diagnostics

    This is the size of the most recently created diagnostic file. Collect Now: Click this to have the ZyWALL create a new diagnostic file. Download: Click this to save the most recent diagnostic file to a computer. Treat the downloaded file as sensitive data and share it only with the support contact that asked for it.
  • Page 719: Reboot

    Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL.
  • Page 721: Troubleshooting

    UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
    • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too.
  • Page 722 The VPN wizard automatically creates a corresponding policy route. If you use the VPN > IPSec VPN or VPN > L2TP VPN screens to set up a VPN tunnel, you need to manually configure a policy route for the VPN tunnel.
  • Page 723: Resetting the ZyWALL

    2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. The default settings include the factory administrator password, so change it and re-apply your saved configuration before the ZyWALL is reachable from untrusted networks.
  • Page 724: Getting More Troubleshooting Help

    51.2 Getting More Troubleshooting Help: Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 725: Product Specifications

    Temperature: -30 °C to 60 °C
    Humidity: 5% to 90% (non-condensing)
    MTBF: Mean Time Between Failures: 51,611 hours
    Dimensions: 430.7 (W) x 292.0 (D) x 43.5 (H) mm
    Weight: 4.7 kg
    Rack-mounting: Rack-mountable (rack-mount kit included)
  • Page 726: Table 266 Feature Specifications

    Table 266 Feature Specifications (three value columns; a blank means the value is not given here)
    Maximum Admin Users:
    Maximum User Groups:
    Maximum Users in One User Group: 1024 / 1024 / 1024
    OBJECTS
    Address Objects: 5000 / 5000 / 5000
    Address Groups: 1000 / 1000 / 1000
    Maximum Address Objects in One Group:
    Service Objects: 5000 / 5000 / 5000
  • Page 727 Table 266 Feature Specifications, continued (three value columns; a blank means the value is not given here)
    Maximum Number of DDNS Profiles:
    DHCP Relay: 2 per interface / 2 per interface / 2 per interface
    CENTRALIZED LOG
    Log Entries:
    Debug Log Entries: 1024 / 1024 / 1024
    Admin E-mail Addresses:
    Syslog Servers:
    Maximum Number of IDP Profiles:
    Custom Signatures:
    CONTENT FILTER
  • Page 728: Table 267 Standards Referenced by Features

    Built-in service, HTTP server: RFCs 1945, 2616, 2965, 2732, 2295
    Built-in service, SNMP agent: RFCs 1067, 1213, 2576, 2578, 2579, 2580, 2741, 2667, 2981, 3371
    Login, LDAP support: RFCs 2251, 2252, 2253, 2254, 2255, 2256, 2589, 2829, 2830
  • Page 729 Table 267 Standards Referenced by Features, continued
    Used by Time service: RFC 3339
    Used by Telnet service: RFCs 318, 854, 1413
    Used by SIP ALG: RFCs 3261, 3264
    DHCP relay: RFC 1541
    ZySH: W3C XML standard
    ARP: RFC 826
    IP/IPv4: RFC 791
    TCP: RFC 793
  • Page 731: Appendices And Index

    Appendices and Index Common Services (789) Displaying Anti-Virus Alert Messages in Windows (793) Importing Certificates (799) Open Software Announcements (823) Wireless LANs (847) Legal Information (861) Customer Support (865) Index (871)
  • Page 733: Appendix A Log Descriptions

    (continued from the previous entry) %s: website host
    Log message: %s: Service is not registered
    Description: The device allowed access to a web site. The content filtering service is unregistered and the default policy is not set to block. %s: website host
  • Page 734: Table 270 Blocked Web Site Logs

    Log message: %s: Keyword blocking
    Description: The web content matched a user defined keyword. %s: website host
    Log message: %s: Blocking by default policy
    Description: No content filter policy is applied and access was blocked since the default action is block. %s: website host
  • Page 735: Table 271 Anti-Spam Logs

    Log message: Black List rule %d has been deactivated.
    Description: The anti-spam black list rule with the specified index number (%d) has been turned off.
    Log message: DNSBL checking has been activated.
    Description: Anti-spam DNSBL (DNS Black List) server checking has been turned on.
  • Page 736: Table 272 SSL VPN Logs

