Check Point with ZyWALL VPN Tunneling ... 151
FortiNet with ZyWALL VPN Tunneling ... 185
Remote Access VPN Scenario ... 198
Using xAuth for User Authentication ... 198
ZyXEL VPN Client to ZyWALL Tunneling ... 200
Content Filter Application ... 209
All contents copyright (c) 2006 ZyXEL Communications Corporation. ZyWALL 2WG Support Notes
Page 3
A24. What DDNS servers does the ZyWALL support? ... 226
A25. What is DDNS wildcard? ... 226
A26. Does the ZyWALL support DDNS wildcard? ... 226
A27. Can the ZyWALL NAT handle IPSec packets sent by the VPN
Page 4
C08. Can I try the Content Filtering service for free? How long is the free trial period of the Content Filtering service? ... 235
D. Security Service Activation and Update FAQ ... 235
D01. Why do I have to register? ... 235
Page 5
E12. How many policies can I create? ... 240
E13. Can I create my own categories? ... 240
E14. Can I override (block or allow) certain URLs regardless of the rating? ... 240
Page 6
F14. What VPN protocols are supported by ZyWALL? ... 250
F15. What types of encryption does ZyWALL VPN support? ... 250
F16. What types of authentication does ZyWALL VPN support? ... 250
F17. I am planning my ZyWALL-to-ZyWALL VPN configuration.
Page 7
G13. What if customers don't have access to a CA service, but would like to use the PKI function? ... 259
G14. How can I have a self-signed certificate for a ZyXEL appliance? ... 259
G15. Can I create self-signed certificates in addition to the default one? ... 259
Page 8
H16. By turning off the broadcast of SSID, can someone still sniff the SSID? ... 263
H17. What is 802.1x? ... 264
H18. Can I use WiFi access when I plug a 3G wireless card in the PCMCIA slot? ... 264
LAN users. Besides mobility, you can also use the ZyWALL 2WG as your WAN backup in a small office or SOHO. You can further choose a load balancing mechanism to perform dual-WAN access.
Utilize a 3G card to get Internet access
1) Plug the 3G card into the ZyWALL 2WG's card slot before powering on the ZyWALL 2WG device.
2) Log in to the GUI. After the system boots up, you can see the 3G card information on the home page. Make sure there is no "Error"...
Page 11
"Nailed-up" option as shown in the figure above, the system will automatically dial up the 3G Internet access even if WAN1 is available. You will then see the process in the logs as follows.
Page 12
4) If dialed up successfully, you can see the GUI home page as shown below. You will get the "WAN2 connection is up" and "3G card's signal strength" messages in the latest alerts.
Page 13
(four modes available: 802.11b only, 802.11g only, 802.11b+g, 802.11a only), channel ID, super mode, RTS/CTS, fragmentation, output power (four options: 100%, 50%, 25%, 12.5%) and roaming. The ZyWALL 2WG allows you to configure up to 8 SSID profiles. Choose the SSID profile you want to use and click the Apply button.
Page 14
Furthermore, these clients will also have to pass the security controls described below.
a. Set the wireless security level to "WPA-PSK" with key "12345678".
b. Only PCs with the MAC addresses "00:A0:C5:11:22:33", "00:A0:C5:11:22:44", and "00:A0:C5:11:22:55" are allowed to associate with the wireless network.
Page 15
Page 16
Page 17
After you have configured the Security and MAC filter profiles, you can choose them in the main page of the wireless card settings as shown
If a router-mode firewall is inserted into an existing network, the user may need to reassign the IP addresses of all servers and hosts and the related application settings. This can be a huge task for administrators.
Page 19
In the following section, we explain how to configure the ZyWALL as a bridge firewall, so that all hosts and servers can keep using the same IP addresses as in the current network.
Page 20
The admin can activate the rule by clicking the 'N' as in the following picture. The rule will then be activated right away. Step 2. To change the device mode, go to MAINTENANCE >> Device Mode. Select 'Bridge' and
Page 21
(like 210.242.82.X/24 in this example). In this way, the admin doesn't need to change his PC's IP address when he wants to access the Internet and the ZyWALL's web GUI at the same time.)
Page 22
IP segment 210.242.82.0/24). Edit the firewall rule via Firewall >> Rule Summary with packet direction DMZ to LAN. Enter 210.242.82.2 as the source address and 210.242.82.31~34 as the destination address. Then select the service and set the action for 'Matched Packet' to 'BLOCK'.
Page 23
Select the correct encapsulation type from the drop-down menu. The wizard will request the related information needed. These fields vary depending on what you select in the Encapsulation field. Fill them in with the information exactly as given by the ISP or network administrator.
The ZyWALL supports a DHCP server for the LAN ports, but also 1. When the DHCP setting is 'None', the LAN will NOT assign IP addresses to the associated hosts. Client PCs need to configure their IP addresses manually.
RFC 1631, and we call this feature 'Multi-NAT'. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT).
Page 27
In Many-to-Many Overload mode, the ZyWALL maps multiple ILAs to shared IGAs.
Many One-to-One: In Many One-to-One mode, the ZyWALL maps each ILA to a unique IGA.
Page 28
NAT mapping rules clearly in ADVANCED -> SUA/NAT -> Address Mapping, so that internal PCs can access the Internet and internal servers can be accessed by remote users on the Internet.
Page 29
Step 1. Applying NAT on the WAN Interface. You can set the NAT mapping type to either SUA Only or Full Feature in the WAN setup: NETWORK -> WAN or ADVANCED -> NAT -> NAT Overview
Page 30
Step 2. Configuring NAT Address Mapping. To configure NAT, go to ADVANCED -> NAT -> Address Mapping.
Field: Network Address Translation. Option: Full Feature. Description: Set to 'Full Feature' if there are multiple IP addresses given by the ISP that can be assigned to your clients.
Page 31
Server allows us to map multiple servers, of different types, to other machines behind NAT on the LAN. Rule 1 Setup: Select the One-to-One type to map FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.1.1.1).
Page 32
Rule 3 Setup: Select the Many-to-One type to map the other clients to IGA3. Rule 4 Setup: Select the Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. The rule summary page after all four rules have been configured:
Page 33
LAN to forward the incoming connections. If you would like to only allow traffic going to the internal server, you should specify the server's private IP address in the destination IP address field.
Page 34
IP address. In this case it is better to use the Many One-to-One or One-to-One NAT mapping types, so that each user logging in to the server uses a unique global IP address. The following figure illustrates this. One rule configured with the Many One-to-One mapping type is shown below.
Additionally, chances are that you would like to grant higher bandwidth to someone special who is using a specific IP address in your network. All of these are reasons why we need bandwidth management.
Page 36
Bandwidth Borrowing. For classes that need more bandwidth even after bandwidth borrowing, users can also apply Maximize Bandwidth Usage on the interface. Using BWM
Page 37
Go to ADVANCED -> BW MGMT -> Class Setup and select the interface on which you would like to set up the class tree. Click the radio button beside the Root Class, then press 'Add Sub-Class'.
Page 38
Destination Address: Enter the IP address of the destination that matches this class.
Destination Subnet Mask: Enter the destination subnet mask.
Destination Port: Enter the destination port number of the traffic.
Page 39
Class 2: Budget = 800kbps, Dest. IP = FTP Client B's IP, Service = FTP, Priority = 3, enable Borrow
Class 3: Budget = 800kbps, Dest. IP = IPTV Client's IP, Protocol = UDP.
Page 40
We add a service and allocate 400kbps for FTP destined to FTP Client A. Select the Service as FTP from the drop-down list. Input Client A's IP address as the Destination IP Address.
Page 41
Step 3. Add another service and allocate 800kbps for FTP destined to FTP Client B. Select the Service as FTP from the drop-down list. Input Client B's IP address as the Destination IP Address.
Page 42
Select the Service as Custom from the drop-down list and set Protocol IP to 17 (UDP). Input the IPTV user's IP address as the Destination IP Address. Step 5. Three classes are created for FTP Client A, FTP Client B and the IPTV user, as below:
If the ZyWALL is used as the Internet gateway and a public IP address is assigned to the ZyWALL's WAN interface, the ZyWALL uses this public WAN IP address for terminating the VPN tunnels from remote VPN gateways. In the following example, the local VPN gateway (ZyWALL) uses a static public IP address.
ISP. Since the ZyWALL has no idea about its WAN IP address before it is assigned, it is difficult or impossible to use the WAN IP address as My Address in the Gateway Policy. To overcome this problem, Dynamic DNS can be used to resolve the VPN gateway. When a new IP
Page 45
Therefore the peer VPN gateway can resolve the ZyWALL's IP address to build a VPN tunnel. In the following example, the local VPN gateway (ZyWALL) uses a dynamic WAN IP address (PPPoE with dynamic IP assignment).
2) Use an IPSec gateway for both IPSec (VPN) and NAT (Internet access). However, in some situations it is inevitable that the IPSec gateway is not located on a public IP address and it must be
Page 47
3) On the ZyWALL, enable "NAT Traversal" regardless of whether the front NAT router supports NAT Traversal (IPSec pass-through) or not. With this option enabled, the ZyWALL can detect if it is placed behind NAT
Configuration on the peer VPN gateway: VPN -> VPN Rule (IKE) on ZyWALL
(Dept.1) for business-sensitive applications. PC2 belongs to another group (Dept.2) and needs to access Dept.2.
(Figure: Dept. 1 and Dept. 2; traffic PC1 <-> Dept1 carried over the IPSec tunnel)
Page 49
For detailed usage of "Pre-Shared Key" and "Certificate", please refer to XXX. In this example, "Pre-Shared Key" is used and the string "12345678" is used as an example.
Page 50
7) Under "IKE Proposal", select the Encryption and Authentication Algorithm. Note that the configuration must be consistent on both ZyWALLs (GW1 & GW2).
8) Click "Apply" to save the profile.
9) The IKE rule will be configured as below:
Page 51
If you need to change to another pre-defined Gateway Policy, you can select it from the drop-down list. 13) Under "Local Network", choose "Subnet" and input "192.168.71.0" and "255.255.255.0" for Dept1 in this example.
Page 52
15) Under "IPSec Proposal", select the Encryption and Authentication Algorithm. Note that the configuration must be consistent on both ZyWALLs (GW1 & GW2).
16) Click "Apply" to save the profile.
17) The new Network Policy, PC1-to-Dept1, is added to the Gateway Policy.
This is usually done using security certificates and a Public Key Infrastructure (PKI). If a certificate (Digital Signature) is used for authentication, there are five available types of identity: IP,
The ZyWALL can sign itself a so-called self-signed certificate, which can be imported into another ZyWALL for authentication. This feature allows users to use certificates without a CA. The certificates must be exchanged and imported into Trusted Remote Hosts before making a VPN connection.
Page 55
To use a self-signed certificate, go to ZyWALL CERTIFICATES -> My Certificates and export the ZyWALL's certificate. 1) Press "Export" to save the ZyWALL self-signed certificate to the local computer in Binary X.509 format.
Page 56
Notepad) and then save it to your local computer in PEM (Base-64) Encoded Format. Then import the certificate into the other ZyWALL VPN gateway. Go to the other ZyWALL, click the "Import" button under CERTIFICATES -> Trusted Remote Hosts, and select the certificate from the local computer.
This example shows how to use the PKI feature in the VPN function of a ZyXEL appliance. Through the PKI function, users can achieve peer identification during VPN/IPSec negotiation. With online enrollment, the ZyWALL first creates a certificate request locally, then sends the certificate request to a trusted CA (Certificate Authority)
Page 58
The CA server's certificate will be used to protect the data. You may need to access the CA server's web interface or contact the administrator to get the CA's certificate. Then you can go to SECURITY -> CERTIFICATES -> Trusted CAs to import the downloaded certificate.
Page 59
6. In the "CA Server's Address" field, input the URL to access the CA server, for example http://1.1.1.1:8080/scep/
7. Choose the previously downloaded CA server's certificate from the drop-down list.
8. Input the user name and password if necessary.
9. Then click Apply.
Page 60
It may take one minute to complete the whole process. After the CA server agrees to issue the corresponding certificate, you will find a newly enrolled certificate in My Certificates. Step 3. Create a certificate request and enroll the certificate request on ZyWALL B
Page 61
6. In the "CA Server's Address" field, input the URL to access the CA server, for example http://1.1.1.1:8080/scep/
7. Choose the previously downloaded CA server's certificate from the drop-down list.
8. Input the user name and password if necessary.
9. Then click Apply.
Page 62
7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address = "192.168.1.35"
9. Peer ID Type = "ANY"
10. Secure Gateway Address = "192.168.1.36"
11. Encapsulation Mode = "Tunnel"
12. Leave the other options at their defaults.
Page 63
13. You can check the detailed settings by clicking the Advanced button.
Page 64
7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address = "192.168.1.36"
9. Peer ID Type = "ANY"
10. Secure Gateway Address = "192.168.1.35"
11. Encapsulation Mode = "Tunnel"
12. Leave the other options at their defaults.
Page 65
13. You can check the detailed settings by clicking the Advanced button.
Step 3. Create a certificate request on ZyWALL B.
Step 4. Enroll the certificate request with Windows 2000.
Step 5. Set up the VPN rule on ZyWALL A.
Step 6. Set up the VPN rule on ZyWALL B.
Page 67
(Figure: ZyWALL A has LAN 10.1.133.1 (10.1.133.0/24) and WAN 192.168.1.35; ZyWALL B has LAN 192.168.2.1 (192.168.2.0/24) and WAN 192.168.1.36)
Step 1. Create a Certificate Request on ZyWALL A
1. Go to VPN -> My Certificates -> click the Create button.
Page 68
3. Wait for 1-2 minutes until "Request Generation Successful" is displayed. During this period, the ZyWALL is creating the private/public key pair and the certificate request. 4. After creating the certificate request, the ZyWALL returns a Successful message.
Page 69
1. Copy the content of the Certificate in PEM Encoded Format by selecting all of the content, then right-click your mouse and select Copy. Keep the copy in the clipboard to paste later.
Page 70
CA server may be different; you may need to check with your CA service provider for details. For how to set up a Windows 2000 CA server, users may refer to http://www.microsoft.com. 2. Enter the URL to access the CA server and type in the User Name/Password/Domain fields.
Page 71
3. Select Request a Certificate, then press the Next> button.
Page 72
4. Choose Advanced request, then press the Next> button.
Page 73
5. Choose "Submit a certificate request using a base64...", then press the Next> button.
Page 74
6. Right-click your mouse, then paste the certificate request you got in step 2.1.
Page 75
7. Click "Download CA certification path". 8. A file download dialog will pop up; press the Save button and choose the local folder where you would like to store the certification path.
Page 76
9. Double-click the saved file, select Certificates, right-click the Certificate, and choose All Tasks -> Export... 10. The Certificate Export Wizard will pop up; press Next>.
Page 77
11. Choose DER encoded binary X.509 (.CER), then press Next>. 12. Specify the path to store your exported certificate.
Page 78
13. Click Finish. 14. Go to the ZyWALL web GUI -> VPN -> My Certificates -> click the Import button. 15. Click the Browse... button to find the location where you stored the ZyWALL's certificate, then press the Apply button.
Page 79
ZyWALL's certificate, such as zywall_a.cert.cert in this example, and select Certification Path to view the nearest CA server's name, and then export that CA server's certificate. Import the saved CA server's certificate: click the Browse... button and select the location.
Page 80
After importing the CA's certificate, you will get this display. Step 3. Create a Certificate Request on ZyWALL_B 1. Go to VPN -> My Certificates -> click the Create button.
Page 81
Unit, Organization and Country are optional fields; you are free to enter them or not. Finally, specify the key length and select "Create a certification request and save it locally for later manual enrollment".
Page 82
4. After creating the certificate request, the ZyWALL returns a Successful message. 5. In the My Certificates tab, you will see a new entry in grey. This is the certificate request you just created. Click Details to export the request.
Page 83
CA server may be different; you may need to check with your CA service provider for details. For how to set up a Windows 2000 CA server, users may refer to http://www.microsoft.com. 2. Enter the URL to access the CA server and type in the User Name/Password/Domain fields.
Page 84
3. Select Request a Certificate, then press the Next> button.
Page 85
4. Choose Advanced request, then press the Next> button.
Page 86
5. Choose "Submit a certificate request using a base64...", then press the Next> button.
Page 87
6. Right-click your mouse, then paste the certificate request you got in step 4.1.
Page 88
7. Click "Download CA certification path". 8. A file download dialog will pop up; press the Save button and choose the local folder where you would like to store the certification path.
Page 89
9. Double-click the saved file, select Certificates, right-click the Certificate, and choose All Tasks -> Export... 10. The Certificate Export Wizard will pop up; press Next>.
Page 90
11. Choose DER encoded binary X.509 (.CER), then press Next>.
Page 91
12. Specify the path to store your exported certificate.
Page 92
13. Click Finish. 14. Go to the ZyWALL web GUI -> VPN -> My Certificates -> click the Import button. 15. Click the Browse... button to find the location where you stored the ZyWALL's certificate, then press the Apply button.
Page 93
ZyWALL's certificate, such as zywall_a.cert.cert in this example, and select Certification Path to view the nearest CA server's name, and then export that CA server's certificate. Import the saved CA server's certificate: click the Browse... button and select the location.
Page 94
6. Edit Remote: Address Type = "Subnet Address", Starting IP Address = "192.168.2.0", End IP Address/Subnet Mask = "255.255.255.0"
7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address = "192.168.1.35"
Page 95
9. Peer ID Type = "ANY"
10. Secure Gateway Address = "192.168.1.36"
11. Encapsulation Mode = "Tunnel"
12. Leave the other options at their defaults.
Page 96
13. You can check the detailed settings by clicking the Advanced button.
Page 97
7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address = "192.168.1.36"
9. Peer ID Type = "ANY"
10. Secure Gateway Address = "192.168.1.35"
11. Encapsulation Mode = "Tunnel"
12. Leave the other options at their defaults.
Page 98
13. You can check the detailed settings by clicking the Advanced button.
5) When IP is selected as the ID Type, the Content must be in the format X.X.X.X (e.g. 210.242.82.70). 6) When DNS or E-mail is selected as the ID Type, the same string must be configured on both entities.
In this support note, we skip the detailed configuration steps for Internet access and presume that you are familiar with basic ZyNOS VPN configuration.
Page 101
B are contiguous, we merge them into one single rule by including these two segments in the Remote section. If by any chance the two segments are not contiguous, we strongly recommend that you set up different rules for these segments. 1. Go to SECURITY -> VPN -> press the Add button
Page 102
IKE phase 2 negotiation. You can set a more detailed configuration by pressing the Advanced button. 12. Enter the key string 12345678 in the Pre-shared Key text box, and click Apply.
Page 103
You can set up the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule at headquarters.
Page 104
To avoid such a situation, we need two separate rules to cover the LAN segments of branch office A and headquarters. This rule is for branch office B to access headquarters' LAN and Branch A's LAN.
Page 105
Page 106
VPN rule at headquarters. 3. Set up the VPN at Headquarters 1. The corresponding rule for Branch_A at headquarters
Page 107
Page 108
2. The corresponding rule for Branch_B
Page 109
IPSec VPN based on this network topology is not possible since it will cause a routing problem. You are required to manually
Page 111
WAN interfaces according to the application scenario and network topology you planned. Configure both ZyWALLs' LAN and WAN interfaces with the proper IP addresses and network masks.
Page 112
"My Address" on ZyWALL 1 with IP address 172.16.4.254 and the "Primary Remote Gateway" as 172.16.5.254. Assign "My Address" on ZyWALL 2 with IP address 172.16.5.254 and the "Primary Remote Gateway" as 172.16.4.254. Gateway Policy on ZyWALL 1
Page 113
Gateway Policy on ZyWALL 1. Click "Apply" to complete the settings. Repeat the steps for ZyWALL 2.
Page 114
STEP 3: Create the Network Policy (Phase 2) on ZyWALL 1 and ZyWALL 2. After completing the settings for the "Gateway Policy", click "Add Network Policy" to add a network
Page 115
In the "Virtual Starting IP Address" field, we specify the new IP address after NAT. In the figure above, the virtual IP addresses on ZyWALL 1 are specified as starting from 172.16.2.1 to 172.16.2.254.
Page 116
On ZyWALL 1, the remote network will be changed to 172.16.3.0. Click "Apply" to complete the setting. Repeat the steps on ZyWALL 2 to configure its Network Policy.
Page 117
On ZyWALL 2, the Virtual IP Addresses start from 172.16.3.1 to 172.16.3.254. STEP 4: Establish the IPSec VPN Tunnel Connection
Page 118
STEP 5: Validate the functionality of NAT over IPSec with the PING command. Once the VPN tunnel is established, we can ping the following hosts to ensure that the NAT function works correctly.
Ping the remote host using the virtual IP address that is located on the remote network. Never lose your VPN connection (IPSec High Availability) 1. Set up the ZyWALL VPN with high availability
Page 120
1. Using a web browser, log in to the ZyWALL by entering the LAN IP address of the ZyWALL in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234. 2. Go to SECURITY -> VPN -> press the Add button
Page 121
8. The remaining VPN settings are the same as in the previous steps; complete all settings. 9. Please remember to set up a corresponding VPN rule in the central office's firewall for building the VPN tunnel from WAN2 to the remote office's firewall (ZyWALL 2 Plus).
Page 122
ZyWALL 2WG Support Notes All contents copyright (c) 2006 ZyXEL Communications Corporation.
Access control for traffic inside the VPN tunnel can be enforced with the Firewall feature. Switch to the Security > Firewall menu to configure access control rules for traffic from the VPN or to the VPN.

192.168.2.33 to access the local LAN subnet 192.168.1.0/24. The default VPN-to-LAN policy is permit, so we have to add a VPN-to-LAN access control rule in the rule summary submenu.

Click the Insert button to insert a new rule. Edit the source address as 192.168.2.33 and the destination address as 192.168.1.0/255.255.255.0.

Set the service type to Any, so that every kind of traffic from 192.168.2.33 to the LAN subnet is matched, set Action for Matched Packets to Drop, and then click Apply to save and activate the configuration.

The new rule now appears in the rule summary page. Because it is evaluated before the direction's default permit, it achieves our goal of blocking all traffic from the VPN remote host 192.168.2.33 to the LAN subnet.
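The rule above only works because the ZyWALL applies the rule summary top down and falls back to the direction's default when nothing matches. The following Python is an added example, not ZyXEL code: it models that first-match evaluation over a few constructed VPN-to-LAN packets, with the walkthrough's drop rule inserted at the top, and also shows what happens when the same rule is appended behind a broader permit, a common way for such a block to silently stop working.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR, or "any"
    dst: str        # CIDR, or "any"
    service: str    # "any" or "proto/port", e.g. "tcp/80"
    action: str     # "permit" or "drop"

    def matches(self, pkt):
        if self.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.service == "any":
            return True
        proto, port = self.service.split("/")
        return pkt.proto == proto and pkt.dport == int(port)


def evaluate(rules, default_action, pkt):
    """First-match evaluation; the direction's default action applies when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action


# Constructed rule set for the VPN-to-LAN direction. The default is permit, and the rule from the
# walkthrough sits at the top; 192.168.1.0/255.255.255.0 is written with a prefix length here.
VPN_TO_LAN_DEFAULT = "permit"
BLOCK_HOST = Rule("192.168.2.33/32", "192.168.1.0/24", "any", "drop")
RULES = [BLOCK_HOST]

# The same rule appended behind a broad permit never fires: ordering is part of the policy.
MISORDERED = [Rule("192.168.2.0/24", "192.168.1.0/24", "any", "permit"), BLOCK_HOST]


def run(rules, default_action=VPN_TO_LAN_DEFAULT):
    """Evaluate a constructed sample of VPN-to-LAN traffic; returns {description: action}."""
    sample = {
        "blocked host, HTTP to LAN": Packet("192.168.2.33", "192.168.1.5", "tcp", 80),
        "blocked host, ping to LAN": Packet("192.168.2.33", "192.168.1.5", "icmp"),
        "other VPN host, HTTP to LAN": Packet("192.168.2.34", "192.168.1.5", "tcp", 80),
        "blocked host, other destination": Packet("192.168.2.33", "10.0.0.5", "tcp", 80),
    }
    return {name: evaluate(rules, default_action, pkt) for name, pkt in sample.items()}


if __name__ == "__main__":
    for label, rules in (("inserted at top", RULES), ("appended after a permit", MISORDERED)):
        print(label)
        for name, action in run(rules).items():
            print(f"  {action:6} {name}")
```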
Traffic decrypted from the VPN tunnel and sent on to the Internet can also be subject to the web filtering rules, once the content filter is enabled for traffic that matches the IPSec policy.

10. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default web configurator password is 1234.

14. Secure Gateway IP Addr is the SonicWALL's WAN IP address. In this example, type 172.22.1.251 in the Remote Gateway text box.
15. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box. (12345678 is used throughout these examples only so that both sides are quick to type; in production use a long, random pre-shared key.)

Algorithm to MD5, Key Group to DH1, and then press the Apply button on this page. (DES, MD5 and DH group 1 are used in these examples because every peer supports them; they are weak by current standards, so use AES, SHA-256 and DH group 14 or higher wherever both sides support them.)
17. You will see an IKE rule on your VPN page; press the L/R button to edit your IPSec rule.

18. Check the Active check box and give a name to this policy.
19. On Gateway Policy Information, choose the ToSonicWALL IKE policy for your IPSec rule.

22. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page.

Go to the VPN page, check the Enable VPN check box, and then press the Add button; this brings up a page where you can do your VPN settings. (Note: you could use the VPN Policy Wizard to set up your VPN rules as well.)

IPSec Primary Gateway Name or Address text box. Then enter the key string 12345678 in the Shared Secret text box.
3. On Destination Networks, select the Specify destination networks below option, and then press the Add button.

Encryption to DES and Authentication to MD5. On IPsec (Phase 2) proposal settings, select ESP Protocol, Encryption to DES and Authentication to SHA1. Then press the OK button on this page.

6. When you have finished your settings, you will see the following page.
7. When your VPN tunnel is up, you will see the following page.
ZyWALL and NetScreen are explained in the following sections. As the red pipe in the following figure shows, the tunneling endpoints are the ZyWALL router and the NetScreen router.

My ZyWALL text box.
5. Secure Gateway IP Addr is the NetScreen's WAN IP address. In this example, type 172.22.3.130 in the Remote Gateway text box.
6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box.
7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then click the Apply button on this page.

10. On Gateway Policy Information, choose the ToNetScreen IKE policy for your IPSec rule.
11. On Local Network, choose Subnet Address as your Address Type. Starting IP Address and Ending IP Address/Subnet are your local site LAN IP addresses. In this example, you should

13. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page.

3. Using a web browser, log in to the NetScreen by entering its LAN IP address in the URL field.
4. Check your WAN/LAN IP addresses: click Network -> Interfaces; the trust IP/Netmask is used for the LAN and the untrust IP/Netmask for the WAN.

ZyWALL's WAN IP address. In this example, select the Static IP Address option and enter 172.22.3.89 in the text box. Enter the key string 12345678 in the Preshared Key text box, and then press the Advanced button to edit the advanced settings.

Mode (Initiator). Then press the Return button, and press the OK button on the next page to save your settings.
7. When you have finished the settings, you will see an IKE rule on the page.

10. On Security Level settings, choose the User Defined option, and choose the nopfs-esp-des-sha rule for the Phase 2 Proposal. nopfs-esp-des-sha means no PFS, ESP protocol, DES encryption and SHA1 authentication.

13. On your main page, click Policies to set up your policy rules. Choose From = Trust and To = Untrust (that is, from LAN to WAN), and then press the New button to edit your policy rules.

16. Set Action to Tunnel, and select the ToZyWALLIPSecVPN rule. Check the Modify matching bidirectional VPN policy check box; this lets you create or modify the VPN policy for the opposite direction as well. Then press the OK button to save your settings.

17. When you have finished the settings, you will see the policy rules on the page.
NetScreen device. You can check the link state there to know whether your VPN tunnel is up or down.

Check Point with ZyWALL VPN Tunneling
1. Setup ZyWALL VPN
(Topology figure: Check Point WAN 172.22.2.58.)

1. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default web configurator password is 1234.
2. Go to SECURITY -> VPN and press the Add button.

5. Secure Gateway IP Addr is the remote PC's (the Check Point gateway's) IP address. In this example, type 172.22.2.58 in the Remote Gateway text box.
6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box.

8. After you press the Apply button, you will see an IKE rule on this page; press the L/R button to edit your IPSec rule.
9. Check the Active check box and give a name to this policy.

Ending IP Address/Subnet are your remote site LAN IP addresses. In this example, type 192.168.2.0 in the Starting IP Address field and 255.255.255.0 in the Ending IP Address/Subnet field.

Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page.
14. After you press the Apply button, you will see the following page.

2. Setup Check Point VPN
I. Setup Network Objects

5. If your Check Point object is a Check Point Host, select the object, right-click it, and choose Convert To Gateway to change its settings.
6. On General Properties, the IP Address field is the WAN IP of your PC. In this example, type 172.22.2.58 in the text box. Under Check Point Products, check the VPN check box.
7. On Topology settings, you should see two interfaces with IP settings here if your PC has two network cards.

Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings.

II. Setup Interoperable Device
10. On the main menu, click Manage -> Network Objects.
11. In the network objects window, press the New button and select Interoperable Device.
12. On General Properties, give a name and an IP address for the Interoperable Device. In this example, the IP address is the ZyWALL's WAN IP address.
13. On Topology settings, press the Add button to add a new interface.

ZyWALL's WAN port settings.
15. Click the Topology screen, and choose External (leads out to the internet) for the interface. Then press the OK button to save the settings.
16. Press the Add button to add another interface.

18. Click the Topology screen, choose Internal (leads to the local network) and Network defined by the interface IP and Net Mask for the interface, then press the OK button to save the settings.
19. Press the OK button to save the settings.

III. Setup Networks
20. Select the Networks object, right-click it, and choose New Network.
21. Give a name for your network object, and set the network IP address to 192.168.1.0/24. Then press the OK button to save the settings.

23. Click the VPN Communities tab to do the settings.
24. On VPN Communities, click New -> Site To Site -> Star.
25. On General settings, give a name for your VPN community, for example CheckPoint_ZyWALL.
26. On Center Gateways settings, press the Add button to add a center gateway.
27. If you have done the previous settings, you should see a center gateway here. Select the gateway, and then press the OK button.
28. On Satellite Gateways settings, press the Add button to add a remote gateway.

OK button.
30. On VPN Properties settings, set Encryption Algorithm to DES and Authentication Algorithm to MD5 for phase 1, and Encryption Algorithm to DES and Authentication Algorithm to SHA1 for phase 2.
31. On Tunnel Management, leave the default settings.
32. On VPN Routing settings, choose the To center, or through the center to other satellites, to internet and other VPN targets option.
33. On Shared Secret settings, choose the ToZyWALL entry and press the Edit button.
34. Enter the secret key in the text box, and then press the OK button.
35. On Advanced VPN Properties settings, choose Group 1 for the Diffie-Hellman setting (this must match Key Group DH1 on the ZyWALL).
36. Press the OK button to save your settings.
37. After you press the OK button, you should see a new object here.

IV. Setup Security
38. Click the Security tab on the right side to do the security settings.

40. On the default rule, select the source field, right-click it, and then choose the Add... option to add your network objects.
41. Choose the Net_192.168.1.0 network object, and press the OK button to save your settings.
42. In the same way, add another network object (Net_192.168.2.0) to the source field.
43. In the destination field, add your network objects the same way: Net_192.168.1.0 and Net_192.168.2.0.

45. On VPN Match Conditions, choose the Only connections encrypted in specific VPN Communities option, and press the Add button to add a community to your rule.
46. Choose the CheckPoint_ZyWALL object for your rule, and press the OK button.
47. Click the OK button to save your settings.
48. In the action field, right-click and choose the accept option for your rule.
49. In the track field, right-click and choose the Log option for your rule.
50. If you have finished the settings, you should see a rule as below.
51. Press the Add button to add another rule that drops packets which do not match your VPN rule.

V. Install Policy
52. On your main menu, click Policy -> Install... to install your policy.
53. Select your policy rule, and press the OK button to install the policy.
54. Wait a few seconds for the installation.
55. If the policy installs successfully, your VPN tunnel should work normally with your ZyWALL.
ZyWALL and FortiNet are explained in the following sections. As the red pipe in the following figure shows, the tunneling endpoints are the ZyWALL router and the FortiNet router.
(Topology figure: FortiNet WAN 172.22.2.138.)

My ZyWALL text box.
5. Secure Gateway IP Addr is the FortiNet's WAN IP address. In this example, type 172.22.2.138 in the Remote Gateway text box.
6. In Authentication Key, enter the key string 12345678 in the Pre-Shared Key text box.
7. Set Negotiation Mode to Main mode, Encryption Algorithm to DES, Authentication Algorithm to MD5, Key Group to DH1, and then click the Apply button on this page.

Ending IP Address/Subnet are your local site LAN IP addresses. In this example, type 192.168.2.0 in the Starting IP Address field and 255.255.255.0 in the Ending IP Address/Subnet field.

13. On IPSec Proposal, set Encapsulation Mode to Tunnel, Active Protocol to ESP, Encryption Algorithm to DES and Authentication Algorithm to SHA1, and then press the Apply button on this page.

172.22.1.147 in the text box. Choose Main mode, and also enter the key string 12345678 in the Preshared Key text box. Then press the Advanced button to edit the advanced settings.
4. On P1 Proposal settings, set Encryption to DES, Authentication to MD5, and DH Group to Group1. Then press the “-” button to delete the second P1 proposal entry.
5. Uncheck the Nat-traversal check box (appropriate only when, as in this example, no NAT device sits between the two gateways), and then press the OK button to save the settings.

8. Give a name for your VPN, for example “ToZyWALL IPSec”, and choose the ToZyWALL policy as your Remote Gateway. Then press the Advanced button to edit the advanced settings.
9. On P2 Proposal settings, set Encryption to DES and Authentication to SHA1, and press the “-” button to delete the second P2 proposal entry.
10. Uncheck the Enable perfect forward secrecy (PFS) check box, and then press the OK button to save the settings.
11. After you press the OK button, you will see your IPSec rule (Phase 2) on this page.
12. On the main page, click Firewall -> Address, and then press the Create New button to edit your address entries.

192.168.2.0/24 IP Range/Subnet for the ZyWALL network. Then press the OK button to save your settings.
16. After you have finished the settings, you should see two address entries on this page.

ZyWALL network entry for your destination address.
20. On Action settings, choose the ENCRYPT option, and choose the ToZyWALL IPSec rule for your VPN Tunnel. Then press the OK button to save your settings.

22. Click VPN -> IPSec -> Monitor; this page displays a table that lists all the VPN rules configured on the FortiNet device. You can check the link states here to know whether your VPN tunnel is up or down.
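Every interoperability walkthrough above (SonicWALL, NetScreen, Check Point and FortiNet) succeeds for the same reason: both peers were given identical phase 1 and phase 2 proposals, spelled differently by each vendor (Key Group DH1, Group 1, Group1, and NetScreen's packed name nopfs-esp-des-sha). The following Python is an added example, not ZyXEL code: it folds those vendor spellings to one form, reports where two peers' proposals differ (the usual cause of a tunnel that never comes up), and audits a proposal for the weak choices these examples rely on. The recommended replacements (AES, SHA-256, DH group 14) are current guidance; whether a given peer on this page supports them is not stated and is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Vendor spellings seen on the ZyWALL, SonicWALL, NetScreen, Check Point and FortiNet screens,
# folded to one canonical name each.
ALIASES = {
    "des": "DES", "3des": "3DES", "aes": "AES128", "aes128": "AES128", "aes256": "AES256",
    "md5": "MD5", "sha": "SHA1", "sha1": "SHA1", "sha256": "SHA256",
    "dh1": "DH1", "group1": "DH1", "group 1": "DH1",
    "dh2": "DH2", "group2": "DH2", "group 2": "DH2",
    "dh5": "DH5", "group5": "DH5", "group 5": "DH5",
    "dh14": "DH14", "group14": "DH14", "group 14": "DH14",
}


def norm(name: Optional[str]) -> Optional[str]:
    if name is None:
        return None
    key = name.strip().lower().replace("-", "")
    if key not in ALIASES:
        raise ValueError(f"unknown algorithm name: {name!r}")
    return ALIASES[key]


@dataclass(frozen=True)
class Proposal:
    phase: int
    encryption: str
    authentication: str
    dh_group: Optional[str] = None   # phase 1 Key Group, or phase 2 PFS group (None = no PFS)
    mode: Optional[str] = None       # phase 1 only: "main" or "aggressive"
    protocol: str = "ESP"            # phase 2 only
    encapsulation: str = "tunnel"    # phase 2 only

    @classmethod
    def make(cls, phase, enc, auth, dh=None, mode=None, protocol="ESP", encapsulation="tunnel"):
        return cls(phase, norm(enc), norm(auth), norm(dh),
                   mode.lower() if mode else None, protocol.upper(), encapsulation.lower())


def parse_netscreen_p2(name: str) -> Proposal:
    """Parse a NetScreen Phase 2 proposal name such as 'nopfs-esp-des-sha' or 'g2-esp-3des-md5'."""
    pfs, proto, enc, auth = name.lower().split("-")
    dh = None if pfs == "nopfs" else "dh" + pfs[1:]
    return Proposal.make(2, enc, auth, dh, protocol=proto)


def mismatches(local: Proposal, remote: Proposal):
    """Fields on which two peers disagree; an empty list means the SA can be negotiated."""
    if local.phase != remote.phase:
        raise ValueError("comparing proposals of different phases")
    fields = ("encryption", "authentication", "dh_group", "mode", "protocol", "encapsulation")
    return [f"{f}: local={getattr(local, f)} remote={getattr(remote, f)}"
            for f in fields if getattr(local, f) != getattr(remote, f)]


WEAK = {
    "DES": "DES has a 56-bit key and is brute-forceable; use AES",
    "3DES": "3DES is deprecated (64-bit block, Sweet32); prefer AES",
    "MD5": "MD5 is deprecated for new deployments; use SHA-256 (SHA-1 only as a legacy fallback)",
    "DH1": "DH group 1 (768-bit MODP) is far too small; use group 14 or larger",
    "DH2": "DH group 2 (1024-bit MODP) is below current guidance; use group 14 or larger",
    "DH5": "DH group 5 (1536-bit MODP) is marginal; prefer group 14 or larger",
}


def audit(p: Proposal):
    """Findings a reviewer would raise against one proposal, independent of whether it matches."""
    findings = [WEAK[x] for x in (p.encryption, p.authentication, p.dh_group) if x in WEAK]
    if p.phase == 1 and p.mode == "aggressive":
        findings.append("aggressive mode sends the identity in clear and exposes the PSK to offline cracking")
    if p.phase == 2 and p.dh_group is None:
        findings.append("no PFS: compromise of the IKE SA exposes every phase 2 key derived from it")
    return findings


# The settings the interoperability walkthroughs above use on the ZyWALL side.
ZYWALL_P1 = Proposal.make(1, "DES", "MD5", "DH1", mode="Main")
ZYWALL_P2 = Proposal.make(2, "DES", "SHA1")

if __name__ == "__main__":
    fortinet_p1 = Proposal.make(1, "des", "md5", "Group1", mode="main")
    print("phase 1 mismatches:", mismatches(ZYWALL_P1, fortinet_p1))
    print("phase 2 mismatches:", mismatches(ZYWALL_P2, parse_netscreen_p2("nopfs-esp-des-sha")))
    for finding in audit(ZYWALL_P1) + audit(ZYWALL_P2):
        print("finding:", finding)
```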
IKE Extended Authentication (Xauth) is an IETF Internet-Draft extension of the Internet Key Exchange (IKE) protocol; it was never published as an RFC. The Xauth feature is an enhancement to the

Policy”. Select “Server Mode” on the VPN concentrator. There are two kinds of user identification (username/password) database that can be used for authentication: Local_User and RADIUS. (Note that Local_User is consulted first, then RADIUS, if both exist.)
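With the RADIUS option, each Xauth login is forwarded by the ZyWALL to the RADIUS server, and the only protection on that hop is the shared secret that both sides hold. The following Python is an added example, not ZyXEL code: it builds the Access-Request the way RFC 2865 specifies (User-Password hidden with MD5 of the secret and the request authenticator, block by block) and implements the server side that recovers the password and decides. The secret, user name and password are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(secret, authenticator, hidden):
    """The server side of the same transform."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, authenticator, username, password, nas_ip):
    """What the ZyWALL (the NAS) sends to the RADIUS server for one Xauth login."""
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}); rejects truncated or malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def server_accepts(secret, packet, user_db):
    """Minimal RADIUS server decision: recover the password and compare it in constant time."""
    try:
        code, _ident, authenticator, attrs = parse_packet(packet)
        if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
            return False
        name = attrs[ATTR_USER_NAME].decode("utf-8", errors="replace")
        expected = user_db.get(name)
        if expected is None:
            return False
        given = reveal_password(secret, authenticator, attrs[ATTR_USER_PASSWORD])
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)


# Constructed demo values: shared secret and the user database on the RADIUS side.
SECRET = b"zywall-radius-shared-key"
USERS = {"vpnuser": b"correct horse"}


def demo_packet(secret=SECRET, authenticator=None):
    """Build the request the ZyWALL at 192.168.1.1 would send for user vpnuser."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    return build_access_request(secret, 7, auth, "vpnuser", "correct horse", "192.168.1.1")
```

The hiding step is an MD5 keystream, not encryption: anyone who knows the shared secret and can see the packet recovers the password, and a short secret can be guessed offline from one captured request. Keep the ZyWALL-to-RADIUS hop on a trusted management network and use a long random secret, not a word.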
Key, which must also be configured on the RADIUS server. The default (UDP) port number for RADIUS authentication is 1812. If the RADIUS server uses a different port number, configure it accordingly.

ZyXEL VPN Client to ZyWALL Tunneling
(Topology figure: ZyWALL LAN 202.132.171.1, WAN 202.132.170.1.)

1. Setup ZyWALL VPN Client
1. Open the ZyWALL VPN Client Security Policy Editor.
2. Add a new connection named 'ZyWALL' as shown below.
3. Set Connection Security to Secure.

5. Check Connect using Secure Gateway Tunnel, select IP Address as the ID Type, and enter the ZyWALL's WAN IP address in the following field. The detailed configuration is shown in the following figure.

7. Click My Identity; click the Pre-Shared Key icon on the right side of the window.
8. In the pop-up window, enter a key that you will later also configure on the ZyWALL. In this example, we enter 12345678. See below.

Security Policy Settings:
9. Click the Security Policy option and choose Main Mode as the Phase 1 Negotiation Mode.
10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2).
11. The settings shown in the following two figures for both phases are our examples. You can choose any, but they must match whatever you enter on the ZyWALL.

11. Set Encryption Algorithm to DES and Authentication Algorithm to SHA1, as configured in the ZyWALL VPN Client.
12. Enter the key string 12345678 in the Pre-shared Key text box, and click Apply. See the VPN rule screenshot

You can further adjust IKE Phase 1/Phase 2 parameters by pressing the Advanced button.
With the ZyWALL 2 Plus Content Filter service, a network administrator can effectively allow or prevent network users from viewing different categories of web sites.

1.2 Using external database content filtering to achieve the best result
Enable external database content filtering in CONTENT FILTER -> Categories, selecting “Adult/Mature Content”, “Sex Education”, “Pornography”, “Nudity”, “Hacking/Proxy Avoidance”,

1.3 Demonstrate Content Filtering by an example:
Using a browser to browse a nudity web site, for example www.nudistweb.net, the request is blocked and redirected to www.zyxel.com with the “(Website Blocking)” message displayed.

IT staff can add the IP address 192.168.10.200 to the list to meet this exclusion requirement.
5. Click on the Apply button to save the settings.

Using a browser to browse “www.phishbank.com”, the attempt is blocked (because “www.phishbank.com” is in the forbidden list) and redirected to “www.zyxel.com” with the “(Website Blocking)” message displayed.

IT staff can add the IP address 192.168.10.200 to the list to meet this exclusion requirement.
5. Click on the Apply button to save the settings.

“Sports/Recreation/Hobbies” and “Financial Services” are selected.
Demonstrate Content Filtering by an example:
Using a browser to browse a sports web site, for example www.nba.com, the request is blocked and redirected
Firmware Upgrade and Management, Intuitive Device and Account Monitoring, Logs and Alarms, One-click VPN and Multiple Administrator, Multiple Domain Management. The following diagram depicts an example of the network environment for using Vantage CNM.

In the following section, we explain how to add your ZyWALL to the Vantage CNM server manually. Note that the ZyWALL must be registered on Vantage CNM before it can be managed via Vantage CNM. In

Step 2. Select Manual Add, and press Next. Select No, so as not to associate the device with a device owner now, then press Next. You can register (add) as many devices as you wish at one time by importing an XML file into Vantage. In the XML file, you need to define

After finishing the configuration on Vantage CNM, click on “Finish” to complete the registration of the device on CNM; the following screen shows up and the ZyWALL is added to CNM under folder AAA.

Vantage CNM server. After the configuration has been exchanged between the ZyWALL and Vantage CNM, the Registration Status changes to “Registered”. At this moment, the configuration is synchronized on both the device and Vantage CNM.
The ZyWALL series is a robust solution complete with everything needed for providing Internet access to multiple workstations through your cable or ADSL modem. It is a simple and affordable solution for instant broadband Internet access for multiple workstations, with 802.11 wireless support.

PPPoE emulates a familiar dial-up connection. It allows your ISP to provide services using their existing network configuration over broadband connections. PPPoE also supports a broad range of existing applications and services, including authentication, accounting, secure access and configuration management.

A13. Is it possible to access a server running behind NAT from the outside Internet? If possible, how?
Yes, it is possible, because the ZyWALL delivers the packet to the local server by looking it up in the NAT server

A workaround is to use an alternate path for your upstream traffic, such as a dial-up connection to an Internet service provider. So, if you can find another way to get your upstream packets to the Internet, you will still be able to receive downstream packets via the ZyWALL.

IP or utilize BOOTP/DHCP to request an IP address.
A22. What is DDNS?
The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your

Yes, the ZyWALL's NAT can handle IPSec ESP tunnel mode. When packets go through NAT, NAT changes the source IP address and source port of the host. To pass IPSec packets, NAT must

The flexible nature of stateful inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support.
2. Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND attacks.
3. Brute-force attacks that flood a network with useless data, such as the Smurf attack.
4. IP Spoofing

ICMP echo request packet, the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.
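Each of the three attacks named above has a simple packet-level signature, which is what a firewall's DoS protection keys on: LAND is a TCP packet whose source and destination address and port are identical; a SYN flood is a burst of bare SYNs (no ACK) at one socket, far more than a handshake rate; Smurf is an ICMP echo request aimed at a directed broadcast address so that every host on that segment answers the spoofed source. The following Python is an added example, not ZyXEL code, and the packet records and thresholds are constructed for the demo: it runs those three detections over a small sample capture.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"S"} or {"S", "A"}
    icmp_type: int = -1              # 8 = echo request


def detect_land(pkts):
    """LAND: a TCP packet whose source and destination address *and* port are identical."""
    return [p for p in pkts if p.proto == "tcp" and p.src == p.dst and p.sport == p.dport]


def detect_syn_flood(pkts, window=1.0, threshold=50):
    """Count bare SYNs (SYN without ACK) per destination socket in a sliding time window.

    Returns {(dst, dport): peak_count} for sockets whose peak reaches the threshold.
    """
    per_target = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            per_target[(p.dst, p.dport)].append(p.ts)
    alerts = {}
    for target, times in per_target.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[target] = peak
    return alerts


def detect_smurf(pkts, local_nets):
    """Smurf: ICMP echo requests aimed at a directed broadcast address of one of our networks."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for p in pkts:
        if p.proto != "icmp" or p.icmp_type != 8:
            continue
        dst = ipaddress.ip_address(p.dst)
        if dst == ipaddress.ip_address("255.255.255.255") or any(dst == n.broadcast_address for n in nets):
            hits.append((p.src, p.dst))
    return hits


def sample_capture():
    """Constructed traffic: normal handshakes, one LAND packet, a SYN flood and a Smurf trigger."""
    pkts = []
    # Ordinary handshakes to an internal HTTPS server.
    for i in range(3):
        pkts.append(Pkt(100.0 + i, "tcp", f"203.0.113.{10 + i}", "192.168.1.20", 40000 + i, 443, frozenset("S")))
        pkts.append(Pkt(100.1 + i, "tcp", "192.168.1.20", f"203.0.113.{10 + i}", 443, 40000 + i, frozenset("SA")))
    # LAND: spoofed so that source == destination on both address and port.
    pkts.append(Pkt(101.5, "tcp", "192.168.1.10", "192.168.1.10", 22, 22, frozenset("S")))
    # SYN flood: 60 bare SYNs from rotating spoofed sources within 0.3 s at one web server.
    for i in range(60):
        pkts.append(Pkt(102.0 + i * 0.005, "tcp", f"198.51.100.{1 + i % 200}", "192.168.1.10",
                        1024 + i, 80, frozenset("S")))
    # Smurf: echo request to the LAN's directed broadcast with a spoofed victim source.
    pkts.append(Pkt(103.0, "icmp", "10.9.9.9", "192.168.1.255", icmp_type=8))
    pkts.append(Pkt(103.1, "icmp", "192.168.1.30", "192.168.1.20", icmp_type=8))  # an ordinary ping
    return pkts


if __name__ == "__main__":
    capture = sample_capture()
    print("LAND packets:", detect_land(capture))
    print("SYN flood targets:", detect_syn_flood(capture))
    print("Smurf triggers:", detect_smurf(capture, ["192.168.1.0/24"]))
```

The SYN-flood threshold is the tuning knob: too low and a busy server's legitimate connection bursts trip it, too high and a slow flood that still exhausts the backlog passes. Measure the normal peak per socket first and set the threshold above it.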
ZyWALL. In such cases, the network topology is the most important issue. Here is a common example of how people mis-deploy LAN traffic redirect and static routes.

(A) Deploying your second gateway in an IP alias segment is the better solution. In this way, your connection is always under the control of the firewall, and thus there will be no Triangle Route problem.
(B) Deploying your second gateway on the WAN side.

• Deny bounce-back packets
• Allow packets that originate from us
Filter rule setup:
• Filter Type = TCP/IP Filter Rule
• Active = Yes
• Destination IP Addr = a.b.c.d
V4.00 is a major new release of ZyNOS and includes the following security services, which require license purchase and activation:
1. Anti-Virus + IDP security service
2. Anti-Spam security service
3. Content Filtering security service

1. Access firmware and security service updates.
2. Get ZyWALL alerts on services, firmware, and products.
3. Manage (activate, change or delete) your ZyWALL security services online.

Furthermore, the customer is no longer required to manually input the MAC address of the device, because the MAC address is sent automatically to myZyXEL.com during the registration flow.

Update Server in IDCs in a globally distributed architecture, plus a 24x7 monitoring mechanism. This fully assures the maximum quality of service for all security service subscribers.
E03. Can I specify the time out value of the query response from BlueCoat data center? Yes, you can change it on ZyXEL appliance. The default value of the time out is 10 seconds. All contents copyright (c) 2006 ZyXEL Communications Corporation.
E14. Can I override (block or allow) certain URLs regardless of the rating? Yes, you can use keyword blocking to override ratings in the BlueCoat database.
E15. How many URL keywords does the ZyWALL support? 64 keywords are supported.
E20. How do I locate sites to block? BlueCoat provides category ratings for Web sites. Based on the category rating from BlueCoat, users of ZyXEL appliances then define a blocking/forwarding policy in the Web GUI.
Do humans review the web sites?
E28. Can I change the password for the BlueCoat service? Yes, you can click the Register button in the ZyXEL appliance's Web GUI; the Http://myZyXEL.com web page then pops up. You can change the password in your user profile.
On 3.64, multiple Network Policies (IKE Phase 2) can be mapped to the same Gateway policy (IKE Phase 1). The ZyWALL counts the Network policies as VPN tunnels. In the following example, two network policies, Network_1 & Network_2, are mapped to the same gateway
Many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a
IP payload. Transport mode is mainly for an IP host to protect data it generates locally, while tunnel mode is for a security gateway to provide IPSec service to other machines that lack IPSec capability.
IP address dynamically assigned by the ISP, so the ZyWALL needs additional information to make the decision. This additional information is what we call the phase 1 ID. In the IKE payload, there are local and peer ID fields for this purpose.
ZyWALL. You can then configure VPN via the web configurator. Please download the firmware from our web site.
F13. How do I configure ZyWALL VPN? You can configure the ZyWALL for VPN via the web GUI. ZyWALL 1 supports Web only.
Secure Gateway IP Address -- This must be a public, routable IP address; a private IP is not allowed. That means it cannot be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 -
SecGo IPSec for Windows
F-Secure IPSec for Windows
KAME IPSec for UNIX
Nortel IPSec for UNIX
Intel VPN, v. 6.90
FreeS/WAN for Linux
SSH Remote ISAKMP Testing Page (http://isakmp-test.ssh.fi/cgi-bin/nph-isakmp-test)
Windows 2000, Windows XP IPSec
The ZyWALL WAN IP must be configured in the NAT Server Table. The WAN IP of the NAT router is the tunneling endpoint in this case, not the WAN IP of the ZyWALL.
To keep a tunnel alive, you can check the "Nailed-up" option when configuring your VPN tunnel. With this option, the ZyWALL keeps the IPSec tunnel up at all times: it tries to re-establish the tunnel whenever it is terminated for any reason.
Cryptography can be categorized into two types, symmetric and asymmetric cryptography. In symmetric cryptography, the encryption key is the same as the decryption key. Otherwise, we the
G04. What are the main elements of a PKI? A PKI includes:
• A Certification Authority
• Digital certificates
• Mathematically related key pairs, each comprising a private key and a public key
These elements work within a formal structure defined by:
Certification Authorities issue digital certificates that are appropriate to specific purposes or applications. For example, in the Government of Canada Public Key Infrastructure, digital certificates for data confidentiality are different from those used for digital signatures.
Certificate Policies
Suppose that the famous Bob and Alice wish to correspond electronically. Bob wants to assure Alice that he originated the electronic message, and that its contents have not been tampered with. He does so by signing the message with a digital signature.
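The symmetric/asymmetric distinction described above and Bob's signed message, shown as an added Python example (this is not ZyXEL code and not how the ZyWALL implements its PKI functions): a shared-key HMAC tag, which the same key both creates and checks, is placed beside a minimal textbook RSA signature over a SHA-256 digest, so the difference in what each one proves can be seen. The sample message, the shared key, and the two Mersenne primes used as RSA factors are constructed for illustration; the resulting modulus is far too small for real use and no signature padding scheme is applied.

```python
"""Symmetric tag vs. asymmetric signature: what each can prove.

Added illustration, not ZyXEL code. Parameters are constructed for
readability: the RSA modulus here is about 92 bits and no padding
(e.g. RSASSA-PSS) is used, so this must never be used for real traffic.
"""
import hashlib
import hmac

# ---- Symmetric: one shared key does both jobs (constructed sample key) ----
SHARED_KEY = b"constructed-demo-shared-key"


def symmetric_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256 over the message; anyone holding *key* can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def symmetric_verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison: proves integrity, but not which key holder sent it."""
    return hmac.compare_digest(symmetric_tag(message, key), tag)


# ---- Asymmetric: Bob signs with his private key, Alice checks with his public key ----
def toy_rsa_keypair():
    """Textbook RSA from two fixed Mersenne primes (constructed, illustrative only)."""
    p = (1 << 31) - 1          # 2^31 - 1, prime
    q = (1 << 61) - 1          # 2^61 - 1, prime
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537                  # common public exponent, coprime to phi here
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return (n, e), (n, d)      # (public key, private key)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message, then reduce into the RSA group so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Bob: s = H(m)^d mod n. Only the private-key holder can produce this."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Alice: s^e mod n must equal H(m). Any tampering changes H(m)."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo() -> dict:
    """Run both schemes on a constructed message and a tampered copy."""
    msg = b"Transfer 100 to account 42"        # constructed sample message
    tampered = b"Transfer 900 to account 42"   # one digit changed in transit

    public_key, private_key = toy_rsa_keypair()
    sig = sign(msg, private_key)
    tag = symmetric_tag(msg)

    return {
        # Both schemes detect tampering of the message body.
        "sym_ok": symmetric_verify(msg, tag),
        "sym_tampered": symmetric_verify(tampered, tag),
        "asym_ok": verify(msg, sig, public_key),
        "asym_tampered": verify(tampered, sig, public_key),
        # But with a shared key, Alice (or anyone with the key) can mint a
        # valid tag for a message Bob never sent, so the tag cannot show
        # that Bob originated it. Only the private-key signature does that.
        "alice_can_forge_symmetric": symmetric_verify(tampered, symmetric_tag(tampered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the dictionary makes is the one the FAQ is building toward: an HMAC over a shared secret detects modification just as well as a signature, but because both ends hold the same key it cannot prove to Alice, or to a third party, that Bob was the originator; the private-key signature can, which is why a PKI binds public keys to identities through certificates.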
The best thing about all these encryption, decryption, verifying and authenticating processes is that special software does them all transparently, so that Bob and Alice receive the assurances they need without actually having to engage in the computations themselves.
Users need to enroll My Certificates and import Trusted CA's certificates and Trusted Remote's certificates again.
G18. What can I do prior to resetting the appliance's configuration? You can export Trusted CA's certificates and Trusted Remote's certificates before resetting
H. Wireless FAQ
H01. What are the capabilities of the wireless feature of the ZyWALL? The ZyWALL 2WG has embedded wireless that supports 802.1x EAP-MD5/TLS/TTLS/PEAP authentication and WEP/WPA/WPA2 for secure access control.
H02. What is the coverage range of wireless in the ZyWALL? The coverage range is typically 50m~80m indoors and 150m~300m outdoors.
802.11g is an extension of 802.11b. 802.11g increases 802.11b's data rates to 54 Mbps and still uses the 2.4 GHz ISM band. Modulation is based on OFDM (orthogonal frequency division multiplexing) technology. An 802.11b radio card will interface directly with an 802.11g access point (and vice versa)
H12. What are the potential factors that may cause interference among WLAN products? Factors of interference:
1. Obstacles: walls, ceilings, furniture… etc.
SSID; since the SSID is sent in the clear in the probe message when a client associates to an AP, a sniffer just has to wait for a valid user to associate to the network to
H18. Can I use WiFi access when I plug a 3G wireless card in the PCMCIA slot? Yes, since the ZyWALL 2WG has an embedded wireless card for 802.11a/b/g wireless access.