ZyXEL Communications 10 User Manual

Internet security gateway

ZyWALL 10/10W/50/100
Internet Security Gateway
User's Guide
Versions 3.52 and 3.60
December 2002


Summary of Contents for ZyXEL Communications 10

  • Page 1 ZyWALL 10/10W/50/100 Internet Security Gateway User’s Guide Versions 3.52 and 3.60 December 2002...
  • Page 2 ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 ZyWALL 10~100 Series Internet Security Gateway Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Information For Canadian Users

    ZyWALL 10~100 Series Internet Security Gateway Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
  • Page 5: Zyxel Limited Warranty

    ZyWALL 10~100 Series Internet Security Gateway ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon...
  • Page 6: Customer Support

    ZyWALL 10~100 Series Internet Security Gateway Please have the following information ready when you contact your customer support representative: • Product model and serial number. • Information in Menu 24.2.1 – System Information.
  • Page 7: Table Of Contents

    List of Tables ...xxv Preface ...xxx Overview ... I Chapter 1 Getting to Know Your ZyWALL ... 1-1 The ZyWALL 10/10W/50/100 Internet Security Gateway ... 1-1 Features ... 1-1 Applications for the ZyWALL ... 1-7 Chapter 2 Hardware Installation ... 2-1 Front Panel LEDs and Back Panel Ports ...
  • Page 8 Chapter 6 LAN Setup...6-1 Introduction...6-1 LAN Port Filter Setup...6-1 TCP/IP and LAN DHCP...6-2 TCP/IP and DHCP Ethernet Setup Menu ...6-5 Wireless LAN ...6-10 Wireless LAN Setup ...6-11 Chapter 7 Wireless LAN Security Setup ...7-1 Levels of Security ...7-1 Data Encryption with WEP...7-1 Network Authentication...7-3...
  • Page 9 Chapter 10 Remote Node Setup... 10-1 10.1 Remote Node Setup... 10-1 10.2 Remote Node Profile... 10-2 10.3 Editing TCP/IP Options (with Ethernet Encapsulation)... 10-7 10.4 Remote Node Filter ... 10-11 10.5 Traffic Redirect ... 10-12 Chapter 11 IP Static Route Setup ...11-1 11.1...
  • Page 10 13.2 Types of Firewalls...13-1 13.3 Introduction to ZyXEL’s Firewall ...13-2 13.4 Denial of Service...13-3 13.5 Stateful Inspection ...13-7 13.6 Guidelines For Enhancing Security With Your Firewall ...13-11 13.7 Packet Filtering Vs Firewall ...13-12 Chapter 14 Introducing the ZyWALL Firewall ...14-1 14.1 Remote Management and the Firewall ...14-1 14.2...
  • Page 11 System Status ... 21-1 21.2 System Information and Console Port Speed... 21-3 21.3 Log and Trace ... 21-5 21.4 Diagnostic ... 21-10 Chapter 22 Firmware and Configuration File Maintenance ... 22-1 Table of Contents ZyWALL 10~100 Series Internet Security Gateway...
  • Page 12 22.1 Filename Conventions ...22-1 22.2 Backup Configuration...22-2 22.3 Restore Configuration...22-8 22.4 Uploading Firmware and Configuration Files ...22-11 System Maintenance and Information and Remote Management ... VII Chapter 23 System Maintenance & Information...23-1 23.1 Command Interpreter Mode...23-1 23.2 Call Control Support ...23-2 23.3 Time and Date Setting ...23-5 Chapter 24 Remote Management ...24-1...
  • Page 13 29.4 IPSec Setup ... 29-11 29.5 IKE Setup... 29-17 29.6 Manual Setup ... 29-21 Chapter 30 SA Monitor ... 30-1 30.1 Introduction ... 30-1 30.2 Using SA Monitor ... 30-1 Table of Contents ZyWALL 10~100 Series Internet Security Gateway xiii...
  • Page 14 Troubleshooting ... X Chapter 31 Troubleshooting ... 1 31.1 Problems Starting Up the ZyWALL ... 1 31.2 Problems with the LAN Interface ... 2 31.3 Problems with the DMZ Interface... 2 31.4 Problems with the WAN Interface... 3 31.5 Problems with Internet Access... 3 31.6 Problems with the Password ...
  • Page 15 Appendix Q Log Descriptions...69 Appendix R Brute-Force Password Guessing Protection...87 Index... XIII Index ...A Table of Contents ZyWALL 10~100 Series Internet Security Gateway...