    (continued from the previous entry, SSL tunnel is established) ... the IP address given to the SSL user.
    Log message: SSL tunnel is disconnected
    Description: An SSL tunnel has been disconnected. The source is the login IP address. The destination is the IP address given to the SSL user.
  • Page 737 Log message (beginning not shown): ... subnet with %s in SSL VPN policy %s. So %s will not be injected to client side.
    Description (beginning not shown): ... %s) in the listed SSL VPN policy (second %s), so the listed address (third %s) will not be given to an SSL VPN client.
  • Page 738 (continued from the previous entry) ... (login on a lockout address)
    Log message: Failed login attempt to SSLVPN from %s (reach the max. number of user)
    Description: The listed user (%s) failed to log into SSL VPN because the maximum number of users were already logged in.
  • Page 739: Table 273 L2TP over IPSec Logs

    Log message: User has been denied from L2TP service. (address pool exhausted)
    Description: An attempted login to the L2TP over IPSec service failed because the L2TP over IPSec IP address pool does not have any more IP addresses to give out.
  • Page 740: Table 274 ZySH Logs

    Log message: can't alloc entry: %s!  (1st %s: zysh entry name)
    Log message: can't retrieve entry:  (1st %s: zysh entry name)
    Log message: can't get entry: %s!  (1st %s: zysh entry name)
    Log message: can't print entry: %s!  (1st %s: zysh entry name)
    Log message: %s: cannot retrieve entries from list!  (1st %s: zysh list name)
  • Page 741 Log message: Unable to move entry #%d!  (1st %d: zysh entry number)
    Log message: %s: apply failed at initial stage!  (1st %s: zysh table name)
    Log message: %s: apply failed at main stage!  (1st %s: zysh table name)
    Log message: %s: apply failed at closing stage!  (1st %s: zysh table name)
  • Page 742: Table 275 ADP Logs

    Log message: Initializing Anti-Virus signature reference table has failed.
    Description: The ZyWALL failed to initialize the anti-virus signatures due to an internal error.
    Log message: Reloading Anti-Virus signature database has failed.
    Description: The ZyWALL failed to reload the anti-virus signatures due to an internal error.
  • Page 743 Log message: AV signature update has failed. (Memory not enough)
    Description: An anti-virus signature update failed because the ZyWALL did not have enough system resources free to finish the signature update.
    Log message: AV signature size is over system limitation
    Description: An anti-virus signature update failed because the anti-virus signature file was too large.
  • Page 744 (continued from the previous entry) 2nd %s: The white list or black list.
    Log message: %s has been %s
    Description: An anti-virus file pattern white list or black list was turned on or off. 1st %s: The white list or black list. 2nd %s: Activated/deactivated.
  • Page 745: Table 277 User Logs

    Log message: Failed login attempt to ZyWALL from %s (reach the max. number of user)
    Description: The ZyWALL blocked a login because the maximum login capacity for the particular service has already been reached. %s: service name
  • Page 746: Table 278 myZyXEL.com Logs

    Log message: %s: Trial service activation has succeeded.  (%s: service name)
    Log message: Trial service activation has failed. Because of lack must fields.
    Description: The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
  • Page 747 Log message: Change Anti-Virus engine has failed:%s.
    Description: The device failed to change the type of anti-virus engine. %s is the server response error message.
    Log message: Change Anti-Virus engine has succeeded.
    Description: The device successfully changed the type of anti-virus engine.
  • Page 748 Log message: Starting signature update.
    Description: The device started an IDP signature update.
    Log message: IDP signature download has succeeded.
    Description: The device successfully downloaded an IDP signature file.
    Log message: IDP signature update has succeeded.
    Description: The device successfully downloaded and applied an IDP signature file.
  • Page 749 Log message: Do expiration daily-check has succeeded.
    Log message: Expiration daily-check will trigger PPP interface. Do self-check.
    Description: Before the device sends an expiration day check packet, it needs to check whether or not it will trigger a PPP connection.
  • Page 750 (continued from the previous entry) The wrong format for HTTP header.
    Log message: Timeout for get server response.
    Description: After the device sent packets to a server, the device did not receive any response from the server. The root cause may be a network delay issue.
  • Page 751: Table 279 IDP Logs

