Zyxel communications network hardware user manual (2 pages)
Summary of Contents for ZyXEL Communications 10
ZyWALL 10/10W/50/100 Internet Security Gateway User’s Guide Versions 3.52 and 3.60 December 2002...
ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
ZyWALL 10~100 Series Internet Security Gateway Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon...
When you contact your customer support representative, please have the following information ready: • Product model and serial number. • Information in Menu 24.2.1 – System Information.
List of Tables ...xxv Preface ...xxx Overview ... I Chapter 1 Getting to Know Your ZyWALL ... 1-1 The ZyWALL 10/10W/50/100 Internet Security Gateway ... 1-1 Features ... 1-1 Applications for the ZyWALL ... 1-7 Chapter 2 Hardware Installation ... 2-1 Front Panel LEDs and Back Panel Ports ...
Chapter 6 LAN Setup...6-1 Introduction...6-1 LAN Port Filter Setup...6-1 TCP/IP and LAN DHCP...6-2 TCP/IP and DHCP Ethernet Setup Menu ...6-5 Wireless LAN ...6-10 Wireless LAN Setup ...6-11 Chapter 7 Wireless LAN Security Setup ...7-1 Levels of Security ...7-1 Data Encryption with WEP...7-1 Network Authentication...7-3...
13.2 Types of Firewalls...13-1 13.3 Introduction to ZyXEL’s Firewall ...13-2 13.4 Denial of Service...13-3 13.5 Stateful Inspection ...13-7 13.6 Guidelines For Enhancing Security With Your Firewall ...13-11 13.7 Packet Filtering Vs Firewall ...13-12 Chapter 14 Introducing the ZyWALL Firewall ...14-1 14.1 Remote Management and the Firewall ...14-1 14.2...
System Status ... 21-1 21.2 System Information and Console Port Speed... 21-3 21.3 Log and Trace ... 21-5 21.4 Diagnostic ... 21-10 Chapter 22 Firmware and Configuration File Maintenance ... 22-1...
22.1 Filename Conventions ...22-1 22.2 Backup Configuration...22-2 22.3 Restore Configuration...22-8 22.4 Uploading Firmware and Configuration Files ...22-11 System Maintenance and Information and Remote Management ... VII Chapter 23 System Maintenance & Information...23-1 23.1 Command Interpreter Mode...23-1 23.2 Call Control Support ...23-2 23.3 Time and Date Setting ...23-5 Chapter 24 Remote Management ...24-1...
29.4 IPSec Setup ... 29-11 29.5 IKE Setup... 29-17 29.6 Manual Setup ... 29-21 Chapter 30 SA Monitor ... 30-1 30.1 Introduction ... 30-1 30.2 Using SA Monitor ... 30-1...
Troubleshooting ... X Chapter 31 Troubleshooting ... 1 31.1 Problems Starting Up the ZyWALL ... 1 31.2 Problems with the LAN Interface ... 2 31.3 Problems with the DMZ Interface... 2 31.4 Problems with the WAN Interface... 3 31.5 Problems with Internet Access... 3 31.6 Problems with the Password ...
Appendix Q Log Descriptions...69 Appendix R Brute-Force Password Guessing Protection...87 Index... XIII Index ...A...
Figure 5-1 MAC Address Cloning in WAN Setup...5-1 Figure 5-2 Menu 2: Dial Backup Setup ...5-3 Figure 5-3 Menu 2.1 Advanced WAN Setup ...5-5 Figure 5-4 Menu 11.1 Remote Node Profile (Backup ISP) ...5-7 Figure 5-5 Menu 11.2 - Remote Node PPP Options ...5-10...
Figure 5-8 Menu 11.4 – Remote Node Setup Script ... 5-14 Figure 5-9 Menu 11.5: Remote Node Filter (Ethernet) ... 5-15 Figure 5-10 Menu 11.5: Remote Node Filter (PPPoE or PPTP) ... 5-15 Figure 6-1 Menu 3: LAN Setup ... 6-1 Figure 6-2 Menu 3.1: LAN Port Filter Setup ...
Figure 10-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation ...10-4 Figure 10-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation...10-6 Figure 10-5 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation ...10-7 Figure 10-6 Menu 11.3: Remote Node Network Layer Options for PPTP Encapsulation...10-9 Figure 10-7 Menu 11.5: Remote Node Filter (Ethernet Encapsulation) ...10-11...
Figure 12-11 Multiple Servers Behind NAT Example ... 12-16 Figure 12-12 NAT Example 1 ... 12-17 Figure 12-13 Menu 4: Internet Access & NAT Example ... 12-17 Figure 12-14 NAT Example 2 ... 12-18 Figure 12-15 Menu 15.2: Specifying an Inside Server...
Figure 22-6 Successful Backup Confirmation Screen... 22-7 Figure 22-7 Telnet into Menu 24.6... 22-9 Figure 22-8 Restore Using FTP Session Example ... 22-10 Figure 22-9 System Maintenance: Restore Configuration ... 22-10 Figure 22-10 System Maintenance: Starting Xmodem Download Screen ... 22-10...
Figure 23-5 Call History ...23-4 Figure 23-6 Menu 24: System Maintenance ...23-5 Figure 23-7 Menu 24.10 System Maintenance: Time and Date Setting ...23-6 Figure 24-1 Telnet Configuration on a TCP/IP Network ...24-1 Figure 24-2 Menu 24.11 – Remote Management Control ...24-3 Figure 25-1 Application-based Bandwidth Management Example ...25-3...
Figure 25-10 Bandwidth Management Statistics ... 25-16 Figure 25-11 Bandwidth Manager Monitor ... 25-18 Figure 26-2 IP Routing Policy Setup ... 26-2 Figure 26-4 Menu 25.1: Sample IP Routing Policy Setup ... 26-3 Figure 26-5 IP Routing Policy ... 26-4 Figure 26-6 Menu 3.2: TCP/IP and DHCP Ethernet Setup ...
Figure 29-10 Menu 27.1.1.2: Manual Setup ...29-22 Figure 30-1 Menu 27.2: SA Monitor ...30-1...
Table 6-6 Wireless LAN Setup Menu Fields... 6-12 Table 7-1 Wireless LAN... 7-3 Table 7-2 Wireless LAN 802.1X Authentication ... 7-6 Table 7-3 Authentication RADIUS ... 7-7 Table 7-4 Local User Database ... 7-10 Table 7-5 WLAN MAC Address Filter ...7-11...
Table 10-4 Remote Node Network Layer Options Menu Fields...10-7 Table 10-5 Remote Node Network Layer Options Menu Fields...10-9 Table 10-6 Menu 11.1: Remote Node Profile (Traffic Redirect Field) ...10-14 Table 10-7 Traffic Redirect Setup...10-14 Table 11-1 IP Static Route Menu Fields ...11-3 Table 12-1 NAT Definitions...12-1...
Table 29-7 Menu 27.1: IPSec Summary ...29-8 Table 29-8 Menu 27.1.1: IPSec Setup...29-12 Table 29-9 Menu 27.1.1.1: IKE Setup ...29-19 Table 29-10 Active Protocol: Encapsulation and Security Protocol ...29-21 Table 29-11 Menu 27.1.1.2: Manual Setup...29-22 Table 30-1 Menu 27.2: SA Monitor...30-2 Table 31-1 Troubleshooting the Start-Up of your ZyWALL...
Table 31-4 Troubleshooting the WAN interface...3 Table 31-5 Troubleshooting Internet Access ...3 Table 31-6 Troubleshooting the Password ...4 Table 31-7 Troubleshooting Telnet...4...
This manual may refer to the ZyWALL 10/10W/50/100 Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10, 10W, 50 and 100 models. Supported features, and the details of those features, vary from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in chapter 1 to see which features are specific to your ZyWALL model.
Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem. • For brevity’s sake, we will use “e.g.” as a shorthand for “for instance” and “i.e.” for “that is” or “in other words” throughout this manual.
Part I: Overview This part covers Getting to Know Your ZyWALL and Hardware Installation.
This chapter introduces the main features and applications of the ZyWALL. The ZyWALL 10/10W/50/100 Internet Security Gateway The ZyWALL 10/10W/50/100 are the ideal secure gateways for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, ZyXEL’s ZyWALL 10/10W/50/100 is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
Physical Features Auto-negotiating 10/100 Mbps Ethernet LAN The LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet. Auto-sensing 10/100 Mbps Ethernet LAN The LAN interface automatically adjusts to either a crossover or straight-through Ethernet cable. This feature is not available on all models.
10/100 Mbps Ethernet WAN The 10/100 Mbps Ethernet WAN port attaches to the Internet via broadband modem or router. This feature is not available on all models. Backup WAN or Auxiliary The Dial Backup or Auxiliary port can be used in reserve as a traditional dial-up connection when/if ever the broadband connection to the WAN port fails.
Firewall The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN.
Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the ZyWALL and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network. This feature is not available on all models.
SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network.
LAN port: The auto-negotiating 10/100 Mbps Ethernet LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet. Attach computers that are to be secured from the outside world to this port. These computers will have access to e-mail, FTP and the World Wide Web but incoming connections (from the Internet) are only allowed if the connection is originally initiated from the LAN computer or a firewall rule has been specifically configured to allow access.
1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. Figure 1-2 VPN Application...
Chapter 2 Hardware Installation This chapter explains the LEDs and ports as well as how to connect the hardware. Refer to Table 1-1 for a list of hardware features that are specific to individual models.
Figure 2-4 ZyWALL 10 Front Panel (LED legend fragment: LAN 10M Green, 100M Orange; DMZ 10M Green, 100M Orange). Table 2-1 LED Descriptions (fragment) STATUS: The ZyWALL is turned on. The ZyWALL is turned off. The ZyWALL is not ready or failed. The ZyWALL is ready and running.
Table 2-1 LED Descriptions (continued) STATUS: The 100M DMZ is not connected. The ZyWALL is connected to a 100Mbps DMZ. ZyWALL Rear Panel and Connections The following figure shows the rear panels of the ZyWALL.
Figure 2-7 ZyWALL 10W Rear Panel Figure 2-8 ZyWALL 10 Rear Panel This section outlines how to connect your ZyWALL. If you want to connect a cable modem, you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the cable modem.
If you have more than one public server, then you must use an external hub. Connect the 10/100M DMZ port on the ZyWALL to a port on the hub using a straight-through Ethernet cable. This feature is not available on all models.
PCMCIA card from the slot. Slide the 64-pin connector end of the PCMCIA wireless LAN card into the slot. See Figure 2-9 for an example. (Figure legend fragment: A COMPUTER; Straight-through Ethernet cable; Crossover Ethernet cable...)
Do not force, bend or twist the wireless LAN card. Figure 2-9 Inserting the Wireless LAN Card 2.2.7 Connecting the Power to your ZyWALL Connect the female end of the included power adaptor or power cord to the port labeled POWER on the rear panel of your ZyWALL.
After the ZyWALL is properly set up, you can make future changes to the configuration through telnet connections. To keep the ZyWALL operating at optimal internal temperature, keep the bottom, sides and rear clear of obstructions and away from the exhaust of other equipment.
Part II: Initial Setup and Configuration This part covers Initial Setup, SMT Menu 1 General Setup, WAN and Dial Backup Setup, LAN Setup, Wireless LAN Setup, DMZ Setup, and Internet Access.
When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. OPERATION KEYSTROKES Move down to...
Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Not all models have all the features shown. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3.
Table 3-2 Main Menu Summary. MENU TITLE: Internet Access Setup; DMZ Setup (This feature is not available on all models.); Remote Node Setup; Static Routing Setup; NAT Setup; Filter and Firewall Setup; SNMP Configuration; System Password; System Maintenance; IP Routing Policy Setup; Schedule Setup; VPN/IPSec Setup; Exit. Internet Access Setup: Configure your Internet Access setup (Internet address, gateway, login,...
3.2.3 SMT Menus at a Glance The available SMT screens vary by ZyWALL model. The following SMT overview applies to the ZyWALL 100. Figure 3-4 Getting Started and Advanced Applications SMT Menus Initial Setup...
Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an “X” for each character you type. Menu 23 - System Password Old Password= ?
3. While pressing the RESET button, turn the ZyWALL on. 4. Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 10 or 15 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
The ZyWALL supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service. Chapter 4 SMT Menu 1 - General Setup...
4.2.1 DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. General Setup Step 1.
EMAIL Enter your e-mail address. Menu 1.1 - Configure Dynamic DNS Press ENTER to confirm or ESC to cancel: Figure 4-2 Configure Dynamic DNS...
Table 4-2 Configure Dynamic DNS Menu Fields FIELD / DESCRIPTION: USER – Enter your user name. Password – Enter the password assigned to you. Enable Wildcard – Your ZyWALL supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No. This field is N/A when you choose DDNS client as your service provider.
Figure 5-1 MAC Address Cloning in WAN Setup The following table contains instructions on how to configure your WAN setup. Menu 2 - WAN Setup...
Table 5-1 MAC Address Cloning in WAN Setup FIELD MAC Address: Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of that workstation whose IP you give in the following field.
[SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1: Advanced Setup. Menu 2 - WAN Setup MAC Address: Assigned By= Factory default...
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Advanced WAN Setup Consult the manual of your WAN device connected to your Dial Backup port for ... 5.5.1 AT Command Strings For regular telephone lines, the default “Dial”...
AT response string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication. Menu 2.1 - Advanced WAN Setup Call Control: Dial Timeout(sec)= 60...
Table 5-3 Advanced WAN Port Setup: AT Commands Fields FIELD / DESCRIPTION: Called Id – Enter the keyword preceding the dialed number. Speed – Enter the keyword preceding the connection speed. Table 5-4 Advanced WAN Port Setup: Call Control Parameters FIELD / DESCRIPTION: Call Control, Dial Timeout (sec) – Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping).
Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node. Outgoing Edit PPP Options= No Rem IP Addr= 0.0.0.0 Edit IP= No...
Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT Options script for the dial backup remote node (Menu 11.4 - Remote Node Script). See section 5.10 for more information. Telco Option, Allocated Budget – Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field.
Enter the time period (in hours) for how often the budget should be reset. For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour).
Standard PPP. Compression Press [SPACE BAR] and then [ENTER] to select Yes to enable or No to disable Stac compression. Menu 11.2 - Remote Node PPP Options Encapsulation= Standard PPP Compression= No Enter here to CONFIRM or ESC to CANCEL:...
Enter your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router. Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0...
“Press ENTER to Confirm...” to save your configuration and return to menu 11, or press [ESC] at any time to cancel. 5.10 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose.
60 seconds), the ZyWALL will timeout and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect.
Active= No Set 1: Expect= Send= Set 2: Expect= Send= Set 3: Expect= Send= Set 4: Expect= Send= Figure 5-8 Menu 11.4 – Remote Node Setup Script The following table describes each field in Menu 11.4 – Remote Node Setup Script. Table 5-7 Remote Node Script Menu Fields FIELD Active...
Figure 5-9 Menu 11.5: Remote Node Filter (Ethernet) Figure 5-10 Menu 11.5: Remote Node Filter (PPPoE or PPTP) Menu 11.5 - Remote Node Filter...
LAN traffic, however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. ...available on the ZyWALL 10W and 100 models. Menu 3 - LAN Setup 1.
TCP/IP and LAN DHCP The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 6.3.1 Factory LAN Defaults The LAN parameters of the ZyWALL are preset in the factory with the following values: 1.
Factory LAN default values (table fragment): 192.168.1.2 - 192.168.1.32; 192.168.1.65 - 192.168.1.254; 255.255.255.0; 192.168.1.1 (ZyWALL LAN IP Address). However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
Table 6-2 Private IP Address Ranges: 10.0.0.0 — 10.255.255.255; 172.16.0.0 — 172.31.255.255; 192.168.0.0 — 192.168.255.255.
- it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255.
Figure 6-5 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Configuration: TCP/IP Setup:...
Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. (Table fragment, DESCRIPTION / EXAMPLE columns: Server; 192.168.1.33...)
FIELD RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None. Version Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M. Multicast IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel. Menu 3.2.1 - IP Alias Setup IP Alias 1= No...
AP, it might not know that the other station is already using the wireless medium. When these two stations send data at the same time, their frames might collide when arriving simultaneously at the AP. The collision will almost certainly result in a loss of messages for both stations.
WEP is enabled. See section 7.2 for more information about configuring WEP data encryption. Wireless LAN Setup Use menu 3.5 to set up your ZyWALL as the wireless access point. Figure 6-8 RTS Threshold
See section 7.2 for instructions on WEP and section 7.5 for instructions on configuring the MAC address filter. If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. The ZyWALL LAN Ethernet and wireless ports can transparently communicate with each other (transparent bridge).
WEP key for data encryption and decryption. For wireless LAN setup, refer to section 6.6. Wireless LAN Security Setup (available on the ZyWALL 10W and 100 models).
Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys but only one key can be enabled at any one time. In order to configure and enable WEP encryption, click Advanced, Wireless and the Wireless tab to display the Wireless LAN screen.
Key 1 to Key 4 – If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal digits ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal digits ("0-9", "A-F") preceded by 0x for each key.
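To make the key-entry rule concrete, here is an added Python check (written for this page, not ZyXEL's code) that accepts a key only in the two forms the screen describes, 5/13 printable ASCII characters or 0x plus 10/26 hex digits, and converts it to the raw bytes the device would program; it also validates a set of up to four keys with one enabled. The function names and the key-set helper are my own.

```python
import re

# WEP key sizes as the ZyWALL screen names them, mapped to what the user must
# type. The advertised size includes the 24-bit IV, so the secret part is
# 40 bits (5 bytes) for "64-bit" and 104 bits (13 bytes) for "128-bit".
WEP_KEY_SPECS = {
    64: {"ascii_chars": 5, "hex_digits": 10},
    128: {"ascii_chars": 13, "hex_digits": 26},
}

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_wep_key(key: str, bits: int) -> bytes:
    """Validate one key as entered in a Key 1..4 field and return its bytes.

    Accepted forms, exactly as the manual states them:
      * an ASCII string of exactly 5 (64-bit) or 13 (128-bit) characters, or
      * "0x" followed by exactly 10 (64-bit) or 26 (128-bit) hex digits.
    Anything else raises ValueError instead of being padded or truncated,
    so a mistyped key never silently becomes a different key.
    """
    if bits not in WEP_KEY_SPECS:
        raise ValueError(f"unsupported WEP key size: {bits}-bit")
    spec = WEP_KEY_SPECS[bits]

    # A leading "0x" selects the hex form; an ASCII key may therefore not
    # start with "0x" (the screen reads that prefix the same way).
    if key[:2].lower() == "0x":
        digits = key[2:]
        if len(digits) != spec["hex_digits"]:
            raise ValueError(
                f"{bits}-bit hex key needs {spec['hex_digits']} digits, "
                f"got {len(digits)}")
        if not HEX_RE.fullmatch(digits):
            raise ValueError("hex key may only contain digits 0-9 and A-F")
        return bytes.fromhex(digits)

    # ASCII form: count characters and refuse anything outside printable
    # single-byte ASCII, which the device's key field cannot represent.
    if len(key) != spec["ascii_chars"]:
        raise ValueError(
            f"{bits}-bit ASCII key needs {spec['ascii_chars']} characters, "
            f"got {len(key)}")
    if not key.isascii() or not key.isprintable():
        raise ValueError("ASCII key must consist of printable ASCII characters")
    return key.encode("ascii")


def wep_key_is_valid(key: str, bits: int) -> bool:
    """Boolean wrapper around parse_wep_key for form-style validation."""
    try:
        parse_wep_key(key, bits)
    except ValueError:
        return False
    return True


def build_wep_key_set(keys, bits: int, active: int):
    """Validate a set of one to four keys plus the single key that is enabled.

    `active` is the 1-based key number shown on the screen (Key 1 .. Key 4).
    Returns (list_of_key_bytes, zero_based_index_of_the_enabled_key).
    """
    if not 1 <= len(keys) <= 4:
        raise ValueError("the ZyWALL holds between one and four WEP keys")
    if not 1 <= active <= len(keys):
        raise ValueError(
            f"active key {active} is not one of the {len(keys)} configured keys")
    return [parse_wep_key(k, bits) for k in keys], active - 1
```

This check only confirms that a key has the shape the ZyWALL accepts; WEP itself is cryptographically broken, so a well-formed key does not make the link safe.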
• Authorization Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your ZyWALL acts as a message relay between the wireless client and the network RADIUS server.
Otherwise, no traffic is allowed. 7.3.4 Enable EAP Authentication on Your ZyWALL Click Advanced, Wireless and the 802.1X tab to display the Wireless LAN 802.1X Authentication screen.
Figure 7-4 Wireless LAN 802.1X Authentication The following table describes the fields in this screen. Table 7-2 Wireless LAN 802.1X Authentication FIELD / DESCRIPTION: Authentication Control – Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box. Select Auto to authenticate all wireless clients before they can access the wired network.
ZyWALL. Server Address Enter the IP address of the external authentication server in dotted decimal notation. Figure 7-5 Authentication RADIUS Table 7-3 Authentication RADIUS DESCRIPTION EXAMPLE 10.11.12.13...
RADIUS server. Click Advanced, Wireless and the Local User Database tab to display the following screen (some of the screen’s blank rows are not shown). Table 7-3 Authentication RADIUS (continued; EXAMPLE column values: 1812, 10.11.12.13, 1813)
MAC addresses. However, intruders could fake allowed MAC addresses, so MAC-based authentication is less secure than EAP authentication. Click Advanced, Wireless and the MAC Filter tab to display the Wireless LAN MAC Filter screen. Table 7-4 Local User Database DESCRIPTION...
MAC Address – Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the ZyWALL in these address fields. Figure 7-7 WLAN MAC Address Filter Table 7-5 WLAN MAC Address Filter DESCRIPTION...
Table 7-5 WLAN MAC Address Filter FIELD / DESCRIPTION: Click Apply to save these settings back to the ZyWALL. Click Reset to start this screen afresh.
This chapter describes how to configure the ZyWALL 100’s DMZ using Menu 5: DMZ Setup. Introduction The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic. This feature is not available on all models. Figure 8-2 Menu 5.1: DMZ Port Filter Setup TCP/IP Setup 8.3.1 IP Address For more detailed information about RIP setup, IP Multicast and IP alias, please refer to the LAN chapter.
[SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Pressing [ENTER] opens Menu 5.2.1 - IP Alias Setup, as shown next. Menu 5.2 - TCP/IP Ethernet Setup TCP/IP Setup:...
Press Space Bar to Toggle. Refer to Table 6-5 for instructions on configuring IP Alias parameters. Menu 5.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A...
ISP’s Name Enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only. Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard...
Table 9-1 Menu 4: Internet Access Setup Menu Fields FIELD Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method) or RR-Telstra.
Idle Timeout This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server. Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPTP Service Type= N/A...
9.1.4 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius).
See the firewall chapters for more information on the firewall. (Table fragment, DESCRIPTION column: “...originates from the Internet.”)
Chapter 10 Remote Node Setup This chapter shows you how to configure a remote node. Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. ________ Enter Node # to Edit: Figure 10-1 Menu 11 Remote Node Setup
My Password= N/A Server IP= N/A Press ENTER to Confirm or ESC to Cancel: Figure 10-2 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD / DESCRIPTION: Rem Node Name – Enter a descriptive name for the remote node. This field can be up to eight characters.
Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. 10.2.2 PPPoE Encapsulation Table 10-1 Fields in Menu 11.1 DESCRIPTION EXAMPLE...
My Password= ********
Authen= CHAP/PAP
Press Space Bar to Toggle.
Figure 10-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
Outgoing Authentication Protocol: Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors' implementations include a specific authentication protocol in the user profile and will disconnect if the negotiated protocol differs from the one in the user profile, even when the negotiated protocol is stronger than the one specified.
This field is the time period after which the budget is reset. For example, if you are allowed to call this remote node for a maximum of 10 minutes every hour, then the Allocated Budget is 10 (minutes) and the Period(hr) is 1 (hour).
Connection ID/Name=
Press Space Bar to Toggle.
Figure 10-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation
The next table shows how to configure the fields in menu 11.1 not previously discussed.
Table 10-3 Fields in Menu 11.1 (PPTP Encapsulation)
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
Figure 10-5 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation
The next table gives you instructions about configuring remote node network layer options.
Table 10-4 Remote Node Network Layer Options Menu Fields
Metric: Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher the route's priority.
11.1, press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
Figure 10-6 Menu 11.3: Remote Node Network Layer Options for PPTP Encapsulation
The next table gives you instructions about configuring remote node network layer options.
Table 10-5 Remote Node Network Layer Options Menu Fields
My WAN Addr: Some implementations, especially UNIX derivatives, require the WAN link to have a separate IP network number from the LAN, and each end must have a unique address within that WAN network number.
For more information on defining the filters, please refer to the Filters chapter. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets.
Figure 10-7 Menu 11.5: Remote Node Filter (Ethernet Encapsulation)
Menu 11.5 - Remote Node Filter...
Figure 10-8 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation)
10.5 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
My Login= N/A
My Password= N/A
Server IP= N/A
Figure 10-11 Menu 11.1: Remote Node Profile
To configure traffic redirect properties, press [SPACE BAR] to select Yes in the Edit Traffic Redirect field and then press [ENTER].
Table 10-6 Menu 11.1: Remote Node Profile (Traffic Redirect Field)
Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 -...
When you have completed this menu, press [ENTER] at the prompt "Press [ENTER] to confirm or [ESC] to cancel" to save your configuration, or press [ESC] to cancel and go back to the previous screen.
Table 10-7 Traffic Redirect Setup (DESCRIPTION, EXAMPLE) 0.0.0.0...
Chapter 11 IP Static Route Setup
This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN.
11.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes shown next to configure IP static routes in menu 12.
1.
Figure 11-2 Menu 12: IP Static Route Setup (ZyWALL 10W)
Now, enter the index number of the static route that you want to configure.
(see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher the route's priority.
Menu 12.1 - Edit IP Static Route
Route #: 1...
Private: This parameter determines whether the ZyWALL includes the route to this remote node in its RIP broadcasts. If set to Yes, the route is kept private and not included in RIP broadcasts.
Local: This refers to the packet address (source or destination) as the packet travels on the LAN.
Global: This refers to the packet address (source or destination) as the packet travels on the WAN.
This chapter discusses how to configure NAT on the ZyWALL.
Table 12-1 NAT Definitions...
NAT never changes the IP address (either local or global) of an outside host.
12.1.2 What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
12.1.4 NAT Application
The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types. The following table summarizes these types.
Table 12-2 NAT Mapping Types (TYPE / IP MAPPING)
One-to-One: ILA1 <-> IGA1
Many-to-One (SUA/PAT): ILA1...
Many-to-Many Overload: ...
Many-One-to-One: ...
Server: ...
12.2 Using NAT
You must create a firewall rule, in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
12.2.1 SUA (Single User Account) Versus NAT
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.
Menu 4 - Internet Access Setup...
Figure 12-6 Menu 15.1: Address Mapping Sets
SUA Address Mapping Set: Enter 255 to display the next screen (see also section 12.2.1). The fields in this menu cannot be changed.
Menu 15 - NAT Setup
Address Mapping Sets...
Set Name= SUA
Local Start IP    Local End IP
---------------   ---------------
0.0.0.0           255.255.255.255
Press ENTER to Confirm or ESC to Cancel:
Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules
The following table explains the fields in this screen.
Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your newly configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9.
Table 12-4 SUA Address Mapping Rules
DESCRIPTION ... [ENTER] ... at the bottom of the screen.
Once you have finished configuring a rule in this menu, press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration, or press [ESC] to cancel.
address.
Menu 15.1.1.1 Address Mapping Rule...
(for example both FTP and web service), it might be better to specify a range of port numbers. Entry 12 (port 1026) is non-editable (see Figure 12-10). In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server.
Press [ENTER] at the "Press ENTER to confirm ..." prompt to save your configuration after you define all the servers, or press [ESC] at any time to cancel.
Table 12-7 Services & Port Numbers...
Menu 15.2 - NAT Server Setup
Rule   Start Port No.   End Port No.   IP Address
---------------------------------------------------
       Default          Default        0.0.0.0
       1026             1026           ...
Press ENTER to Confirm or ESC to Cancel:
Figure 12-10 Menu 15.2: NAT Server Setup
Figure 12-11 Multiple Servers Behind NAT Example
In the following Internet access example, you only need one rule, where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 12-12 NAT Example 1
Figure 12-13 Menu 4: Internet Access & NAT Example
Menu 4 - Internet Access Setup...
From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 12.5. The SUA Only read-only option in the Network Address Translation field of menus 4 and 11.3 is specifically pre-configured to handle this case.
NAT on the LAN. The example situation looks somewhat like this:
Menu 15.2 - NAT Server Setup
Rule   Start Port No.
Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). (See Figure 12-18.)
Local IP: Start= 192.168.1.10
Global IP: Start= 10.132.50.1
Press Space Bar to Toggle.
Figure 12-17 Example 3: Menu 11.3
Menu 15.1.1.1 Address Mapping Rule
= N/A
= N/A
Press ENTER to Confirm or ESC to Cancel:
Figure 12-18 Example 3: Menu 15.1.1.1...
Set Name= Example3
Local Start IP
---------------
1. 192.168.1.10
2. 192.168.1.11
3. 0.0.0.0
Figure 12-19 Example 3: Final Menu 15.1.1
Now configure IGA3 to map to our web server and mail server on the LAN.
12.5.4 Example 4: NAT Unfriendly Application Programs
Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping, as port numbers do not change for the Many-One-to-One (and One-to-One) NAT mapping types.
Type= Many-One-to-One
Local IP: Start= 192.168.1.10
          End= 192.168.1.12
Global IP: Start= 10.132.50.1
           End= 10.132.50.3
Figure 12-22 Example 4: Menu 15.1.1.1: Address Mapping Rule
After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
ZyWALL associates Jane's computer IP address with the "incoming" port range of 6970-7170.
3. The Real Audio server responds using a port number in the range 6970-7170.
4. The ZyWALL forwards the traffic to Jane's computer IP address.
5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.
DESCRIPTION EXAMPLE...
Part IV: Firewall and Content Filters
This part introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and gives example firewall rules and an overview of content filtering.
Chapter 13 Firewalls
This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall.
13.1 What Is a Firewall?
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
Figure 13-1 ZyWALL Firewall Application
13.4 Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are:
13.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1.
(which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
Figure 13-2 Three-Way Handshake
Figure 13-3 SYN Flood
2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3.
The ZyWALL uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyWALL's stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection:
Allows all sessions originating from the LAN (local network) to the WAN (Internet).
Denies all sessions originating from the WAN to the LAN.
The previous figure shows the ZyWALL's default firewall rules in action and demonstrates how stateful inspection works.
Table 13-3 Legal NetBIOS Commands MESSAGE:...
Allow certain types of traffic from the Internet to specific hosts on the LAN.
iii. Allow access to a Web server to everyone but competitors.
Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic's source IP address, destination IP address and IP protocol type, and comparing these to rules set by the administrator. The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
5. For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6. Protect against IP spoofing by making sure the firewall is active.
9. If you use "chat rooms" or IRC sessions, be careful with any information you reveal to strangers.
10. If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that cause your system to slowly become unstable or unusable.
2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
3. To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4. The firewall performs better than filtering if you need to check many rules.
5.
Figure 14-1 Menu 21: Filter and Firewall Setup
Introducing the ZyWALL Firewall
This chapter shows you how to get started with the ZyWALL firewall.
Menu 21 - Filter and Firewall Setup
1.
14.3.1 Activating the Firewall
Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
Click Advanced, Firewall and then the Summary tab. Enable (or activate) the firewall by clicking the Enable Firewall check box as seen in the following screen.
Chapter 15 Using the ZyWALL Web Configurator
Figure 15-1 Enabling the Firewall (ZyWALL 100)
15.2.1 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 15-2; check the Generate alert when attack detected check box) or when a rule is matched in the Rule Config screen (see Figure 16-4). When an event generates an alert, a message is immediately sent to an e-mail account specified by...
determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.
threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.
TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
Figure 15-2 Attack Alert
Table 15-1 Attack Alert (DESCRIPTION / DEFAULT VALUES)
80 existing half-open sessions.
The above values cause the ZyWALL to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions when the number of existing half-open sessions drops below 80.
10 existing half-open TCP sessions.
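The high/low watermark on half-open sessions described above, together with the per-destination-host cap from the TCP Maximum Incomplete setting, is the kind of hysteresis a SYN-flood limiter needs so that it does not flap at the boundary. The following is an added illustrative model written for this page, not ZyXEL's code; it uses the default values quoted here (high 100, low 80, 10 half-open TCP sessions per destination host), and the choice to evict the oldest half-open session first and the simulated flow tuples are assumptions made for the example. The one-minute rate thresholds are not modelled.

```python
"""Illustrative model of the ZyWALL Attack Alert thresholds (example code,
not ZyXEL's implementation).

Two defences from the Attack Alert screen are modelled:
  * a global high/low watermark on half-open (embryonic) sessions: once the
    count rises above HIGH the device deletes half-open sessions until the
    count drops below LOW, so it does not oscillate around a single limit;
  * a per-destination-host cap (TCP Maximum Incomplete): more than
    MAX_INCOMPLETE half-open sessions aimed at one host is treated as a
    likely SYN flood against that host and the host is flagged.
Values are the manual's defaults; "evict the oldest first" is an assumption.
"""
from collections import OrderedDict
from dataclasses import dataclass, field

HIGH = 100           # start deleting half-open sessions above this count
LOW = 80             # stop deleting once the count has dropped below this
MAX_INCOMPLETE = 10  # half-open sessions tolerated toward one destination host


@dataclass
class HalfOpenTracker:
    # key: (src_ip, src_port, dst_ip, dst_port); value: time the SYN was seen.
    # OrderedDict keeps insertion order, so the first entry is the oldest.
    half_open: "OrderedDict[tuple, float]" = field(default_factory=OrderedDict)
    evicted: int = 0
    flagged_hosts: set = field(default_factory=set)

    def syn(self, flow, now):
        """A client SYN was seen: the session is now half-open."""
        self.half_open[flow] = now
        self.half_open.move_to_end(flow)
        self._enforce_global_watermark()
        self._check_destination_host(flow[2])

    def established(self, flow):
        """Final ACK of the three-way handshake: no longer half-open."""
        self.half_open.pop(flow, None)

    def _enforce_global_watermark(self):
        # Hysteresis: only act once strictly above HIGH, then keep deleting
        # until the count is strictly below LOW.
        if len(self.half_open) <= HIGH:
            return
        while len(self.half_open) >= LOW:
            self.half_open.popitem(last=False)  # oldest first (assumption)
            self.evicted += 1

    def _check_destination_host(self, dst_ip):
        n = sum(1 for f in self.half_open if f[2] == dst_ip)
        if n > MAX_INCOMPLETE:
            self.flagged_hosts.add(dst_ip)

    def count(self):
        return len(self.half_open)


def simulate_syn_flood(total_syns, victim="192.168.1.10"):
    """Constructed scenario: total_syns SYNs from distinct (constructed)
    source addresses to one LAN host, none of which complete the handshake.
    Returns the tracker so the caller can inspect counts and flags."""
    tracker = HalfOpenTracker()
    for i in range(total_syns):
        src = f"203.0.113.{i % 254 + 1}"  # TEST-NET-3 addresses, constructed
        tracker.syn((src, 40000 + i, victim, 80), now=float(i))
    return tracker


def simulate_normal_traffic(clients, server="192.168.1.20"):
    """Constructed scenario: every client completes its handshake, so no
    half-open sessions accumulate and nothing is flagged or evicted."""
    tracker = HalfOpenTracker()
    for i in range(clients):
        flow = (f"198.51.100.{i % 254 + 1}", 50000 + i, server, 443)
        tracker.syn(flow, now=float(i))
        tracker.established(flow)
    return tracker


if __name__ == "__main__":
    flood = simulate_syn_flood(120)
    print(f"after 120 unanswered SYNs: {flood.count()} half-open, "
          f"{flood.evicted} evicted, flagged hosts: {sorted(flood.flagged_hosts)}")
    normal = simulate_normal_traffic(200)
    print(f"after 200 completed handshakes: {normal.count()} half-open, "
          f"flagged hosts: {sorted(normal.flagged_hosts)}")
```

With 120 unanswered SYNs the 101st pushes the count over 100, 22 sessions are deleted to bring it to 79, and the remaining 19 SYNs leave 98 half-open; the victim is flagged as soon as its 11th half-open session appears.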
When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.
Table 15-1 Attack Alert DESCRIPTION...
This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computers on the WAN and/or managing the ZyWALL.
• DMZ to LAN
• DMZ to DMZ/ZyWALL
• WAN to LAN
• WAN to WAN/ZyWALL
•...
This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and/or managing the ZyWALL. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so. If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network.
Destination Address: What is the connection's destination address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet?
16.3 Connection Direction Examples
This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. Rules for the DMZ work in a similar fashion. LAN to LAN/ZyWALL, WAN to WAN/ZyWALL and DMZ to DMZ/ZyWALL rules apply to packets coming in on the associated interface (LAN, WAN, or DMZ respectively).
See the following figure.
Figure 16-2 WAN to LAN Traffic
16.4 Rule Summary
Click Advanced, Firewall and the Summary tab to display the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed.
Figure 16-3 Firewall Rules Summary: First Screen (ZyWALL100)
The following table describes the fields in the firewall summary screen.
Table 16-1 Firewall Rules Summary: First Screen
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
(Not Match), both (Both) or no log is created (None).
Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
Table 16-1 Firewall Rules Summary: First Screen
Insert: Type the index number for where you want to put a rule. For example, if you type "6", your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
MULTICAST(IGMP:0)
NEW-ICQ(TCP:5190)
NEWS(TCP:144)
NFS(UDP:2049)
Table 16-2 Predefined Services
DESCRIPTION: A popular videoconferencing solution from White Pines Software. Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
TRAPS(TCP/UDP:162)
SQL-NET(TCP:1521)
SSH(TCP/UDP:22)
STRM WORKS(UDP:1558)
SYSLOG(UDP:514)
Table 16-2 Predefined Services
Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
Step 2. Click Insert to display this screen and refer to the following table for information on the fields.
Table 16-2 Predefined Services
DESCRIPTION: Login Host Protocol used for TACACS (Terminal Access Controller Access Control System).
Figure 16-4 Creating/Editing A Firewall Rule (ZyWALL100)
Table 16-3 Creating/Editing A Firewall Rule (FIELD / DESCRIPTION / OPTIONS)
Active: Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to...
Matched Packets forwarded? Make your choice from the drop-down list box. Note that Block means the firewall silently discards the packet.
OPTIONS: LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ...
This field determines whether a log is created for packets that match the rule, for packets that don't match the rule, for both, or for neither.
Alert: Check the Alert check box to have this rule generate an alert when the rule is matched.
When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.
Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box.
Start IP Address: Enter the single IP address or the starting IP address in a range here.
Figure 16-6 Creating/Editing A Custom Port
The next table describes the fields in this screen.
Table 16-5 Creating/Editing A Custom Port
Service Name: Enter a unique name for your custom port.
Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop-down list box.
Figure 16-7 Firewall Rule Configuration Screen (ZyWALL100)
Step 4. Click Any in the Source Address box and then click ScrDelete.
Step 5. Click ScrAdd under the Source Address box.
Step 6. Configure the Firewall IP Config screen as follows and click Apply.
Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Custom Port Configuration screen. Configure it as follows and click Apply.
Custom ports show up with an "*" before their names in the Services list box and the Rule Summary list box. Click Apply after you've created your custom port.
Figure 16-9 Custom Port for MyService
This is the address range of the "MyService" servers.
Figure 16-10 MyService Rule Configuration (ZyWALL100)
Click Apply when finished.
This is your "MyService" custom port.
Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL.
Rule 1: Allows a "MyService" connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Figure 16-11 Example 3: Rule Summary (ZyWALL100)
The ZyWALL also allows you to define time periods and days during which content filtering should be enabled.
17.1.4 Configure Categories
Click Content on the navigation panel, and then the Categories tab to open the following screen.
Chapter 17 Content Filtering
Restricted Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
A tool for building dynamic and active Web pages and distributed object applications. When...
Sexual Acts: Selecting this category excludes pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Also includes phone sex ads, dating services, adult personals, CD-ROMs and videos.
Table 17-1 Content Filter: Categories
Gross Depictions: Selecting this category excludes pictures or descriptive text of anyone or anything that is crudely vulgar or grossly deficient in civility or behavior, or that shows scatological impropriety. Includes such depictions as maiming, bloody figures, or indecent depiction of bodily functions.
ZyWALL for the initial free subscription in this page by filling in your personal information in the fields and then clicking Apply. You must fill in all required fields (denoted by an asterisk).
Table 17-1 Content Filter: Categories DESCRIPTION...
Last Name: Type your last name. You may enter up to 31 characters. This is a required field.
First Name: Type your first name. You may enter up to 31 characters. This is a required field.
E-mail: Type your e-mail address. You may enter up to 40 characters. This is a required field.
Company: Type the name of your company.
Type your last name. You may enter up to 31 characters (required field).
First Name: Type your first name. You may enter up to 31 characters (required field).
Figure 17-3 Content Filter: iCard
Table 17-3 Content Filter: iCard DESCRIPTION...
E-mail: Type your e-mail address. You may enter up to 40 characters (required field).
Company: Type the name of your company. You may enter up to 31 characters.
Title: Type your job title. You may enter up to 31 characters.
Country: Type your country name.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
Figure 17-4 Content Filter: List Update
Table 17-4 Content Filter: List Update DESCRIPTION...
17.5 Exempt Computers
Click Content on the navigation panel, and then the Exempt Zone tab to open the following screen. Use this screen to include or exclude a range of users on the LAN from content filtering.
Click Content on the navigation panel, and then the Customize tab to open the following screen. Use this screen to customize the content filter list by adding or removing specific sites from the filter list.
Figure 17-6 Content Filter: Customize
Table 17-6 Content Filter: Customize
Filter List Customization: Make sure the Enable Filter List Customization check box is selected to make this feature available. Add or remove sites from the Filter List to customize the Content Filter List.
Enable Filter List Customization: Select this check box to allow Trusted Domain web sites and block Forbidden Domain web sites.
Delete Forbidden Domain to delete it from that list.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
Table 17-6 Content Filter: Customize DESCRIPTION...
17.7 Domain Name
Click Content on the navigation panel, and then the Domain Name tab to open the following screen. Use this screen to configure the ZyWALL to block Web sites containing keywords in their URLs. For example, if you enable the keyword "bad", the ZyWALL blocks all sites containing this keyword; for instance, it blocks the URL http://www.website.com/bad.html, even if it is not included in the Filter List.
Delete Keyword: Highlight a keyword in the lower box and click Delete Keyword to remove it. The keyword disappears from the text box after you click Apply.
Reset: Click Reset to begin configuring this screen afresh.
Table 17-7 Content Filter: Domain Name DESCRIPTION...
Part V: Logs, Filter Configuration, and SNMP Configuration
This part provides information and configuration instructions for the logs, filters, and SNMP.
Chapter 18 Centralized Logs
This chapter contains information about configuring general log settings and viewing the ZyWALL's logs. Refer to the appendices for example log message explanations and how to view the logs via the SMT command interface.
Display: The categories that you select in the Log Settings page (see section 18.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule for when the ZyWALL is to send the logs and which logs and/or immediate alerts the ZyWALL is to send. Centralized Logs ZyWALL 10~100 Series Internet Security Gateway Table 18-1 View Log DESCRIPTION...
Select a location from the drop down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to your UNIX manual for more information. Send Log Centralized Logs ZyWALL 10~100 Series Internet Security Gateway Table 18-2 Log Settings Screen DESCRIPTION 18-5...
Log Schedule: This drop-down menu configures how often log messages are sent as E-mail. If you select Weekly or Daily, specify a time of day when the E-mail should be sent.
Chapter 19 Filter Configuration. This chapter shows you how to create and apply filters. 19.1 About Filtering. Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
Figure 19-1 Outgoing Packet Filtering Process (flowchart: outgoing data packet; match; drop packet). For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
[Figure: filter rule process flowchart. Start; packet into filter; fetch first filter set; fetch first filter rule; rule active?; execute filter rule; fetch next filter rule while one is available, otherwise fetch next filter set while one is available.]...
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
“F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. The protocol-dependent filter rule abbreviations are listed as follows:...
Refer to the next section for information on configuring the filter rules. 19.2.1 Configuring a Filter Rule. To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule.
Enter the destination IP address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. Menu 21.1.1.1 - TCP/IP Filter Rule: Filter #: 1,1 Filter Type= TCP/IP Filter Rule...
Table 19-3 TCP/IP Filter Rule Menu Fields. Destination IP Mask: Enter the IP mask to apply to the Destination IP Addr. Destination Port #: Enter the destination port of the packets that you wish to filter.
ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The following figure illustrates the logic flow of an IP filter. (Table continued: DESCRIPTION / OPTIONS: None...)
[Figure: IP filter logic flow. Packet into IP filter; filter active?; apply SrcAddrMask to Src Addr and check Src IP Addr matched; apply DestAddrMask to Dest Addr and check Dest IP Addr matched; check IP protocol matched; check Src & Dest Port...]
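The filter-set walk (up to four sets per port, six rules per set, actions F/D/N) and the IP filter logic flow (mask the address, compare, then protocol and ports) can be put together in one small evaluator. The following is an added example, not ZyXEL's code: the per-rule "action matched / action not matched" pair, the convention that a port of 0 is ignored, the `None`-matches-any protocol value and the forward-by-default result when no rule decides are assumptions; the sample sets and packets are constructed, with set 1 modelled on the chapter's telnet filter example.

```python
"""Added example (not ZyXEL code): evaluate a packet against ZyNOS-style TCP/IP
filter sets the way the chapter describes.  Up to 4 sets per port, up to 6
rules per set, rule actions F (forward now), D (drop), N (check next rule).
The 'action matched' / 'action not matched' pair per rule, the 0-means-ignore
convention for ports and the forward-by-default result are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

F, D, N = "F", "D", "N"
MAX_SETS_PER_PORT = 4   # stated in the chapter
MAX_RULES_PER_SET = 6   # stated in the chapter


def make_pkt(src: str, dst: str, proto: int, sport: int, dport: int) -> Dict:
    """Constructed packet summary: just the fields the IP filter flow looks at."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def _masked_match(rule_addr: str, mask: str, pkt_addr: str) -> bool:
    """'Apply SrcAddrMask to Src Addr, check Src IP Addr matched' from the figure.
    The manual says an address field of 0.0.0.0 is ignored."""
    if rule_addr == "0.0.0.0":
        return True
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(pkt_addr)) & m) == (int(ipaddress.IPv4Address(rule_addr)) & m)


@dataclass
class TcpIpRule:
    active: bool = True
    protocol: Optional[int] = None      # None: any IP protocol (assumption)
    src_addr: str = "0.0.0.0"
    src_mask: str = "255.255.255.255"
    src_port: int = 0                    # 0: ignore (assumption, mirrors the address rule)
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"
    dst_port: int = 0
    matched: str = N                     # action when the rule matches
    not_matched: str = N                 # action when it does not

    def matches(self, pkt: Dict) -> bool:
        return (_masked_match(self.src_addr, self.src_mask, pkt["src"])
                and _masked_match(self.dst_addr, self.dst_mask, pkt["dst"])
                and (self.protocol is None or self.protocol == pkt["proto"])
                and (self.src_port == 0 or self.src_port == pkt["sport"])
                and (self.dst_port == 0 or self.dst_port == pkt["dport"]))


def validate_port_filters(filter_sets: List[List[TcpIpRule]]) -> None:
    """Enforce the chapter's limits: 4 sets per port, 6 rules per set (24 rules)."""
    if len(filter_sets) > MAX_SETS_PER_PORT:
        raise ValueError(f"at most {MAX_SETS_PER_PORT} filter sets per port")
    for i, rules in enumerate(filter_sets, 1):
        if len(rules) > MAX_RULES_PER_SET:
            raise ValueError(f"filter set {i} has more than {MAX_RULES_PER_SET} rules")


def apply_port_filters(filter_sets: List[List[TcpIpRule]], pkt: Dict) -> str:
    """Walk the sets in order and the rules within each set, as in the flowchart.
    F or D ends processing immediately; N moves on to the next rule / next set."""
    validate_port_filters(filter_sets)
    for rules in filter_sets:
        for rule in rules:
            if not rule.active:          # 'Rule Active?' -> skip this rule
                continue
            action = rule.matched if rule.matches(pkt) else rule.not_matched
            if action in (F, D):
                return action
    return F                              # assumption: no rule decided -> forward


# Constructed sample sets.  Set 1 mirrors the chapter's telnet filter example:
# drop TCP to port 23.  Set 2 lets only 192.168.1.0/24 reach TCP port 80.
BLOCK_INBOUND_TELNET = [TcpIpRule(protocol=6, dst_port=23, matched=D, not_matched=N)]
LAN_ONLY_HTTP = [
    TcpIpRule(protocol=6, src_addr="192.168.1.0", src_mask="255.255.255.0",
              dst_port=80, matched=F, not_matched=N),
    TcpIpRule(protocol=6, dst_port=80, matched=D, not_matched=N),
]

if __name__ == "__main__":
    sets = [BLOCK_INBOUND_TELNET, LAN_ONLY_HTTP]
    for p in (make_pkt("10.0.0.9", "192.168.1.1", 6, 40000, 23),
              make_pkt("192.168.1.5", "192.168.1.1", 6, 5000, 80),
              make_pkt("10.0.0.9", "192.168.1.1", 6, 5000, 80)):
        print(p["src"], "->", p["dport"], apply_port_filters(sets, p))
```

The second set shows why rule order matters within a set: the permit rule for the LAN subnet must come before the catch-all drop, because a D or F ends the walk at once while only N continues to the next rule.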
Figure 19-8 Menu 21.1.4.1: Generic Filter Rule. The following table describes the fields in the Generic Filter Rule menu. Menu 21.1.4.1 - Generic Filter Rule: Filter #: 4,1 Filter Type= Generic Filter Rule...
Table 19-4 Generic Filter Rule Menu Fields. Filter #: This is the filter set, filter rule co-ordinates; for example, 2,3 refers to the second filter set and the third rule of that set. Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type.
Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. Figure 19-9 Telnet Filter Example...
Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Menu 21.1.3.1 - TCP/IP Filter Rule...
Step 4. Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.5. Filter Rules: M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the...
19.4 Filter Types and NAT. There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets.
You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the ZyWALL and output filter sets filter outgoing traffic from the ZyWALL. Menu 3.1 – LAN Port Filter Setup: Input Filter Sets:...
The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections. The DMZ port is not available on all models.
Chapter 20 SNMP Configuration. This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 20.1 About SNMP. Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
Figure 20-1 SNMP Management Model. An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
Get Community: Type the Get community, which is the password for the incoming Get and GetNext requests from the management station. Menu 22 - SNMP Configuration: Get Community= public Set Community= public Trusted Host= 0.0.0.0...
Table 20-1 SNMP Configuration Menu Fields. Set Community: Type the Set community, which is the password for incoming Set requests from the management station. Trusted Host: If you enter a trusted host, your ZyWALL will only respond to SNMP messages from this address.
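The factory values in Menu 22 (Get and Set community "public", Trusted Host 0.0.0.0) are exactly the settings an administrator should change before enabling SNMP. The following is an added example, not ZyXEL's code: it parses a Menu 22 dump laid out like the page's excerpt and flags the weak settings described in the table beside a hardened version. Both dumps are constructed (the hardened community strings and the 192.168.1.10 trusted host are invented values), and the eight-character minimum is a local policy floor assumed for the example, not a ZyWALL limit.

```python
"""Added example (not ZyXEL code): parse a Menu 22 - SNMP Configuration dump and
flag the settings the chapter describes as weak defaults.  The dump text is
constructed to look like the page's excerpt; it is not a device capture."""
import re
from typing import Dict, List, Tuple

# Constructed Menu 22 dump with the factory values shown on the page.
MENU22_DEFAULT = """Menu 22 - SNMP Configuration
SNMP:
  Get Community= public
  Set Community= public
  Trusted Host= 0.0.0.0
"""

# The same menu after hardening (constructed values).
MENU22_HARDENED = """Menu 22 - SNMP Configuration
SNMP:
  Get Community= r0-Stats-x9Q
  Set Community= wr-Kq7-z2Lm
  Trusted Host= 192.168.1.10
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 8   # assumption: a local policy floor, not a ZyWALL limit


def parse_menu(text: str) -> Dict[str, str]:
    """Collect 'Field= value' pairs, one per line, as the SMT screens print them."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r"^\s*([A-Za-z][A-Za-z ]*?)=\s*(\S*)", text, re.MULTILINE):
        fields[m.group(1).strip()] = m.group(2)
    return fields


def lint_snmp(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the Menu 22 settings."""
    findings: List[Tuple[str, str]] = []
    for key in ("Get Community", "Set Community"):
        value = fields.get(key, "")
        short = key.split()[0].lower()          # "get" / "set"
        if value == "" or value.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append((f"default-{short}-community",
                             f"{key} is the well-known value '{value}'; it is the password for SNMP requests"))
        elif len(value) < MIN_COMMUNITY_LEN:
            findings.append((f"short-{short}-community",
                             f"{key} is shorter than {MIN_COMMUNITY_LEN} characters"))
    get_c, set_c = fields.get("Get Community", ""), fields.get("Set Community", "")
    if get_c and get_c == set_c:
        findings.append(("same-get-set-community",
                         "Get and Set communities are identical; a read-only monitor could also change settings"))
    if fields.get("Trusted Host", "") in ("", "0.0.0.0"):
        findings.append(("trusted-host-any",
                         "Trusted Host is 0.0.0.0: the ZyWALL answers SNMP from any address; set the management station's IP"))
    return findings


if __name__ == "__main__":
    for label, dump in (("default", MENU22_DEFAULT), ("hardened", MENU22_HARDENED)):
        print(label, [code for code, _ in lint_snmp(parse_menu(dump))])
```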
Part VI: System Information and Diagnosis and Firmware and Configuration File Maintenance. This part provides information on system information and diagnosis and maintaining the firmware and configuration files.
ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Menu 24 - System Maintenance: System Status...
The following table describes the fields present in Menu 24.1 - System Maintenance - Status. These fields are READ-ONLY and meant for diagnostic purposes. The upper right corner of the screen shows the time and date according to the format you set in menu 24.10. Table 21-1 System Maintenance: Status Menu Fields...
From this menu you have two choices as shown in the next figure: Figure 21-3 Menu 24.2: System Information and Console Port Speed. Menu 24.2 - System Information and Console Port Speed: 1.
21.2.1 System Information. System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. Menu 24.2.1 - System Maintenance - Information. Figure 21-4 Menu 24.2.1: System Maintenance: Information (ZyWALL 10W)
Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system. Console Port Speed: 115200 Press ENTER to Confirm or ESC to Cancel:...
No filters are logged when this field is set to No. Filters with the individual filter Log Filter field set to Yes (Menu 21.x.x) are logged when this field is set to Yes. Menu 24.3.2 - System Maintenance - UNIX Syslog...
Table 21-3 System Maintenance Menu Syslog Parameters. PPP log: PPP events are logged when this field is set to Yes. Firewall log: When set to Yes, the ZyWALL sends the firewall log to a syslog server.
21.3.3 Call-Triggering Packet. Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 21-10 Menu 24.4: System Maintenance: Diagnostic 21.4.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 21-11. LAN DHCP has already been discussed.
The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 21-4 System Maintenance Menu Diagnostic: Ping Host; WAN DHCP Release; WAN DHCP Renewal; Internet Setup Test...
Chapter 22 Firmware and Configuration File Maintenance. This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 22.1 Filename Conventions. The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
Step 7. Enter “quit” to exit the ftp prompt. 22.2.3 Example of FTP Commands from the Command Line. Press ENTER to Exit: Figure 22-1 Telnet into Menu 24.5...
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the ZyWALL to the computer and “binary” to set binary transfer mode.
22.2.7 TFTP Command Example. The following is an example TFTP command: tftp [-i] host get rom-0 config.rom. Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get”...
** Backup Configuration completed. OK. ### Hit any key to continue.### Figure 22-6 Successful Backup Confirmation Screen. Type a location for storing the configuration file or click Browse to look for one.
22.3 Restore Configuration. This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
Step 8. Enter “quit” to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process. Figure 22-7 Telnet into Menu 24.6...
The following screen indicates that the Xmodem download has started. Starting XMODEM download (CRC mode) ... CCCCCCCCC Figure 22-10 System Maintenance: Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen.
Restore Configuration section or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port). Save to ROM Hit any key to start system reboot.
Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE... 22.4.1 Firmware File Upload. FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.
(firmware.bin) to the ZyWALL and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer (config.rom) to the ZyWALL and renames it “rom-0”. Likewise “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt.
Uploading files via the console port under normal conditions is not recommended since FTP or TFTP is faster. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download/upload.
22.4.8 Uploading Firmware File Via Console Port. Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
- System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Figure 22-17 Example Xmodem Upload. Type the firmware file’s location, or click Browse to look for it.
Menu 24.7.2 - System Maintenance - Upload System Configuration File. To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message.
After the configuration upload process has completed, restart the ZyWALL by entering “atgo”. Figure 22-19 Example Xmodem Upload. Type the configuration file’s location, or click Browse to search for it.
Part VII: System Maintenance and Information and Remote Management. This part provides information on the system maintenance and information functions and how to configure remote management.
System Maintenance & Information. This chapter leads you through SMT menus 24.8 to 24.10. The Real Time Chip (RTC) applies to... 23.1 Command Interpreter Mode. The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ras> ? Valid commands are: ras> 23.2 Call Control Support. The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
Enter “0” to update the screen or press [ESC] to return to the previous screen. Menu 24.9.1 - Budget Management: Connection Time/Total Budget...
23.2.2 Call History. This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next. Figure 23-6 Menu 24: System Maintenance Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
Time Zone= GMT+0800 Daylight Saving= No Start Date (mm-dd): End Date (mm_dd): Figure 23-7 Menu 24.10 System Maintenance: Time and Date Setting. Use Time Server when Bootup: Enter the time service protocol that your timeserver sends when you turn on the ZyWALL.
23.3.1 Resetting the Time. The ZyWALL resets the time in three instances: i. On leaving menu 24.10 after making changes. ii. When the ZyWALL starts up, if there is a timeserver configured in menu 24.10. iii. At 24-hour intervals after starting.
Chapter 24 Remote Management. This chapter covers remote management found in SMT menu 24.11. 24.1 Remote Management and the Firewall. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
24.3 FTP. You can upload and download the ZyWALL’s firmware and configuration files using FTP; see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.
Select the access interface (if any) by pressing [SPACE BAR], then [ENTER] to choose from: LAN only, WAN only, ALL or Disable. Menu 24.11 - Remote Management Control...
Table 24-1 Menu 24.11 – Remote Management Control. Secured Client: The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address.
24.9 System Timeout. There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyWALL automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been...
Part VIII: Bandwidth Management. This part provides information on the functions and configuration of Bandwidth Management.
Use bandwidth classes and child-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class (or child-class) based on a specific application and/or subnet. Bandwidth management applies to the ZyWALL 100.
Use the Class Configuration tab (see section 25.8.3) to set up a bandwidth class’s name, bandwidth allotment, and bandwidth filter. You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure child-classes with filters for any classes that you configure without filters.
Figure 25-1 Application-based Bandwidth Management Example. 25.4.2 Subnet-based Bandwidth Management Example. The following example uses bandwidth classes based solely on LAN subnets. Each bandwidth class (Subnet A and Subnet B) is allotted 5 Mbps.
Table 25-1 Application and Subnet-based Bandwidth Management Example (traffic types: VoIP, E-mail, Video). Figure 25-3 Application and Subnet-based Bandwidth Management Example. 25.5 Scheduler. The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based.
25.5.1 Priority-based Scheduler. With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority.
The classes are set up based on subnets. The interface is set to 10 Mbps. Each subnet is allocated 2 Mbps. The unbudgeted 2 Mbps allows traffic not defined in one of the bandwidth filters to go out when you do not select the maximize bandwidth option.
The ZyWALL does not send any traffic that is not defined in the bandwidth filters because all of the unbudgeted bandwidth goes to the classes that need it. Figure 25-5 Maximize Bandwidth Usage Example...
25.7 Bandwidth Borrowing. Bandwidth borrowing allows a child-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.
Figure 25-6 Bandwidth Borrowing Example. The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled. The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled.
The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
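The four statements about Bill and Amy follow one rule: borrowing climbs the class tree one level at a time, and each class passed on the way up must itself have borrowing enabled. The following is an added example, not ZyXEL's code, that models that rule and reproduces the Figure 25-6 outcomes. The borrowing flags of Sales, Sales USA, Bill and Amy come from the text; the Root flag, the budget figures and the tree-building helper are constructed for the example.

```python
"""Added example (not ZyXEL code): a model of the bandwidth-borrowing rule in
section 25.7, checked against the Root > Sales > Sales USA > {Bill, Amy}
example on the page.  Only the borrowing flags of the named classes are taken
from the page; the tree helper and the budget figures are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BwClass:
    name: str
    borrowing: bool                       # "bandwidth borrowing" setting of the class
    budget_kbps: int = 0                  # constructed; not used by the borrowing rule
    parent: Optional["BwClass"] = None
    children: List["BwClass"] = field(default_factory=list)

    def add_child(self, name: str, borrowing: bool, budget_kbps: int = 0) -> "BwClass":
        child = BwClass(name, borrowing, budget_kbps, parent=self)
        self.children.append(child)
        return child


def lenders(cls: BwClass) -> List[str]:
    """Ancestors whose unused bandwidth `cls` may borrow, nearest first.
    Each step up requires the class being left to have borrowing enabled, so
    the walk stops at the first class on the way up with borrowing disabled."""
    out: List[str] = []
    node = cls
    while node.parent is not None and node.borrowing:
        out.append(node.parent.name)
        node = node.parent
    return out


def can_borrow_from(cls: BwClass, ancestor: BwClass) -> bool:
    return ancestor.name in lenders(cls)


# The Figure 25-6 tree (borrowing flags from the text; Root flag and budgets constructed).
ROOT = BwClass("Root", borrowing=False, budget_kbps=10000)
SALES = ROOT.add_child("Sales", borrowing=False, budget_kbps=4000)
SALES_USA = SALES.add_child("Sales USA", borrowing=True, budget_kbps=2000)
BILL = SALES_USA.add_child("Bill", borrowing=True, budget_kbps=500)
AMY = SALES_USA.add_child("Amy", borrowing=False, budget_kbps=500)

if __name__ == "__main__":
    for c in (BILL, AMY):
        print(c.name, "can borrow from:", lenders(c) or "nobody")
```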
25.8.1 Bandwidth Manager Summary. Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface in the bandwidth manager’s Summary tab. Click Advanced, BW Manager, and then Summary to open the screen shown next.
Table 25-2 Bandwidth Manager: Summary. These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Not all interfaces are available on every ZyWALL. WLAN...
Edit: Click Edit to configure the selected class. You cannot edit the root class. Delete: Click Delete to delete the class and all its child-classes. You cannot delete the root class. Statistics: Click Statistics to display the status of the selected class.
25.8.3 Bandwidth Manager Class Configuration. Configure a bandwidth management class in the Class Configuration screen. You must use the Bandwidth Manager Summary screen to enable bandwidth management on an interface before you can configure classes for that interface.
Enter the protocol ID (service type) number, for example: 1 for ICMP, 6 for TCP or 17 for UDP. Click Apply to save your changes back to the ZyWALL. Click Reset to begin configuring this screen afresh.
ECHO, FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), Finger, HTTP (Hyper Text Transfer Protocol or WWW, Web), POP3 (Post Office Protocol), NNTP (Network News Transport Protocol), SNMP (Simple Network Management Protocol)
25.8.5 Bandwidth Manager Monitor. Use the Bandwidth Manager Monitor screen to view the device’s bandwidth usage and allotments. Click Advanced, BW Manager, and then the Monitor tab to open the following screen.
Figure 25-11 Bandwidth Manager Monitor. Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class Name: This field displays the name of the class.
Part IX: IP Policy Routing, Call Scheduling and VPN/IPSec. This part provides information on how to configure IP Policy Routing, call scheduling and VPN/IPSec.
Chapter 26 IP Policy Routing (... the ZyWALL 100). The action is taken only when all the criteria are met. The criteria include the source address and port, IP protocol (ICMP, UDP, TCP, etc.), destination address and port, ToS and precedence (fields in the IP header) and length. The inclusion of the length criterion is to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets.
Enter Policy Rule Number (1-6) to Configure: Figure 26-4 Menu 25.1: Sample IP Routing Policy Setup. Menu 25.1 - IP Routing Policy Setup: Criteria/Action. Table 26-1 IP Routing Policy Setup (ABBREVIATION / MEANING): Criterion; Action; Source IP Address...
Service. Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Policy Set Name= test...
Set the new outgoing packet precedence value. Values are 0 to 7 or No Change. Press [SPACE BAR] and then [ENTER] to select Yes to make an entry in the system log when a policy is executed. (Table 26-2 IP Routing Policy)...
When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
Internet via the WAN port of the ZyWALL, follow the steps as shown next. Step 1. Create a routing policy set in menu 25. Step 2. Create a rule for this set in Menu 25.1.1 - IP Routing Policy as shown next.
Policy Set Name= set1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Precedence Source: addr start= 192.168.1.2 port start= 0 Destination: addr start= 0.0.0.0 port start= 80 Action= Matched Gateway addr Type of Service= No Change...
Check Menu 25.1 - IP Routing Policy Setup to see if the rule is added correctly. Step 7. Apply both policy sets in menu 3.2 as shown next. Menu 25.1.1 - IP Routing Policy Packet length= 10 = Don't Care...
Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup DHCP= Server Client IP Pool Starting Address= 192.168.1.33 Size of Client IP Pool= 64 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0 Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1...
3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node. Menu 26 - Schedule Setup Schedule...
To delete a schedule set, enter the set number and press [SPACE BAR] and then... To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets field available as shown next. Table 27-1 Schedule Set Setup Fields...
Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing= My Login= My Password= ******** Authen= CHAP/PAP Press Space Bar to Toggle. Figure 27-3 Applying Schedule Set(s) to a Remote Node (PPPoE). You can apply up to four schedule sets, separated by commas, for one remote node.
Server IP Addr= Connection ID/Name= Press Space Bar to Toggle. Figure 27-4 Applying Schedule Set(s) to a Remote Node (PPTP). Menu 11.1 - Remote Node Profile Route= IP Edit IP= No Telco Option:...
Decryption is the opposite of encryption: it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key. Introduction to IPSec. This chapter introduces the basics of IPSec VPNs.
Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication: The IPSec receiver can verify the source of IPSec packets.
Figure 28-2 VPN Application. 28.2 IPSec Architecture. The overall IPSec architecture is shown as follows.
The AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using the AH protocol, packet contents (the data payload) are not encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
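The AH-through-NAT failure described above can be reproduced in a few lines. The following is an added example, not ZyXEL's code: a simplified model in which the integrity check value is a truncated HMAC-SHA1 over the covered bytes. In AH mode the IP addresses are covered, so a NAT rewrite of the source address makes the receiver's recomputed hash differ; an ESP-style check that covers only the payload is shown beside it for contrast. Real AH and ESP cover more fields than this model, and the key, addresses and payload are constructed values.

```python
"""Added example (not ZyXEL code): why an AH-protected packet fails its
integrity check after passing through NAT, next to an ESP-style check that
covers only the payload.  Simplified model: the ICV is a truncated HMAC-SHA1
over the covered bytes; real AH/ESP cover more header fields than this."""
import hashlib
import hmac
import ipaddress
from typing import Dict

KEY = b"constructed-shared-authentication-key"   # constructed; negotiated by IKE in practice


def _icv(key: bytes, pkt: Dict, mode: str) -> bytes:
    """Compute the 96-bit ICV.  AH covers the IP addresses (immutable header
    fields) plus the payload; ESP's ICV does not cover the outer IP header."""
    covered = pkt["payload"]
    if mode == "AH":
        covered = (ipaddress.IPv4Address(pkt["src"]).packed
                   + ipaddress.IPv4Address(pkt["dst"]).packed + covered)
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def protect(key: bytes, src: str, dst: str, payload: bytes, mode: str = "AH") -> Dict:
    """Sender side: build the packet and append its ICV."""
    pkt = {"src": src, "dst": dst, "payload": payload, "mode": mode}
    pkt["icv"] = _icv(key, pkt, mode)
    return pkt


def nat_rewrite_source(pkt: Dict, new_src: str) -> Dict:
    """What a NAT device between the endpoints does: rewrite the source address."""
    return {**pkt, "src": new_src}


def verify(key: bytes, pkt: Dict) -> bool:
    """Receiver side: recompute the ICV over what arrived and compare in constant time."""
    return hmac.compare_digest(_icv(key, pkt, pkt["mode"]), pkt["icv"])


if __name__ == "__main__":
    ah = protect(KEY, "192.168.1.10", "203.0.113.5", b"constructed payload", "AH")
    print("AH, direct:", verify(KEY, ah))
    print("AH, after NAT:", verify(KEY, nat_rewrite_source(ah, "198.51.100.7")))
    esp = protect(KEY, "192.168.1.10", "203.0.113.5", b"constructed payload", "ESP")
    print("ESP, after NAT:", verify(KEY, nat_rewrite_source(esp, "198.51.100.7")))
```

The same verify routine also catches payload tampering in either mode, which is the property the "Data Integrity" bullet above describes; only the header coverage differs between the two modes.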
This is an overview of the VPN menu tree. From the main menu, enter 27 to display the first VPN menu (shown next). Figure 29-1 VPN SMT Menu Tree. Chapter 29 VPN/IPSec Setup. ...information on IPSec logs.
29.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.
A tunnel with no outbound or inbound traffic is "idle" and stays connected until the IPSec SA lifetime period expires (see section 29.5). The ZyWALL automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. If there is no traffic when the IPSec SA lifetime period expires, the tunnel is dropped and will have to be renegotiated the next time that someone attempts to send traffic, unless you enable keep alive. Keep alive allows you to set the ZyWALL to automatically renegotiate the IPSec SA at the end of the IPSec SA lifetime, even if there is no traffic.
Table 29-1 AH and ESP: Select MD5 for minimal security and SHA-1 for maximum security.
The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
Table 29-5 Mismatching ID Type and Content Configuration Example
ZYWALL A: Local ID type: IP; Local ID content: N/A; Local IP address: 1.1.1.1; Peer ID type: E-mail; Peer ID content: aa@yahoo.com; Peer IP address: 1.1.1.2
29.3.3 My IP Address
My IP Addr is the WAN IP address of the ZyWALL. If this field is configured as 0.0.0.0, then the ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
Figure 29-4 Telecommuter’s ZyWALL Configuration. Figure 29-5 Headquarters ZyWALL Configuration. Telecommuter: public static IP address. Secure gateway address 0.0.0.0: with this IP address only the telecommuter can initiate the IPSec tunnel.
#: This is the VPN policy index number. Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. Active: Y signifies that this VPN rule is active.
You need to finish configuring the VPN policy in menu 27.1.1.1 or 27.1.1.2 if ??? is displayed. Key Mgt: This field displays the SA’s type of key management (IKE or Manual).
IPSec router with which you are making the VPN connection. This field displays 0.0.0.0 when you configure the Secure Gateway Addr field in SMT 27.1.1 to 0.0.0.0.
Select Edit in the Select Command field; type the index number of a rule in the Select Rule field and press [ENTER] to edit the VPN using the menu shown next.
#: This is the VPN rule index number you selected in the previous menu. Name: Enter a unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed in Menu 27.1 - IPSec Summary. Active: Press [SPACE BAR] to choose either Yes or No.
Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
Content: This field is N/A when you select IP in the Peer ID Type field (the ZyWALL uses the IP address in the Secure Gateway Addr field). When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router.
IPSec router. This field displays N/A when you configure the Secure Gateway Addr field to 0.0.0.0.
End: When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address in the range of computers on the network behind the remote IPSec router.
Choose an authentication algorithm. Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography (see section 29.5.5). Select None (the default) to disable PFS. Choose Tunnel mode or Transport mode.
Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyWALL automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic.
Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in slightly increased latency and decreased throughput. Menu 27.1.1.1 - IKE Setup (Active Protocol ESP, Encryption Algorithm DES).
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The ZyWALL DES encryption algorithm uses a 56-bit key.
29.6.1 Active Protocol: This field is a combination of mode and security protocols used for the VPN. These parameters have been discussed earlier. Table 29-10 Active Protocol: Encapsulation and Security Protocol (mode: Tunnel or Transport).
29.6.2 Security Parameter Index (SPI): An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol.
Figure 29-10 Menu 27.1.1.2: Manual Setup (Key3, Authentication Algorithm= MD5, Key, SPI (Decimal), Authentication Algorithm and Key fields; Press ENTER to Confirm or ESC to Cancel). Table 29-11 Menu 27.1.1.2: Manual Setup (examples: ESP, Tunnel, 1234, 89abcde...).
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
Type 2 in Menu 27 - VPN/IPSec Setup, and then press [ENTER] to go to Menu 27.2 - SA Monitor.
#: This is the security association index number. Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule.
included disk for further information. DMZ applies to the ZyWALL 100. Corrective action: VT100 terminal emulation; 9600 bps is the default speed on leaving the factory. Try other speeds in case the speed has been changed.
31.2 Problems with the LAN Interface
Table 31-2 Troubleshooting the LAN Interface
Problem: Cannot access the ZyWALL from the LAN. Corrective action: Check your Ethernet cable type and connections. Refer to the Rear Panel and the ZyWALL Connections section for LAN connection instructions. Make sure your NIC (Network Interface Card) is installed and functioning properly.
Problem: Cannot ping. Corrective action: Check the 10M/100M LAN LEDs on the front panel.
Corrective action: Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require a crossover cable and others a regular straight-through cable. Verify your settings in menu 3.2 and menu 4.
31.6 Problems with the Password
Problem: Cannot access the ZyWALL. Corrective action: The Password field is case sensitive. Make sure that you enter the correct password using the proper casing. Use the Reset button to restore the factory default configuration file. This will restore all of the factory defaults including the password.
General Appendices Part XI: General Appendices This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting, safety warnings and how to change a ZyWALL 100 Fuse.
Appendix A Setting up Your Computer’s IP Address. All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
Disable DNS. -If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
For Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically. -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
-If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. Close the TCP/IP Control Panel.
Click Apply Now and close the window. Turn on your ZyWALL and restart your computer (if prompted). Verifying Your Computer’s IP Address: Check your TCP/IP properties in the Network window.
The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. The “Triangle Route”...
The ZyWALL reroutes the packet to Gateway B which is in Subnet 2. Step 3. The reply from WAN goes through the ZyWALL to the computer on the LAN in Subnet 1. Diagram B-2 “Triangle Route” Problem. Diagram B-3 IP Alias.
Gateways on the WAN Side: A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
Appendix C The Big Picture. The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram C-1 Big Picture: Filtering, Firewall, VPN and NAT.
A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
Diagram D-1 Peer-to-Peer Communication in an Ad-hoc Network. Infrastructure Wireless LAN Configuration: For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram D-2 ESS Provides Campus-Wide Coverage.
Appendix E Wireless LAN With IEEE 802.1x. As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11: Wireless networks based on the original IEEE 802.11 have a poor reputation for security. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Diagram E-1 Sequences for EAP MD5–Challenge Authentication (RADIUS server authentication sequence, ending with client computer access authorized).
3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional Dial-up Scenario: The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking. Diagram F-1 Single-PC per Modem Hardware Configuration.
How PPPoE Works: The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
Appendix G PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband...
PPTP Protocol Overview: PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
Diagram G-3 Example Message Exchange between PC and an ANT. PPP Data Connection: The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
Appendix H Hardware Specifications: 16 Watts maximum; 1.9 Amps; 0.5 Amps, 250 VAC; 100000 hrs (Mean Time Between Failures); 0º C ~ 40º C; 10/100Mbps Half / Full Auto-negotiation; 10Mbps Half / Full Auto-negotiation; 10/100Mbps Half / Full Auto-negotiation; 10/100Mbps Half / Full Auto-negotiation.
CON/AUX port’s pin assignments. Products without flow control only use pins 2, 3 and 5. DIAL BACKUP RS-232 (Male) DB-9M, pin 1 to pin 6 (Not on all...
Straight-Through (Switch) wiring: IRD+, IRD-, OTD+, OTD-.
Power Adaptor Specifications (ZyWALL 10/10W/50)
Chart H-4 North American AC Power Adaptor Specifications: AC Power Adapter model AD48-1201200DUY; Input power: AC 120 Volts/60Hz/0.25A; Output power: DC 12 Volts/1.2A; Power consumption: 10 W; Plug: North American standards; Safety standards: UL, CUL (UL 1950, CSA C22.2 No.234-M90).
Safety standards: TUV, CE (EN 60950, BS7002).
Chart H-7 Japan AC Power Adaptor Specifications: AC Power Adapter model JOD-48-1124; Input power: AC 100 Volts/50/60Hz/27VA; Output power: DC 12 Volts/1.2A; Power consumption: 10 W; Plug: Japan standards; Safety standards: T-Mark.
Chart H-8 Australia and New Zealand AC Power Adaptor Specifications: AC Power Adapter model AD-1201200Ds or AD-121200DS; Input power: AC 240 Volts/50Hz/0.2A; Output power: DC 12 Volts/1.2A; Power consumption: 10 W; Plug: Australia and New Zealand standards; Safety standards: NATA (AS 3260).
Windows Messenger is an example of an application that supports NAT Traversal and UPnP. See the Network Address Translation (NAT) chapter in your User's Guide for further information about NAT. Appendix I Universal Plug and Play.
Are there any cautions about UPnP? The automated nature of NAT Traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
This section shows how to install UPnP in Windows Me and Windows XP. Follow the steps below to install the UPnP in Windows Me. Chart I-1 UPnP. Installing UPnP in Windows Me:
Step 1. Click Start and Control Panel. Double-click Add/Remove Programs.
Step 2. Click the Windows Setup tab and select Communication in the Components selection box. Click Details.
Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Step 4.
Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device. Auto-discover Your UPnP-enabled Network Device:
Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
Step 2. Right-click the icon and select Properties.
Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Step 4.
ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device. Follow the steps below to access the web configurator.
Step 1. Click start and then Control Panel.
Step 2. Double-click Network Connections.
Step 3. Select My Network Places under Other Places.
Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
Step 5. Right-click the icon for your ZyXEL device and select Invoke.
Step 6. Right-click on the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
IP Addressing: Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes: An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B” address has a valid range of 128 to 191. The first octet of a class “C” address begins with “110”, and therefore has a range of 192 to 223.
With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2 ... subnet. Chart J-5 Subnet 1: network number 192.168.1.
Similarly, to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 2^6 – 2 or 62 hosts for each subnet (all 0’s is the subnet itself, all 1’s is the broadcast address on the subnet).
The following table shows class C IP address last octet values for each subnet (subnet, subnet address). The following table is a summary for class “C” subnet planning. Lowest Host ID: 192.168.1.129; Highest Host ID: 192.168.1.190. Chart J-10 Subnet 4: network number 192.168.1.
Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B”...
Chart J-13 Class B Subnet Planning (columns: no. “borrowed” host bits, subnet mask, no. subnets, no. hosts per subnet) for the masks 255.255.255.128 (/25), 255.255.255.192 (/26), 255.255.255.224 (/27), 255.255.255.240 (/28), 255.255.255.248 (/29), 255.255.255.252 (/30) and 255.255.255.254 (/31).
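A small calculator for the subnet planning described in this appendix, added here as an example (it is not part of the ZyXEL guide). It applies the guide's "borrowed host bits" rule to any IPv4 network, so it reproduces the class C /26 case above and the class B planning chart, using Python's standard ipaddress module; the 192.168.1.0/24 and 172.16.0.0/16 inputs are constructed sample values.

```python
import ipaddress


def plan_subnets(network: str, borrowed_bits: int) -> dict:
    """Split `network` by "borrowing" `borrowed_bits` host ID bits, the way
    the subnetting appendix does for class C (and class A/B) addresses.

    Returns the new mask, the number of subnets, the usable hosts per subnet
    (2^host_bits - 2: all-zeros is the subnet itself, all-ones is the
    broadcast address) and the host range of every subnet.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    if borrowed_bits < 1 or new_prefix > 30:
        # Fewer than 2 host bits leaves no usable host under the
        # all-zeros/all-ones rule, so such a plan is rejected.
        raise ValueError("borrowed bits must leave at least 2 host ID bits")
    host_bits = 32 - new_prefix
    subnets = []
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        subnets.append({
            "network": str(sub.network_address),        # host bits all 0
            "lowest_host": str(sub.network_address + 1),
            "highest_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),    # host bits all 1
        })
    return {
        "mask": str(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask),
        "prefix": new_prefix,
        "num_subnets": 2 ** borrowed_bits,
        "hosts_per_subnet": 2 ** host_bits - 2,
        "subnets": subnets,
    }


def planning_table(network: str) -> list:
    """Summary rows like the guide's subnet planning charts: one row
    (borrowed bits, mask, subnets, hosts per subnet) per number of borrowed
    bits, down to /30, the last prefix with usable hosts under this rule."""
    net = ipaddress.IPv4Network(network, strict=True)
    rows = []
    for borrowed in range(1, 30 - net.prefixlen + 1):
        plan = plan_subnets(network, borrowed)
        rows.append((borrowed, f"{plan['mask']} (/{plan['prefix']})",
                     plan["num_subnets"], plan["hosts_per_subnet"]))
    return rows


if __name__ == "__main__":
    # Constructed sample: the guide's class C case with two borrowed bits.
    plan = plan_subnets("192.168.1.0/24", 2)
    print(plan["mask"], plan["num_subnets"], "subnets,",
          plan["hosts_per_subnet"], "hosts each")
    for i, s in enumerate(plan["subnets"], 1):
        print(f"Subnet {i}: {s['network']}  hosts {s['lowest_host']}-"
              f"{s['highest_host']}  broadcast {s['broadcast']}")
    # Constructed sample: class B planning, as in Chart J-13.
    for row in planning_table("172.16.0.0/16"):
        print(row)
```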
Refer all servicing to qualified service personnel. 10. Generally, when installed after the final configuration, the product must comply with the applicable safety standards and regulatory requirements of the country in which it is installed. If necessary, consult the appropriate regulatory agencies and inspection authorities to ensure compliance.
Firmly, but gently, push the fuse housing back into the ZyWALL 100 until you hear a click. Step 4. Plug the power cord back into the unit. Appendix L Removing and Installing a ZyWALL 100 Fuse.
Command and Log Appendices Part XII: Command and Log Appendices This part provides information on the command line interface, firewall and NetBIOS commands and logs and password protection.
A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Command Interpreter: ... possibly render it unusable.
The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.
config edit firewall active <yes | no>
config retrieve firewall
config save firewall
config display firewall
config display firewall set <set #>
config display firewall set <set #>...
... <0-23>
config edit firewall e-mail minute <0-59>
Chart N-1 Firewall Commands: This command shows all of the e-mail settings. This command shows all of the available firewall sub commands.
... <yes | no>
config edit firewall set <set #> rule <rule #> permit <forward | block>
Chart N-1 Firewall Commands: This command sets a name to identify a specified set.
config edit firewall set <set #> rule <rule #> active <yes | no>
config edit firewall set <set #> rule <rule #> protocol <integer protocol value>
config edit firewall set <set #> rule <rule #> log <none | match | not-match | both>...
... <set #> rule <rule #>
Chart N-1 Firewall Commands: This command sets a rule to have the ZyWALL check for traffic going to this range of addresses.
• Allow or disallow the sending of NetBIOS packets through VPN connections.
• Allow or disallow NetBIOS packets to initiate calls.
Display NetBIOS Filter Settings
Syntax: sys filter netbios disp
Appendix O NetBIOS Filter Commands
This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ. Diagram O-1 NetBIOS Display Filter Settings Command Without DMZ Example (output headed "=============== NetBIOS Filter Status ==============="). Syntax: sys filter netbios disp. This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that has DMZ.
3 = WAN to DMZ
4 = DMZ to LAN
5 = DMZ to WAN
6 = IPSec packet pass through
7 = Trigger Dial
<on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection.
Most other commands aid in advanced troubleshooting and should only be used by qualified engineers. Boot Commands: ATSE displays the seed that is used to generate a password to turn on the...
just answer OK
ATHE print help
ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y) set BootExtension Debug Flag (y=password)
ATSE show the seed of password generator
ATTI(h,m,s) change system time to hour:min:sec or show current time
ATDA(y,m,d) change system date to year/month/day or show current date
ATDS dump RAS stack
ATDT...
Log messages: WEB Login Fail; TELNET Login Successfully. Chart Q-1 System Error Logs: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
Log messages: TELNET Login Fail; FTP Login Successfully; FTP Login Fail; NAT Session Table is Full!; UPnP pass through Firewall; URLFOR IP/Domain Name; URLBLK IP/Domain Name; JAVBLK IP/Domain Name; attack TCP; attack UDP. Chart Q-2 System Maintenance Logs: Someone has failed to log on to the router via telnet.
Log messages: - WAN ICMP (type:%d, code:%d); icmp echo ICMP (type:%d, code:%d). Chart Q-5 Attack Logs: The firewall detected an IGMP attack. The firewall detected an ESP attack. The firewall detected a GRE attack.
Log messages:
syn flood TCP
ports scan TCP
teardrop TCP
teardrop UDP
teardrop ICMP (type:%d, code:%d)
illegal command TCP
NetBIOS TCP
ip spoofing - no routing entry TCP
ip spoofing - no routing entry UDP
ip spoofing - no routing entry IGMP
ip spoofing - no routing entry ESP
ip spoofing - no...
Log message: ICMP (set:%d, rule:%d, type:%d, code:%d). Chart Q-6 Access Logs: TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration.
Log message: Filter match DROP <set %d/rule %d>. Chart Q-6 Access Logs: OSPF access did not match the listed firewall rule and the ZyWALL logged it. Access did not match the listed firewall rule and the ZyWALL logged it. TCP access matched a default filter policy and the ZyWALL dropped the packet to block access.
Log messages: Filter match DROP <set %d/rule %d>; Filter match FORWARD <set %d/rule %d>...
ACL set directions: LAN to LAN/ZyWALL; WAN to WAN/ZyWALL. Chart Q-6 Access Logs: The firewall sent out TCP reset packets. The router blocked a packet that did not have a corresponding NAT table entry.
ACL set direction number: DMZ to DMZ/ZyWALL. ICMP type and code: Echo Reply (echo reply message); Destination Unreachable (net unreachable, host unreachable, protocol unreachable, port unreachable, a packet that needed fragmentation was dropped because it was set to Don't...
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection. Chart Q-8 ICMP Notes.
The following figure shows a typical log from the VPN connection peer (Index and Date/Time columns, entries dated 01 Jan 08:08:07 to 08:08:10).
The following table shows sample log messages during IKE key exchange. Chart Q-10 Sample IKE Key Exchange Logs, log messages: Send <Symbol> Mode request to <IP>; Recv <Symbol> Mode request from <IP>...
Page 474
Chart Q-10 Sample IKE Key Exchange Logs (continued)
LOG MESSAGE column: !! Remote IP <IP start> / <IP end> conflicts; !! Active connection allowed exceeded; !! IKE Packet Retransmit; !! Failed to send IKE Packet; !! Too many errors! Deleting SA; !! Phase 1 ID type mismatch...
Page 475
Chart Q-10 Sample IKE Key Exchange Logs (continued)
LOG MESSAGE column (fragment): vs. My Local <IP address> -> <symbol> Error ID Info
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key is...
The following table shows sample log messages during packet transmission.
Page 476
Chart Q-11 Sample IPSec Logs During Packet Transmission
LOG MESSAGE column: Rule <#d> idle time out, disconnect
The following table shows the RFC 2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Chart Q-12 RFC-2408 ISAKMP Payload Types: PROP (Proposal), TRANS (Transform), CER_REQ (Certificate Request)...
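Charts Q-10 and Q-11 list the IKE and IPSec messages, and the note under Q-10 gives the one diagnosis the manual states outright: a PYLD_MALFORMED response means the two ends do not share the same pre-shared key. The Python below is an added example, not ZyXEL code, that turns those messages into a first-pass triage of a log excerpt: it maps each "!!" error to the meaning the chart gives it, treats "Rule <#d> idle time out, disconnect" as an informational event, and flags repeated "IKE Packet Retransmit" with nothing received from the peer as a reachability problem. The manual shows templates with placeholders (<Symbol>, <IP>, <#d>); the regexes and the constructed sample logs assume the device prints a mode name, an address and a rule number in their place, and the "Recv:PYLD_MALFORMED" line format is likewise an assumption.

```python
"""First-pass triage of a ZyWALL IKE/IPSec log excerpt.

Added example (not ZyXEL code). Assumptions: "<Symbol>" is printed as a mode
name such as Main, "<IP>" as an address, "<#d>" as a rule number, and a
malformed-payload notification contains the token PYLD_MALFORMED. The sample
logs at the bottom are constructed.
"""
import re

SEND_RE = re.compile(r"Send (\w+) Mode request to (\S+)")
RECV_RE = re.compile(r"Recv (\w+) Mode request from (\S+)")
IDLE_RE = re.compile(r"Rule (\d+) idle time out, disconnect")

# Error markers from Chart Q-10, each paired with the meaning the chart text gives.
# The first pattern that matches a line is the one reported for that line.
DIAGNOSES = [
    (re.compile(r"PYLD_MALFORMED"),
     "pre-shared key mismatch: both ends of the tunnel must use the same pre-shared key"),
    (re.compile(r"Phase 1 ID type mismatch"),
     "Phase 1 ID type differs between the two peers"),
    (re.compile(r"Remote IP \S+ / \S+ conflicts"),
     "remote IP range of this rule conflicts with another rule"),
    (re.compile(r"Active connection allowed exceeded"),
     "active connection limit exceeded"),
    (re.compile(r"Failed to send IKE Packet"),
     "the ZyWALL could not send an IKE packet"),
    (re.compile(r"Too many errors! Deleting SA"),
     "SA deleted after repeated errors; the cause is in earlier lines"),
]


def _add(findings, item):
    """Append a finding once, preserving first-seen order."""
    if item not in findings:
        findings.append(item)


def triage(lines):
    """Return (severity, finding) tuples for a log excerpt, deduplicated, in order seen."""
    findings = []
    retransmits = 0
    recv_count = 0
    for line in lines:
        if RECV_RE.search(line):
            recv_count += 1
        if "IKE Packet Retransmit" in line:
            retransmits += 1
        m = IDLE_RE.search(line)
        if m:
            _add(findings, ("info", f"rule {m.group(1)} disconnected on idle timeout (normal)"))
        for pattern, meaning in DIAGNOSES:
            if pattern.search(line):
                _add(findings, ("error", meaning))
                break
    # Retransmits with no Mode request ever received point at the peer, not at the proposal.
    if retransmits and recv_count == 0:
        _add(findings, ("error",
             f"{retransmits} IKE retransmit(s) and nothing received from the peer: "
             "peer unreachable or not answering"))
    elif retransmits:
        _add(findings, ("warning",
             f"{retransmits} IKE retransmit(s) during a negotiation the peer did answer"))
    return findings


# Constructed sample excerpts (not from the manual).
PSK_MISMATCH_LOG = [
    "01 Jan 08:08:07 Send Main Mode request to 203.0.113.5",
    "01 Jan 08:08:07 Recv Main Mode request from 203.0.113.5",
    "01 Jan 08:08:08 Recv:PYLD_MALFORMED from 203.0.113.5",
    "01 Jan 08:08:10 !! Too many errors! Deleting SA",
]
UNREACHABLE_LOG = [
    "01 Jan 08:08:07 Send Main Mode request to 203.0.113.9",
    "01 Jan 08:08:10 !! IKE Packet Retransmit",
    "01 Jan 08:08:13 !! IKE Packet Retransmit",
    "01 Jan 08:08:16 !! Too many errors! Deleting SA",
]
CLEAN_LOG = [
    "01 Jan 08:08:07 Send Main Mode request to 203.0.113.5",
    "01 Jan 08:08:07 Recv Main Mode request from 203.0.113.5",
    "01 Jan 09:10:00 Rule 1 idle time out, disconnect",
]

if __name__ == "__main__":
    for name, log in (("PSK mismatch", PSK_MISMATCH_LOG),
                      ("unreachable peer", UNREACHABLE_LOG),
                      ("clean", CLEAN_LOG)):
        print(name)
        for severity, text in triage(log):
            print(f"  [{severity}] {text}")
```

The point of ordering the findings by first appearance is that "Too many errors! Deleting SA" is a consequence, not a cause; the line that explains the teardown (here PYLD_MALFORMED, or the absence of any Recv) always comes earlier in the excerpt.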
Use the sys logs display command to show all of the logs in the ZyWALL’s log. Use the sys logs category display command to show the log settings for all of the log categories.
[Table: log category settings; the value columns shown take the values 0, 1, 2, 3...]
Page 479
Brute-Force Password Guessing Protection
COMMAND / DESCRIPTION
sys pwderrtm: This command displays the brute-force guessing password protection settings.
sys pwderrtm 0: This command turns off the password’s protection from brute-force guessing.
sys pwderrtm N (example: sys pwderrtm 5)
Page 481
Index Part XIII: Index This part provides an Index of key terms. XIII...
Page 484
Call History... 23-4 Call Scheduling... 1-5, 27-1 maximum number of schedule sets... 27-1 PPPoE ... 27-3 Precedence ... 27-1 Call-Triggering Packet ... 21-10 CDR... 21-7 Changing the Password... 3-7 Channel ID... 6-13 CHAP ... 5-8, 10-5 Class Name ... 25-14 Classes of IP Addresses ...42...
Page 485
DMZ 10M LED ... 2-2 DMZ Port Connections ... 2-6 DMZ Setup... 8-1 DNS ...4-1, 6-2, 24-2 Primary Server ... 6-7 Secondary Server ... 6-7 Server Address... 6-2 Domain Name... 4-1, 12-15, 21-4 Basics...
Page 486
ESS ... See Extended Service Set ESS ID ... 6-10 ESSID ... 6-12 Ethernet Cable Pin Assignments...30 Ethernet Encapsulation 5-4, 9-1, 10-2, 10-6, 10-7, 10-11, 12-14 Ethernet Specification for DMZ ...28 Ethernet Specification for WAN...28 Extended Service Set ...18 Extended Service Set IDentification... 6-12 Factory Default ...
Page 487
Gateway IP Addr... 10-7 Gateway IP Address...9-2, 11-3 General Setup... 4-1 General Specifications ... 28 Global... 12-1 Half-Open Sessions ... 15-3 Hardware Installation... 2-1 Hardware Requirements ... 2-8 Hidden Menus... 3-2 Hidden Node problem... 6-10 Host...
Page 488
Internet Assigned Numbers Authority .. See IANA Internet Control Message Protocol (ICMP) ... 13-6 Internet Security Gateway ... 1-1 IP address... 5-8, 5-11 IP Address... 6-3, 6-7, 6-9, 9-2, 10-7, 26-3 Remote... 5-11, 10-9 IP Address Assignment... 10-7, 10-9 IP Address Assignment... 9-2 IP Addressing ...42...
Page 489
Maximum Incomplete Low ... 15-6 Max-incomplete High ... 15-3 Max-incomplete Low... 15-3, 15-6 Mean Time Between Failures ...28 Metric... 5-6, 5-12, 10-5, 10-8, 10-10, 11-3 MSDU... 6-13 MTBF ... See Mean Time Between Failures Multicast ...5-12, 6-8, 10-8, 10-10 My IP Addr... 10-6 My Login ...