  • Page 16 Figure 5-1 MAC Address Cloning in WAN Setup...5-1 Figure 5-2 Menu 2: Dial Backup Setup ...5-3 Figure 5-3 Menu 2.1 Advanced WAN Setup ...5-5 Figure 5-4 Menu 11.1 Remote Node Profile (Backup ISP) ...5-7 Figure 5-5 Menu 11.2 - Remote Node PPP Options ...5-10 List of Figures...
  • Page 17 Figure 5-8 Menu 11.4 – Remote Node Setup Script ... 5-14 Figure 5-9 Menu 11.5: Remote Node Filter (Ethernet) ... 5-15 Figure 5-10 Menu 11.5: Remote Node Filter (PPPoE or PPTP) ... 5-15 Figure 6-1 Menu 3: LAN Setup ... 6-1 Figure 6-2 Menu 3.1: LAN Port Filter Setup ...
  • Page 18 Figure 10-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation ...10-4 Figure 10-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation...10-6 Figure 10-5 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation ...10-7 Figure 10-6 Menu 11.3: Remote Node Network Layer Options for PPTP Encapsulation...10-9 Figure 10-7 Menu 11.5: Remote Node Filter (Ethernet Encapsulation) ...10-11...
  • Page 19 ZyWALL 10~100 Series Internet Security Gateway Figure 12-11 Multiple Servers Behind NAT Example ... 12-16 Figure 12-12 NAT Example 1 ... 12-17 Figure 12-13 Menu 4: Internet Access & NAT Example ... 12-17 Figure 12-14 NAT Example 2 ... 12-18 Figure 12-15 Menu 15.2: Specifying an Inside Server...
  • Page 20 Figure 16-7 Firewall Rule Configuration Screen (ZyWALL100)...16-17 Figure 16-8 Firewall IP Config Screen ...16-18 Figure 16-9 Custom Port for MyService...16-19 Figure 16-10 MyService Rule Configuration (ZyWALL100) ...16-20 Figure 16-11 Example 3: Rule Summary (ZyWALL100)...16-21 Figure 17-1Content Filter: Categories ...17-2 Figure 17-2 Content Filter: Free ...17-6 Figure 17-3 Content Filter: iCard ...17-7...
  • Page 21 Figure 22-6 Successful Backup Confirmation Screen... 22-7 Figure 22-7 Telnet into Menu 24.6... 22-9 Figure 22-8 Restore Using FTP Session Example ... 22-10 Figure 22-9 System Maintenance: Restore Configuration ... 22-10 Figure 22-10 System Maintenance: Starting Xmodem Download Screen ... 22-10 List of Figures...
  • Page 22 Figure 23-5 Call History ...23-4 Figure 23-6 Menu 24: System Maintenance ...23-5 Figure 23-7 Menu 24.10 System Maintenance: Time and Date Setting ...23-6 Figure 24-1 Telnet Configuration on a TCP/IP Network ...24-1 Figure 24-2 Menu 24.11 – Remote Management Control ...24-3 Figure 25-1 Application-based Bandwidth Management Example ...25-3...
  • Page 23 ZyWALL 10~100 Series Internet Security Gateway Figure 25-10 Bandwidth Management Statistics ... 25-16 Figure 25-11 Bandwidth Manager Monitor ... 25-18 Figure 26-2 IP Routing Policy Setup ... 26-2 Figure 26-4 Menu 25.1: Sample IP Routing Policy Setup ... 26-3 Figure 26-5 IP Routing Policy ... 26-4 Figure 26-6 Menu 3.2: TCP/IP and DHCP Ethernet Setup ...
  • Page 24 ZyWALL 10~100 Series Internet Security Gateway Figure 29-10 Menu 27.1.1.2: Manual Setup ...29-22 Figure 30-1 Menu 27.2: SA Monitor ...30-1 xxiv List of Figures...
  • Page 25 Table 6-6 Wireless LAN Setup Menu Fields... 6-12 Table 7-1 Wireless LAN... 7-3 Table 7-2 Wireless LAN 802.1X Authentication ... 7-6 Table 7-3 Authentication RADIUS ... 7-7 Table 7-4 Local User Database ... 7-10 Table 7-5 WLAN MAC Address Filter ...7-11 List of Tables...
  • Page 26 Table 10-4 Remote Node Network Layer Options Menu Fields...10-7 Table 10-5 Remote Node Network Layer Options Menu Fields...10-9 Table 10-6 Menu 11.1: Remote Node Profile (Traffic Redirect Field) ...10-14 Table 10-7 Traffic Redirect Setup...10-14 Table 11-1 IP Static Route Menu Fields ...11-3 Table 12-1 NAT Definitions...12-1...
  • Page 27 Table 17-2 Content Filter: Free ... 17-6 Table 17-3 Content Filter: iCard ... 17-7 Table 17-4 Content Filter: List Update ... 17-9 Table 17-5 Content Filter: Exempt Zone... 17-10 Table 17-6 Content Filter: Customize ... 17-12 Table 17-7 Content Filter: Domain Name... 17-14 Table 18-1 View Log...
  • Page 28: Chapter 31 Troubleshooting