    Log message: IDP service trial license is not registered. Update signature failed.
    Description: The device cannot update the IDP signatures.
    Log message: Custom signature add error: sid <sid>, <error_message>.
    Description: An attempt to add a custom IDP signature failed. The error sid and message are displayed.
  • Page 752 Log message (beginning not shown): ... failed. Can not update synchronized file.
    Description: IDP device HA synchronized file failed.
    Log message: IDP signature update from version <version> to version <version> has succeeded.
    Description: An IDP signature update succeeded. The previous and updated IDP signature versions are listed.
  • Page 753 Log message: Can not get signature version.
    Description: The device could not get the signature version from the new signature package it downloaded from the update server.
    Log message: IDP system-protect signature update failed. Invalid IDP config file.
    Description: An IDP system-protect signature update failed.
  • Page 754 Log message (beginning not shown): ... please refer to your user documentation to recover the default database file
    Description: See the CLI reference guide for how to restore the default system database.
    Log message: IDP signature size is over system limitation.
    Description: The IDP signature set is too large (exceeds the ZyWALL's system limitation).
  • Page 755: Table 280 Application Patrol

    Log message: Rule %s:%s has been removed.
    Description: An application patrol rule has been deleted. 1st %s: Protocol name. 2nd %s: From rule index number. 3rd %s: To rule index number.
    Log message: System fatal error: 60011001.
    Description: The device failed to initiate the application patrol daemon.
  • Page 756: Table 281 IKE Logs

    Log message: [SA] : No proposal chosen
    Description: When selecting a matched proposal in phase-1 or phase-2, no proposal was selected.
    Log message: [SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch
    Description: %s is the tunnel name. When negotiating Phase-1, the authentication algorithm did not match.
  • Page 757 Log message: Cannot resolve My IP Addr %s for Tunnel [%s]  (severity INFO)
    Description: 1st %s is my IP address. 2nd %s is the tunnel name. When selecting a matched proposal in phase-1, the engine could not get the My-IP address.
  • Page 758 Log message: Tunnel [%s] Phase 1 pre-shared key mismatch
    Description: %s is the tunnel name. When negotiating phase-1, the pre-shared key did not match.
    Log message: Tunnel [%s] Recving IKE request
    Description: %s is the tunnel name. The device received an IKE request.
  • Page 759 (continued from the previous entry) ... Sending IKE request
    Log message: Tunnel [%s:0x%x] is disconnected
    Description: The variables represent the tunnel name and the SPI of a tunnel that was disconnected.
    Log message: Tunnel [%s] rekeyed successfully
    Description: %s is the tunnel name. The tunnel was rekeyed successfully.
  • Page 760: Table 282 IPSec Logs

    (continued from the previous entry) ... 3rd is the to zone, 4th is the service name, 5th is ACCEPT/DROP/REJECT.
    Log message: Firewall is dead, trace to %s:%d: in %s():
    Description: %s is which file, %d is which line, %s is which function
    Log message: Firewall has been %s.
    Description: %s is enabled/disabled
  • Page 761: Table 284 Sessions Limit Logs

    Log message: Cannot get handle from UAM, user-aware PR is disabled
    Description: User-aware policy routing is disabled due to some reason.
    Log message: mblock: allocate memory failed!
    Description: Allocating policy routing rule fails: insufficient memory.
    Log message: pt: allocate memory failed!
    Description: Allocating policy routing rule fails: insufficient memory.
  • Page 762: Table 286 Built-in Services Logs

    Log message: HTTPS certificate:%s does not exist. HTTPS service will not work.
    Description: %s is the certificate name assigned by the user
    Log message: HTTPS port has been changed to port %s.
    Description: An administrator changed the port number for HTTPS. %s is the port number
  • Page 763 Log message: DHCP Server on Interface %s will not work due to Device HA status is Stand-By
    Description: If the interface is in stand-by mode for device HA, the DHCP server can't be run. Otherwise it has a conflict with the interface in master mode. %s is the interface name
  • Page 764 (continued from the previous entry) Zone Forwarder has reached the maximum number of 128 DNS servers.
    Log message: Ping check ok, add DNS servers in bind.
    Description: Interface %s ping check is successful. %s is the interface name. Zone Forwarder adds DNS servers in records.
  • Page 765: Table 287 System Logs

    (continued from the previous entry) SNMP trap can not be sent successfully
    Table 287 System Logs
    Log message: Port %d is up!!
    Description: When LINK is up, %d is the port number.
    Log message: Port %d is down!!
    Description: When LINK is down, %d is the port number.
  • Page 766 (continued from the previous entry) ... IP address. / ... arp response packets for the requested IP address
    Log message: Clear arp cache successfully.
    Description: The ARP cache was cleared successfully.
    Log message: Client MAC address is not an Ethernet address
    Description: A client MAC address is not an Ethernet address.
  • Page 767 (continued from the previous entry) Log message: ... has failed because the FQDN %s was blocked for abuse. Description: ... FQDN of the profile.
    Log message: Update the profile %s has failed because of authentication fail.
    Description: Tried to update the profile, but failed because of an authentication failure. %s is the profile name.
  • Page 768 Log message: The profile %s has been paused because the VRRP status of WAN interface was standby.
    Description: The profile is paused by device HA, because the VRRP status of that interface is standby. %s is the profile name.
  • Page 769 Log message: DDNS profile %s has been renamed as %s.
    Description: Rename DDNS profile. 1st %s is the original profile name, 2nd %s is the new profile name.
    Log message: DDNS profile %s has been deleted.
    Description: Delete DDNS profile. %s is the profile name.
  • Page 770: Table 288 Connectivity Check Logs

    Log message: Can't get flags of %s interface
    Description: The connectivity check process can't get the interface configuration. %s: interface name
    Log message: Can't get remote address of %s interface
    Description: The connectivity check process can't get the remote address of the PPP interface. %s: interface name
  • Page 771: Table 289 Device Ha Logs

    (LOG MESSAGE / DESCRIPTION)
    Master configuration is the same with Backup. Skip updating / The System Startup configuration file synchronized from the Master is the same as the one in the Backup, so the configuration does not have to be updated.
  • Page 772 (LOG MESSAGE / DESCRIPTION)
    Device HA authentication type for VRRP group %s maybe wrong. / A VRRP group’s Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group.
  • Page 773 (LOG MESSAGE / DESCRIPTION)
    ... %s for %s due to transmission timeout.
    VRRP interface %s has been shutdown. / %s: The name of the VRRP interface.
    VRRP interface %s has been brought up. / %s: The name of the VRRP interface.
  • Page 774: Table 290 Routing Protocol Logs

    (LOG MESSAGE / DESCRIPTION)
    ... RIP direction on Name interface %s has been changed to BiDir.
    RIP authentication has benn disabled. / RIP text or md5 authentication has been disabled.
    RIP text authentication key has been deleted. / RIP text authentication key has been deleted.
  • Page 775 (LOG MESSAGE / DESCRIPTION)
    ... link %d md5 authentication of area / ... %s: Virtual-Link ID
    Invalid OSPF virtual-link %s text authentication of area / Virtual-link %s text authentication has been set without setting text authentication key first. %s: Virtual-Link ID
  • Page 776: Table 291 Nat Logs

    (LOG MESSAGE / DESCRIPTION)
    ... / Signal port of SIP ALG has been modified.
    Register SIP ALG extra port=%d failed. / SIP ALG apply additional signal port failed. %d: Port number
    Register SIP ALG signal port=%d failed. / SIP ALG apply signal port failed. %d: Port number
  • Page 777: Table 292 Pki Logs

    (LOG MESSAGE / DESCRIPTION)
    SCEP enrollment "%s" failed, CA "%s", URL "%s" / The device was unable to use SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL
  • Page 778 (LOG MESSAGE / DESCRIPTION)
    Export X509 certificate "%s" from "My Certificate" successfully / ... %s is the certificate request name.
    Export X509 certificate "%s" from "Trusted Certificate" successfully / The device exported an x509 format certificate from Trusted Certificates. %s is the certificate request name.
  • Page 779 CRL was not added to the cache. CRL decoding failed. CRL is not currently valid, but in the future. CRL contains duplicate serial numbers. Time interval is not continuous. Time information not available. Database method failed due to timeout. Database method failed.
  • Page 780: Table 293 Interface Logs

    (LOG MESSAGE / DESCRIPTION)
    Interface %s has been added. / An administrator added a new interface. %s: interface name.
    Interface %s is enabled. / An administrator enabled an interface. %s: interface name.
    Interface %s is disabled. / An administrator disabled an interface. %s: interface name.
  • Page 781 (LOG MESSAGE / DESCRIPTION)
    CHAP authentication failed. / ... server does not support CHAP). CHAP: interface name.
    Interface %s is connected. / A PPP or AUX interface connected successfully. %s: interface name.
  • Page 782 (LOG MESSAGE / DESCRIPTION)
    "Incorrect PUK code of cellular%d. / You entered an incorrect PUK code so you were not able to unlock the SIM card for the cellular device associated with the listed cellular interface (%d). Please check the PUK code setting.
  • Page 783 (LOG MESSAGE / DESCRIPTION)
    ... %s, but current inserted device is %s.
    "Cellular device [%s %s] has been inserted into %s. / The cellular device (identified by its manufacturer and model) has been inserted in or connected to the specified slot.
  • Page 784: Table 294 Wlan Logs