    Table 29-7 Menu 27.1: IPSec Summary ...29-8 Table 29-8 Menu 27.1.1: IPSec Setup...29-12 Table 29-9 Menu 27.1.1.1: IKE Setup ...29-19 Table 29-10 Active Protocol: Encapsulation and Security Protocol ...29-21 Table 29-11 Menu 27.1.1.2: Manual Setup...29-22 Table 30-1 Menu 27.2: SA Monitor...30-2 Table 31-1 Troubleshooting the Start-Up of your ZyWALL...
  • Page 29 ZyWALL 10~100 Series Internet Security Gateway Table 31-4 Troubleshooting the WAN interface...3 Table 31-5 Troubleshooting Internet Access ...3 Table 31-6 Troubleshooting the Password ...4 Table 31-7 Troubleshooting Telnet...4 List of Tables xxix...
  • Page 30: Related Documentation

    This manual may refer to the ZyWALL 10/10W/50/100 Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10, 10W, 50 and 100 models. Supported features and the details of those features vary from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in chapter 1 to see what features are specific to your ZyWALL model.
  • Page 31 Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem. • For brevity’s sake, we will use “e.g.” as a shorthand for “for instance” and “i.e.” for “that is” or “in other words” throughout this manual. Preface ZyWALL 10~100 Series Internet Security Gateway xxxi...
  • Page 33 Overview Part I: Overview This part covers Getting to Know Your ZyWALL and Hardware Installation.
  • Page 35: Table 1-1 Model Specific Features

    This chapter introduces the main features and applications of the ZyWALL. The ZyWALL 10/10W/50/100 Internet Security Gateway The ZyWALL 10/10W/50/100 are the ideal secure gateways for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, ZyXEL’s ZyWALL 10/10W/50/100 is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 36: Physical Features

    Physical Features Auto-negotiating 10/100 Mbps Ethernet LAN The LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet. Auto-sensing 10/100 Mbps Ethernet LAN The LAN interface automatically adjusts to either a crossover or straight-through Ethernet cable. This feature is not available on all models.
  • Page 37: Time And Date

    ZyWALL 10~100 Series Internet Security Gateway 10/100 Mbps Ethernet WAN The 10/100 Mbps Ethernet WAN port attaches to the Internet via broadband modem or router. This feature is not available on all models. Backup WAN or Auxiliary The Dial Backup or Auxiliary port can be used in reserve as a traditional dial-up connection if the broadband connection to the WAN port ever fails.
  • Page 38: Content Filtering

    ZyWALL 10~100 Series Internet Security Gateway Firewall The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN.
  • Page 39: Call Scheduling

    ZyWALL 10~100 Series Internet Security Gateway Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the ZyWALL and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network. This feature is not available on all models.
  • Page 40: Traffic Redirect

    SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network.
  • Page 41: Applications For The Zywall

    LAN port: The auto-negotiating 10/100 Mbps Ethernet LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet. Attach computers that are to be secured from the outside world to this port. These computers will have access to e-mail, FTP and the World Wide Web but incoming connections (from the Internet) are only allowed if the connection is originally initiated from the LAN computer or a firewall rule has been specifically configured to allow access.
  • Page 42: Figure 1-1 Secure Internet Access Via Cable, Dsl Or Wireless Modem

    ZyWALL 10~100 Series Internet Security Gateway Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem Getting to Know Your ZyWALL...
  • Page 43: Figure 1-2 Vpn Application

    ZyWALL 10~100 Series Internet Security Gateway 1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. Figure 1-2 VPN Application...
  • Page 45: Chapter 2 Hardware Installation

    ZyWALL 10~100 Series Internet Security Gateway Chapter 2 Hardware Installation This chapter explains the LEDs and ports as well as how to connect the hardware. Refer to Table 1-1 for a list of hardware features that are specific to individual models.
  • Page 46: Figure 2-4 Zywall 10 Front Panel

    Figure 2-4 ZyWALL 10 Front Panel Table 2-1 LED Descriptions STATUS The ZyWALL is turned on. The ZyWALL is turned off. The ZyWALL is not ready or failed. The ZyWALL is ready and running.
  • Page 47: Zywall Rear Panel And Connections

    ZyWALL Rear Panel and Connections The following figure shows the rear panels of the ZyWALL. Hardware Installation ZyWALL 10~100 Series Internet Security Gateway Table 2-1 LED Descriptions STATUS The 100M DMZ is not connected. The ZyWALL is connected to a 100Mbps DMZ.
  • Page 48: Figure 2-5 Zywall 100 Rear Panel