    (LOG MESSAGE / DESCRIPTION)
    Station association has failed. Maximum associations have reached the maximum number. Interface: %s, MAC: %s. / A wireless client with the specified MAC address (second %s) failed to connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum number of wireless clients.
  • Page 785: Table 295 Account Logs

    (LOG MESSAGE / DESCRIPTION)
    ... client. / ... DHCP client and has more than one member in its group. In this case the DHCP client will renew. %s: interface name.
    Port Grouping %s has been changed. / An administrator configured port-grouping, %s: interface name.
  • Page 786: Table 297 Force Authentication Logs

    (LOG MESSAGE / DESCRIPTION)
    ... / ... DHCP clients, so there is no IP address to give to the listed DHCP client.
    DHCP server offered %s to %s(%s) / The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address.
  • Page 787: Table 300 E-Mail Daily Report Logs

    Table 301 IP-MAC Binding Logs (LOG MESSAGE / DESCRIPTION)
    Drop packet %s-%u.%u.%u.%u-%02X:%02X:%02X:%02X:%02X:%02X / The IP-MAC binding feature dropped an Ethernet packet. The interface the packet came in through and the sender’s IP address and MAC address are also shown.
  • Page 788 (LOG MESSAGE / DESCRIPTION)
    ... %s#%u.%u.%u.%u#%02X:%02X:%02X:%02X:%02X:%02 / ... The interface the packet came in through, the sender’s IP address and MAC address, are also shown along with the binding type (“s” for static or “d” for dynamic).
  • Page 789: Appendix B Common Services

    ... IP numbers.
    IPSEC_TUNNEL (ESP), User-Defined: The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
    FINGER: Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 790 ... This is the data channel. RCMD: Remote Command Service. REAL_AUDIO (7070): A streaming audio service that enables real time sound over the web. REXEC: Remote Execution Daemon. RLOGIN: Remote Login. RTELNET: Remote Telnet.
  • Page 791 TFTP: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE (7000): Another videoconferencing solution.
  • Page 793: Appendix C Displaying Anti-Virus Alert Messages In Windows

    Windows XP 1 Click Start > Control Panel > Administrative Tools > Services. Figure 526 Windows XP: Opening the Services Window 2 Select the Messenger service and click Start.
  • Page 794: Figure 527 Windows Xp: Starting The Messenger Service

    3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 528 Windows 2000: Opening the Services Window 2 Select the Messenger service and click Start Service.
  • Page 795: Figure 529 Windows 2000: Starting The Messenger Service

    ... 98 SE (steps are similar for Windows Me). 1 Right-click on the program task bar and click Properties. Figure 531 Windows 98 SE: Program Task Bar 2 Click the Start Menu Programs tab and click Advanced ...
  • Page 796: Figure 532 Windows 98 Se: Task Bar Properties

    3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New, Shortcut. Figure 533 Windows 98 SE: StartUp 5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
  • Page 797: Figure 534 Windows 98 Se: Startup: Create Shortcut

    6 Specify a name for the shortcut or accept the default and click Finish. Figure 535 Windows 98 SE: Startup: Select a Title for the Program 7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
  • Page 798: Figure 536 Windows 98 Se: Startup: Shortcut

    Figure 536 Windows 98 SE: Startup: Shortcut The WinPopup window displays after the computer finishes the startup process (see Figure 530 on page 795).
  • Page 799: Appendix D Importing Certificates

    In this appendix, you can import a public key certificate for: • Internet Explorer on page 800 • Firefox on page 808 • Opera on page 813 • Konqueror on page 819
  • Page 800: Figure 537 Internet Explorer 7: Certification Error

    Figure 537 Internet Explorer 7: Certification Error 2 Click Continue to this website (not recommended). Figure 538 Internet Explorer 7: Certification Error 3 In the Address Bar, click Certificate Error > View certificates. Figure 539 Internet Explorer 7: Certificate Error
  • Page 801: Figure 540 Internet Explorer 7: Certificate

    4 In the Certificate dialog box, click Install Certificate. Figure 540 Internet Explorer 7: Certificate 5 In the Certificate Import Wizard, click Next. Figure 541 Internet Explorer 7: Certificate Import Wizard
  • Page 802: Figure 542 Internet Explorer 7: Certificate Import Wizard

    Figure 543 Internet Explorer 7: Certificate Import Wizard 8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 544 Internet Explorer 7: Select Certificate Store
  • Page 803: Figure 545 Internet Explorer 7: Certificate Import Wizard

    9 In the Completing the Certificate Import Wizard screen, click Finish. Figure 545 Internet Explorer 7: Certificate Import Wizard 10 If you are presented with another Security Warning, click Yes. Figure 546 Internet Explorer 7: Security Warning
  • Page 804: Figure 547 Internet Explorer 7: Certificate Import Wizard

    12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information. Figure 548 Internet Explorer 7: Website Identification
  • Page 805: Figure 549 Internet Explorer 7: Public Key Certificate File

    2 In the security warning dialog box, click Open. Figure 550 Internet Explorer 7: Open File - Security Warning 3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 800 to complete the installation process.
  • Page 806: Figure 551 Internet Explorer 7: Tools Menu

    This section shows you how to remove a public key certificate in Internet Explorer 7. 1 Open Internet Explorer and click Tools > Internet Options. Figure 551 Internet Explorer 7: Tools Menu 2 In the Internet Options dialog box, click Content > Certificates. Figure 552 Internet Explorer 7: Internet Options
  • Page 807: Figure 553 Internet Explorer 7: Certificates

    5 In the Root Certificate Store dialog box, click Yes. Figure 555 Internet Explorer 7: Root Certificate Store 6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
  • Page 808: Figure 556 Firefox 2: Website Certified By An Unknown Authority

    3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information. Figure 557 Firefox 2: Page Info
  • Page 809: Figure 558 Firefox 2: Tools Menu

    1 Open Firefox and click Tools > Options. Figure 558 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 559 Firefox 2: Options
  • Page 810: Figure 560 Firefox 2: Certificate Manager

    Figure 561 Firefox 2: Select File 5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
  • Page 811: Figure 562 Firefox 2: Tools Menu

    This section shows you how to remove a public key certificate in Firefox 2. 1 Open Firefox and click Tools > Options. Figure 562 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 563 Firefox 2: Options
  • Page 812: Figure 564 Firefox 2: Certificate Manager

    4 In the Delete Web Site Certificates dialog box, click OK. Figure 565 Firefox 2: Delete Web Site Certificates 5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
  • Page 813: Figure 566 Opera 9: Certificate Signer Not Found

    Figure 566 Opera 9: Certificate signer not found 3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 567 Opera 9: Security information
  • Page 814: Figure 568 Opera 9: Tools Menu

    1 Open Opera and click Tools > Preferences. Figure 568 Opera 9: Tools Menu 2 In Preferences, click Advanced > Security > Manage certificates. Figure 569 Opera 9: Preferences
  • Page 815: Figure 570 Opera 9: Certificate Manager

    3 In the Certificates Manager, click Authorities > Import. Figure 570 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 571 Opera 9: Import certificate
  • Page 816: Figure 572 Opera 9: Install Authority Certificate

    Figure 573 Opera 9: Install authority certificate 7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
  • Page 817: Figure 574 Opera 9: Tools Menu

    This section shows you how to remove a public key certificate in Opera 9. 1 Open Opera and click Tools > Preferences. Figure 574 Opera 9: Tools Menu 2 In Preferences, click Advanced > Security > Manage certificates. Figure 575 Opera 9: Preferences
  • Page 818: Figure 576 Opera 9: Certificate Manager

    4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
  • Page 819: Figure 577 Konqueror 3.5: Server Authentication

    3 Click Forever when prompted to accept the certificate. Figure 578 Konqueror 3.5: Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 579 Konqueror 3.5: KDE SSL Information
  • Page 820: Figure 580 Konqueror 3.5: Public Key Certificate File

    The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 582 Konqueror 3.5: Kleopatra 3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details.
  • Page 821: Figure 583 Konqueror 3.5: Settings Menu

    4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
  • Page 823: Appendix E Open Software Announcements