    ZyWALL 10~100 Series Internet Security Gateway Figure 2-5 ZyWALL 100 Rear Panel Figure 2-6 ZyWALL 50 Rear Panel Hardware Installation...
  • Page 49: Figure 2-7 Zywall 10W Rear Panel

    ZyWALL 10~100 Series Internet Security Gateway Figure 2-7 ZyWALL 10W Rear Panel Figure 2-8 ZyWALL 10 Rear Panel This section outlines how to connect your ZyWALL. If you want to connect a cable modem, you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the cable modem.
  • Page 50: Connecting The Console Port

    If you have more than one public server, then you must use an external hub. Connect the 10/100M DMZ port on the ZyWALL to a port on the hub using a straight-through Ethernet cable. This feature is not available on all models.
  • Page 51: Table 2-2 Lan Port Connections With An Uplink Button

    PCMCIA card from the slot. Slide the 64-pin connector end of the PCMCIA wireless LAN card into the slot. See Figure 2-9 for an example. Hardware Installation ZyWALL 10~100 Series Internet Security Gateway A COMPUTER Straight-through Ethernet cable Crossover Ethernet cable...
  • Page 52: Additional Installation Requirements

    Do not force, bend or twist the wireless LAN card. Figure 2-9 Inserting the Wireless LAN Card 2.2.7 Connecting the Power to your ZyWALL Connect the female end of the included power adaptor or power cord to the port labeled POWER on the rear panel of your ZyWALL.
  • Page 53: Additional Installation Requirements For Using 802.1X

    ZyWALL 10~100 Series Internet Security Gateway After the ZyWALL is properly set up, you can make future changes to the configuration through telnet connections. To keep the ZyWALL operating at optimal internal temperature, keep the bottom, sides and rear clear of obstructions and away from the exhaust of other equipment.
  • Page 55 Initial Setup and Configuration Part II: Initial Setup and Configuration This part covers Initial Setup, SMT Menu 1 General Setup, WAN and Dial Backup Setup, LAN Setup, Wireless LAN Setup, DMZ Setup, and Internet Access.
  • Page 57: Chapter 3 Initial Setup

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 58: Navigating The Smt Interface

    Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. OPERATION KEYSTROKES Move down to...
  • Page 59: Table 3-2 Main Menu Summary

    Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Not all models have all the features shown. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3.
  • Page 60 MENU TITLE Internet Access Setup DMZ Setup (This feature is not available on all models.) Remote Node Setup Static Routing Setup NAT Setup Filter and Firewall Setup SNMP Configuration System Password System Maintenance IP Routing Policy Setup Schedule Setup VPN /IPSec Setup Exit Table 3-2 Main Menu Summary Configure your Internet Access setup (Internet address, gateway, login,...
  • Page 61: Figure 3-4 Getting Started And Advanced Applications Smt Menus

    ZyWALL 10~100 Series Internet Security Gateway 3.2.3 SMT Menus at a Glance The available SMT screens vary by ZyWALL model. The following SMT overview applies to the ZyWALL 100. Figure 3-4 Getting Started and Advanced Applications SMT Menus Initial Setup...
  • Page 62: Figure 3-5 Advanced Management Smt Menus

    ZyWALL 10~100 Series Internet Security Gateway Figure 3-5 Advanced Management SMT Menus Initial Setup...
  • Page 63: Changing The System Password

    Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an “X” for each character you type. Initial Setup ZyWALL 10~100 Series Internet Security Gateway Menu 23 - System Password Old Password= ?
  • Page 64: Resetting The Zywall

    3. While pressing the RESET button, turn the ZyWALL on. 4. Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 10 or 15 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
  • Page 65: Chapter 4 Smt Menu 1 - General Setup

    The ZyWALL supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service. SMT Menu 1 – General Setup ZyWALL 10~100 Series Internet Security Gateway SMT Menu 1 - General Setup Chapter 4...
  • Page 66: Figure 4-1 Menu 1: General Setup

    4.2.1 DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. General Setup Step 1.
  • Page 67: Figure 4-2 Configure Dynamic Dns

    EMAIL Enter your e-mail address. SMT Menu 1 – General Setup ZyWALL 10~100 Series Internet Security Gateway Menu 1.1 - Configure Dynamic DNS Press ENTER to confirm or ESC to cancel: Figure 4-2 Configure Dynamic DNS...
  • Page 68 Table 4-2 Configure Dynamic DNS Menu Fields FIELD USER Enter your user name. Password Enter the password assigned to you. Enable Wildcard Your ZyWALL supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No This field is N/A when you choose DDNS client as your service provider.
  • Page 69: Figure 5-1 Mac Address Cloning In Wan Setup