    No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ppp-2.4.2 software under the PPP License PPP License Copyright (c) 1993 The Australian National University.
  • Page 824 The University of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is" without express or implied warranty.
  • Page 825 Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
  • Page 826 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  • Page 827 DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
  • Page 828 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This Product includes bind-9.2.3 software under the Internet Software Consortium and Nominum License
  • Page 829 THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
  • Page 830 "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
  • Page 831 (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
  • Page 832 Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS
  • Page 833 Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. This Product includes libosip2, libgcgi-0.9.5 and gmp-4.1 software under LGPL license. GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999
  • Page 834 License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
  • Page 835 Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the
  • Page 836 GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
  • Page 837 (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-
  • Page 838 License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or
  • Page 839 WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
  • Page 840 You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
  • Page 841 License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
  • Page 842 Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
  • Page 843 Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY
  • Page 844 Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof. 1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
  • Page 845 Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge. 1.12. "You" (or "Your")
  • Page 846 Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor.
  • Page 847 (b) Contributor APIs If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file. (c) Representations.
  • Page 848 Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Application of this License.
  • Page 849 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or
  • Page 850 License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable
  • Page 851 Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. This Product includes unzip-5.50 and zip-2.3 software under Info-ZIP license
  • Page 852 •Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and binary releases. This Product includes libpcap-0.8.3, libnet-1.1.2.1, net-snmp-5.1.1, libpcap-0.9.4, and openssh-4.3p2 software under BSD license
  • Page 853 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
  • Page 854 Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
  • Page 855 (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following
  • Page 856 EVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 857 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. NOTE: Some components of the ZyWALL 1050 incorporate source code covered under the Apache License, GPL License, LGPL License, BSD...
  • Page 858 ZyXEL Communications Corporation at: ZyXEL Technical Support. End-User License Agreement for “ZyWALL 1050” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
  • Page 859 OTHERWISE SHALL BE EQUAL TO THE PURCHASE PRICE, BUT SHALL IN NO EVENT EXCEED THE AMOUNT OF THE PRODUCT. BECAUSE SOME STATES/ COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 8.Export Restrictions
  • Page 860 Agreement shall only be effective if it is in writing and signed by both parties hereto. If any part of this License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties.
  • Page 861: Appendix F Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 862 During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the
  • Page 863 To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
  • Page 865: Appendix G Customer Support

    • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan China - ZyXEL Communications (Beijing) Corp. • Support E-mail: cso.zycn@zyxel.cn • Sales E-mail: sales@zyxel.cn •...
  • Page 866 Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 • Fax: +420-241-091-359 • Web: www.zyxel.cz • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk •...
  • Page 867 Tokyo 141-0022, Japan Kazakhstan • Support: http://zyxel.kz/support • Sales E-mail: sales@zyxel.kz • Telephone: +7-3272-590-698 • Fax: +7-3272-590-689 • Web: www.zyxel.kz • Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan
  • Page 868 • Support Telephone: +1-800-978-7222 • Sales E-mail: sales@zyxel.com • Sales Telephone: +1-714-632-0882 • Fax: +1-714-632-0858 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 869 • Support E-mail: support@zyxel.es • Sales E-mail: sales@zyxel.es • Telephone: +34-902-195-420 • Fax: +34-913-005-345 • Web: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 •...
  • Page 870 • Sales E-mail: sales@zyxel.co.uk • Telephone: +44-1344-303044, 0845 122 0301 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
  • Page 871: Index