    Figure 5-1 MAC Address Cloning in WAN Setup The following table contains instructions on how to configure your WAN setup. WAN and Dial Backup Setup ZyWALL 10~100 Series Internet Security Gateway WAN and Dial Backup Setup Menu 2 - WAN Setup...
  • Page 70: Table 5-1 Mac Address Cloning In Wan Setup

    Table 5-1 MAC Address Cloning in WAN Setup FIELD MAC Address: Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of that workstation whose IP you give in the following field.
  • Page 71: Figure 5-2 Menu 2: Dial Backup Setup

    [SPACE BAR] to select Yes and then press Setup [ENTER] to go to Menu 2.1: Advanced Setup. WAN and Dial Backup Setup ZyWALL 10~100 Series Internet Security Gateway Menu 2 - WAN Setup MAC Address: Assigned By= Factory default...
  • Page 72: Advanced Wan Setup

    FIELD When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Advanced WAN Setup Consult the manual of your WAN device connected to your Dial Backup port for 5.5.1 AT Command Strings For regular telephone lines, the default “Dial”...
  • Page 73: Figure 5-3 Menu 2.1 Advanced Wan Setup

    AT response string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication. WAN and Dial Backup Setup ZyWALL 10~100 Series Internet Security Gateway Menu 2.1 - Advanced WAN Setup Call Control: Dial Timeout(sec)= 60...
  • Page 74: Backup Remote Node Setup

    Table 5-3 Advanced WAN Port Setup: AT Commands Fields FIELD Called Id Enter the keyword preceding the dialed number. Speed Enter the keyword preceding the connection speed. Table 5-4 Advanced WAN Port Setup: Call Control Parameters FIELD Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping).
  • Page 75: Figure 5-4 Menu 11.1 Remote Node Profile (Backup Isp)

    Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node. Outgoing WAN and Dial Backup Setup ZyWALL 10~100 Series Internet Security Gateway Edit PPP Options= No Rem IP Addr= 0.0.0.0 Edit IP= No...
  • Page 76 Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT Options script for the dial backup remote node (Menu 11.4 - Remote Node Script). See section 5.10 for more information. Telco Option Allocated Enter the maximum number of minutes that this remote node may be Budget called within the time period configured in the Period field.
  • Page 77: Editing Ppp Options

    Enter the time period (in hours) for how often the budget should be reset. For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour).
  • Page 78: Figure 5-5 Menu 11.2 - Remote Node Ppp Options

    Standard PPP. Compression Press [SPACE BAR] and then [ENTER] to select Yes to enable or No to disable Stac compression. 5-10 Menu 11.2 - Remote Node PPP Options Encapsulation= Standard PPP Compression= No Enter here to CONFIRM or ESC to CANCEL:...
  • Page 79: Figure 5-7 Menu 11.3: Remote Node Network Layer Options

    Enter your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router. WAN and Dial Backup Setup ZyWALL 10~100 Series Internet Security Gateway Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0...
  • Page 80: Editing Login Script

    “Press ENTER to Confirm...” to save your configuration and return to menu 11, or press [ESC] at any time to cancel. 5.10 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose.
  • Page 81 60 seconds), the ZyWALL will timeout and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect. WAN and Dial Backup Setup ZyWALL 10~100 Series Internet Security Gateway 5-13...
  • Page 82: Figure 5-8 Menu 11.4 - Remote Node Setup Script

    Active= No Set 1: Expect= Send= Set 2: Expect= Send= Set 3: Expect= Send= Set 4: Expect= Send= Figure 5-8 Menu 11.4 – Remote Node Setup Script The following table describes each field in Menu 11.4 – Remote Node Setup Script. Table 5-7 Remote Node Script Menu Fields FIELD Active...
  • Page 83: Figure 5-9 Menu 11.5: Remote Node Filter (Ethernet)

    Figure 5-9 Menu 11.5: Remote Node Filter (Ethernet) Figure 5-10 Menu 11.5: Remote Node Filter (PPPoE or PPTP) WAN and Dial Backup Setup ZyWALL 10~100 Series Internet Security Gateway Menu 11.5 - Remote Node Filter...
  • Page 85: Figure 6-1 Menu 3: Lan Setup

    LAN traffic, however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. LAN Setup ZyWALL 10~100 Series Internet Security Gateway available on the ZyWALL 10W and 100 models. Menu 3 - LAN Setup 1.
  • Page 86: Figure 6-2 Menu 3.1: Lan Port Filter Setup

    TCP/IP and LAN DHCP The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 6.3.1 Factory LAN Defaults The LAN parameters of the ZyWALL are preset in the factory with the following values: 1.
  • Page 87: Ip Address And Subnet Mask

    However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks: LAN Setup ZyWALL 10~100 Series Internet Security Gateway 192.168.1.2 - 192.168.1.32; 192.168.1.65 - 192.168.1.254 255.255.255.0 192.168.1.1 (ZyWALL LAN IP Address)
  • Page 88: Rip Setup

    - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed Table 6-2 Private IP Address Ranges 10.0.0.0 — 10.255.255.255 172.16.0.0 — 172.31.255.255 192.168.0.0 — 192.168.255.255...
  • Page 89: Figure 6-3 Physical Network

    ZyWALL 10~100 Series Internet Security Gateway information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255.
  • Page 90: Figure 6-5 Menu 3: Tcp/Ip And Dhcp Setup

    Figure 6-5 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Configuration: TCP/IP Setup:...
  • Page 91: Table 6-3 Dhcp Ethernet Setup Menu Fields

    Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. LAN Setup ZyWALL 10~100 Series Internet Security Gateway DESCRIPTION DESCRIPTION EXAMPLE Server 192.168.1.33...
  • Page 92: Ip Alias Setup

    FIELD RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None. Version Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M. Multicast IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group.
  • Page 93: Figure 6-7 Menu 3.2.1: Ip Alias Setup

    When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel. LAN Setup ZyWALL 10~100 Series Internet Security Gateway Menu 3.2.1 - IP Alias Setup IP Alias 1= No...
  • Page 94: Wireless Lan

    AP, it might not know that the other station is already using the wireless medium. When these two stations send data at the same time, the frames might collide when arriving simultaneously at the AP. The collision will almost certainly result in a loss of messages for both stations. 6-10 LAN Setup...
  • Page 95: Figure 6-8 Rts Threshold

    WEP is enabled. See section 7.2 for more information about configuring WEP data encryption. Wireless LAN Setup Use menu 3.5 to set up your ZyWALL as the wireless access point. LAN Setup ZyWALL 10~100 Series Internet Security Gateway Figure 6-8 RTS Threshold 6-11...
  • Page 96: Figure 6-9 Menu 3.5 - Wireless Lan Setup

    See section 7.2 for instructions on WEP and section 7.5 for instructions on configuring the MAC address filter. If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
  • Page 97 When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. The ZyWALL LAN Ethernet and wireless ports can transparently communicate with LAN Setup ZyWALL 10~100 Series Internet Security Gateway DESCRIPTION each other (transparent bridge). EXAMPLE...
  • Page 99: Figure 7-1 Zywall Wireless Security Levels

    WEP key for data encryption and decryption. For wireless LAN setup, refer to section 6.6. Wireless LAN Security Setup ZyWALL 10~100 Series Internet Security Gateway Wireless LAN Security Setup available on the ZyWALL 10W and 100 models.
  • Page 100: Figure 7-2 Wireless Lan

    ZyWALL 10~100 Series Internet Security Gateway Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at any one time. To configure and enable WEP encryption, click Advanced, Wireless and the Wireless tab to display the Wireless LAN screen.
  • Page 101: Table 7-1 Wireless Lan

    If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal digits ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal digits ("0-9", "A-F") preceded by 0x for each key.
  • Page 102: Types Of Radius Messages

    • Authorization Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple packet exchange in which your ZyWALL acts as a message relay between the wireless client and the network RADIUS server.
  • Page 103: Figure 7-3 Sequence For Eap Authentication

    Otherwise, no traffic is allowed. 7.3.4 Enable EAP Authentication on Your ZyWALL Click Advanced, Wireless and the 802.1X tab to display the Wireless LAN 802.1X Authentication screen. Wireless LAN Security Setup ZyWALL 10~100 Series Internet Security Gateway...
  • Page 104: Figure 7-4 Wireless Lan 802.1X Authentication

    Figure 7-4 Wireless LAN 802.1X Authentication The following table describes the fields in this screen. Table 7-2 Wireless LAN 802.1X Authentication FIELD Authentication Control Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box. Select Auto to authenticate all wireless clients before they can access the wired network.
  • Page 105: Figure 7-5 Authentication RADIUS

    ZyWALL. Server Address: enter the IP address of the external authentication server in dotted decimal notation (example: 10.11.12.13). Figure 7-5 Authentication RADIUS; Table 7-3 Authentication RADIUS.
  • Page 106: Local User Authentication

    RADIUS server. Click Advanced, Wireless and then the Local User Database tab to display the following screen (some of the screen’s blank rows are not shown). Table 7-3 Authentication RADIUS (example values from the table: 10.11.12.13, 1812, 1813).
  • Page 107: Figure 7-6 Local User Database

    Figure 7-6 Local User Database.
  • Page 108: Table 7-4 Local User Database

    MAC addresses. However, intruders could fake allowed MAC addresses, so MAC-based authentication is less secure than EAP authentication. Click Advanced, Wireless and then the MAC Filter tab to display the Wireless LAN MAC Filter screen. Table 7-4 Local User Database.
  • Page 109: Figure 7-7 WLAN MAC Address Filter