    FTP access control attacks and NAT Access Point Name, see APN and policy routes 243, 244, 571 and SNMP access users 561, 563 and SSH custom page and Telnet forcing login
  • Page 872 Anomaly Detection and Prevention, see ADP Apache server 494, 495 answer rings Apache-whitespace attack anti-spam 527, 532, 533 action for spam mails Application Layer Gateway, see ALG alerts application order black list 527, 532, 533
  • Page 873 Denial of Service (DoS) Authentication, Authorization, Accounting servers, see directory traversal AAA server DoS/DDoS authorization server double-encoding false negatives AUX port false positives see also auxiliary interface IIS-backslash-evasion auxiliary interface 182, 224, 675 IIS-unicode-codepoint-encoding when used
  • Page 874 Challenge Handshake Authentication Protocol (CHAP) 225, 627
  • Page 875 FTP custom signatures 469, 471 use without restart applying connection monitor (in SSL) example connectivity check 192, 200, 205, 214, 223, 330 verifying console port custom.rules file speed customer support contact information
  • Page 876 IP addresses documentation VRID related device High Availability see device HA domain name device introduction Domain Name System, see DNS DHCP 227, 638 DoS (Denial of Service) attacks and DNS servers double-encoding attack and domain name
  • Page 877 VoIP pass through 329, 351 and zones 306, 314 and transport mode asymmetrical routes 312, 313 Ethereal configuration overview Ethernet interfaces global rules basic characteristics prerequisites virtual priority with no physical ports rule criteria
  • Page 878 HyperText Transfer Protocol over Secure Socket Layer, see HTTPS gateway policy, see VPN gateways ICMP Generic Routing Encapsulation, see GRE code datagram length Gigabit Ethernet decoder 488, 494 ports echo global SSL setting flood attack user portal logo portsweep
  • Page 879 DHCP servers 227, 638 emulation auxiliary, see also auxiliary interface encoding backup, see trunks server bandwidth management 227, 236 unicode bridge, see also bridge interfaces unicode-codepoint-encoding attack configuration overview IKE SA default configuration
  • Page 880 IP/MAC binding encryption key (manual keys) exempt list local policy monitor manual keys static DHCP NAT for inbound traffic NAT for outbound traffic IPSec Perfect Forward Secrecy (PFS) active protocol proposal remote policy and certificates
  • Page 881 232, 236 least load first round robin see also trunks L2TP VPN session-oriented configuration overview spillover configuring in Windows 2000 weighted round robin configuring in Windows XP local user database Default_L2TP_VPN_Connection log messages Default_L2TP_VPN_Connection example ZyWALL 1050 User’s Guide...
  • Page 882 72, 73 port triggering Message Digest 5, see MD5 port triggering, see also policy routes messages traversal trigger port, see also policy routes warning NBNS 193, 215, 223, 228, 360 metrics, see reports ZyWALL 1050 User’s Guide...
  • Page 883 163, 164 order of feature application padding original setting (IDP) PAP (Password Authentication Protocol) 225, 627 OSI (Open System Interconnection) 453, 457 password OSI level-4 Password Authentication Protocol (PAP) 225, 627 OSI level-7 ZyWALL 1050 User’s Guide...
  • Page 884 Public-Key Infrastructure (PKI) public-private key pairs POP2 POP3 pop-up windows port forwarding, see virtual servers port groups 182, 186 and Ethernet interfaces and physical ports query view (IDP) 462, 466 representative interfaces Quick Start Guide port mapping ZyWALL 1050 User’s Guide...
  • Page 885 FTP, see FTP 613, 616, 622 prerequisites see also service control see also ALG Telnet to-ZyWALL firewall WWW, see WWW remote network remote user screen links replay detection safety warnings reports same IP anti-spam scan attacks anti-virus ZyWALL 1050 User’s Guide...
  • Page 886 Session Initiation Protocol, see SIP session limits 307, 316 GetNext session monitor (L2TP VPN) Manager managers sessions sessions usage 155, 160 network components severity (IDP) 458, 462 SHA1 Trap shell scripts traps and users versions ZyWALL 1050 User’s Guide...
  • Page 887 ZyWALL 55, 56 user screens system requirements streaming protocols management WINS strict source routing SSL application object file sharing stub area file sharing application STUN remote user screen links and ALG summary ZyWALL 1050 User’s Guide...
  • Page 888 488, 494 troubleshooting 717, 721 decoy portscan packet flow distributed portscan truncated-address-header attack flag bits truncated-header attack port numbers truncated-options attack portscan portsweep truncated-timestamp-header attack trunk SYN (synchronize) trunks 182, 231 SYN flood and ALG window size ZyWALL 1050 User’s Guide...
  • Page 889 Ext-User URI (Uniform Resource Identifier) Ext-User (type) usage groups, see user groups 155, 158 Guest (type) flash lease time memory 155, 159 Limited-Admin (type) onboard flash lockout sessions 155, 160 ZyWALL 1050 User’s Guide...
  • Page 890 ID (VR ID) file infector VRRP groups life cycle and interfaces macro and to-ZyWALL firewall mutation authentication polymorphic role (desired) scan see also VRRP VLAN advantages and MAC address VLAN interfaces 182, 210 and Ethernet interfaces ZyWALL 1050 User’s Guide...
  • Page 891 Wizard Setup worm 440, 464 attacks and address groups and address objects and authentication method objects and certificates and zones see also HTTP, HTTPS 141, 651 www.zyxel.com zones 108, 261 and firewall 306, 314 and FTP ZyWALL 1050 User’s Guide...