    MAC Address: enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the ZyWALL in these address fields. Figure 7-7 WLAN MAC Address Filter; Table 7-5 WLAN MAC Address Filter.
  • Page 110 Table 7-5 WLAN MAC Address Filter: click Apply to save these settings back to the ZyWALL. Click Reset to start this screen afresh.
  • Page 111: Chapter 8 DMZ Setup

    This chapter describes how to configure the ZyWALL 100’s DMZ using Menu 5: DMZ Setup. Introduction: the DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death.
  • Page 112: Figure 8-2 Menu 5.1: DMZ Port Filter Setup

    DMZ Port Filter Setup: this menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic. This feature is not available on all models. Figure 8-2 Menu 5.1: DMZ Port Filter Setup. TCP/IP Setup, 8.3.1 IP Address: for more detailed information about RIP setup, IP Multicast and IP alias, please refer to the LAN chapter.
  • Page 113: Figure 8-4 Menu 5.2: TCP/IP Setup

    [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Pressing [ENTER] opens Menu 5.2.1 - IP Alias Setup, as shown next. Menu 5.2 - TCP/IP Ethernet Setup, TCP/IP Setup:...
  • Page 114: Figure 8-5 Menu 5.2.1: IP Alias Setup

    Press Space Bar to Toggle. Refer to Table 6-5 for instructions on configuring IP Alias parameters. Menu 5.2.1 - IP Alias Setup: IP Alias 1= No; IP Address= N/A; IP Subnet Mask= N/A; RIP Direction= N/A; Version= N/A; Incoming protocol filters= N/A; Outgoing protocol filters= N/A; IP Alias 2= No; IP Address= N/A...
  • Page 115: Chapter 9 Internet Access

    ISP’s Name: enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only. Menu 4 - Internet Access Setup: ISP's Name= ChangeMe; Encapsulation= Ethernet; Service Type= Standard...
  • Page 116 Table 9-1 Menu 4: Internet Access Setup Menu Fields. Encapsulation: press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type: press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method) or RR-Telstra.
  • Page 117: Figure 9-2 Internet Access Setup (PPTP)

    Idle Timeout: this value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server. Menu 4 - Internet Access Setup: ISP's Name= ChangeMe; Encapsulation= PPTP; Service Type= N/A...
  • Page 118: Figure 9-3 Internet Access Setup (PPPoE)

    9.1.4 PPPoE Encapsulation. The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS).
  • Page 119: Table 9-3 New Fields in Menu 4 (PPPoE) Screen

    See the firewall chapters for more information on the firewall. ... originates from the Internet.
  • Page 121: Advanced Applications

    Part III: Advanced Applications. This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation.
  • Page 123: Chapter 10 Remote Node Setup

    This chapter shows you how to configure a remote node. Menu 11 - Remote Node Setup: 1. ChangeMe (ISP, SUA) 2. ________ Enter Node # to Edit: (Figure 10-1 Menu 11 Remote Node Setup).
  • Page 124: Remote Node Profile

    My Password= N/A; Server IP= N/A; Press ENTER to Confirm or ESC to Cancel: (Figure 10-2 Menu 11.1: Remote Node Profile for Ethernet Encapsulation). Rem Node Name: enter a descriptive name for the remote node. This field can be up to eight characters.
  • Page 125: PPPoE Encapsulation

    Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. 10.2.2 PPPoE Encapsulation. Table 10-1 Fields in Menu 11.1.
  • Page 126: Figure 10-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation

    My Password= ********; Authen= CHAP/PAP; Press Space Bar to Toggle. (Figure 10-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation.) Outgoing Authentication Protocol: generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors’ implementations include a specific authentication protocol in the user profile and will disconnect if the negotiated protocol is different from that in the user profile, even when the negotiated protocol is stronger than specified.
  • Page 127: Table 10-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific)

    This field is the time period after which the budget is reset. For example, if we are allowed to call this remote node for a maximum of 10 minutes every hour, then the Allocated Budget is 10 (minutes) and the Period(hr) is 1 (hour).
  • Page 128: Figure 10-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation

    Connection ID/Name= Press Space Bar to Toggle. (Figure 10-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation.) The next table shows how to configure the fields in menu 11.1 not previously discussed. Table 10-3 Fields in Menu 11.1 (PPTP Encapsulation).
  • Page 129: Editing TCP/IP Options (with Ethernet Encapsulation)

    Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Figure 10-5 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation. The next table gives you instructions on configuring remote node network layer options.
  • Page 130 Table 10-4 Remote Node Network Layer Options Menu Fields. Metric: enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher the priority of the route.
  • Page 131: Figure 10-6 Menu 11.3: Remote Node Network Layer Options for PPTP Encapsulation

    11.1, press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Figure 10-6 Menu 11.3: Remote Node Network Layer Options for PPTP Encapsulation. The next table gives you instructions on configuring remote node network layer options.
  • Page 132: Table 10-5 Remote Node Network Layer Options Menu Fields

    Table 10-5 Remote Node Network Layer Options Menu Fields. My WAN Addr: some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN, and each end must have a unique address within the WAN network number.
  • Page 133: Remote Node Filter

    For more information on defining the filters, please refer to the Filters chapter. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets. Figure 10-7 Menu 11.5: Remote Node Filter (Ethernet Encapsulation). Menu 11.5 - Remote Node Filter...
  • Page 134: Traffic Redirect

    Figure 10-8 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation). 10.5 Traffic Redirect: traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
  • Page 135: Figure 10-10 Traffic Redirect LAN Setup

    My Login= N/A; My Password= N/A; Server IP= N/A (Figure 10-11 Menu 11.1: Remote Node Profile). To configure traffic redirect properties, press [SPACE BAR] to select Yes in the Edit Traffic Redirect field and then press [ENTER].
  • Page 136: Figure 10-12 Menu 11.6: Traffic Redirect Setup

    Table 10-6 Menu 11.1: Remote Node Profile (Traffic Redirect Field). Edit Traffic Redirect: press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 -...
  • Page 137 When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration, or press [ESC] to cancel and go back to the previous screen. Table 10-7 Traffic Redirect Setup (example value: 0.0.0.0)...
  • Page 139: Chapter 11 IP Static Route Setup

    Chapter 11 IP Static Route Setup. This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN.
  • Page 140: IP Static Route Setup

    11.1 IP Static Route Setup: enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. (Figure 11-2 Menu 12: IP Static Route Setup (ZyWALL 10W).) Now, enter the index number of the static route that you want to configure.
  • Page 141: Figure 11-3 Menu 12.1: Edit IP Static Route

    (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher the priority of the route. Menu 12.1 - Edit IP Static Route: Route #: 1...
  • Page 142 Private: this parameter determines whether the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts.
  • Page 143: Table 12-1 NAT Definitions

    This chapter discusses how to configure NAT on the ZyWALL. Table 12-1 NAT Definitions: Local refers to the packet address (source or destination) as the packet travels on the LAN. Global refers to the packet address (source or destination) as the packet travels on the WAN.
  • Page 144: What NAT Does

    NAT never changes the IP address (either local or global) of an outside host. 12.1.2 What NAT Does: in the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 145: Figure 12-1 How NAT Works

    Figure 12-1 How NAT Works.
  • Page 146: Figure 12-2 NAT Application with IP Alias

    12.1.4 NAT Application: the following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • Page 147: Table 12-2 NAT Mapping Types

    Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types. The following table summarizes these types. Table 12-2 NAT Mapping Types (TYPE / IP MAPPING): One-to-One (ILA1 to IGA1), Many-to-One (SUA/PAT), Many-to-Many Overload, ... (ILA1...)
  • Page 148: Using NAT

    Table 12-2 NAT Mapping Types, remaining types: Many-One-to-One, Server. 12.2 Using NAT: you must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the ZyWALL. 12.2.1 SUA (Single User Account) Versus NAT: SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 149: Figure 12-3 Menu 4: Applying NAT for Internet Access

    Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options. Menu 4 - Internet Access Setup...
  • Page 150: NAT Setup

    Menu 11.3 - Remote Node Network Layer Options: IP Address Assignment= Dynamic; IP Address= N/A; IP Subnet Mask= N/A; Gateway IP Addr= N/A; Network Address Translation= Full Feature; Metric= N/A; Private= N/A; RIP Direction= None...
  • Page 151: Figure 12-5 Menu 15: NAT Setup

    Figure 12-6 Menu 15.1: Address Mapping Sets. SUA Address Mapping Set: enter 255 to display the next screen (see also section 12.2.1). The fields in this menu cannot be changed. Menu 15 - NAT Setup: Address Mapping Sets...
  • Page 152: Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules

    Set Name= SUA; Local Start IP 0.0.0.0, Local End IP 255.255.255.255; Press ENTER to Confirm or ESC to Cancel: (Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules.) The following table explains the fields in this screen.
  • Page 153: Figure 12-8 Menu 15.1.1: First Set

    Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ... Table 12-4 SUA Address Mapping Rules: ... [ENTER] at the bottom of the screen.
  • Page 154 ignored. If there are any empty rules before your newly configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9...
  • Page 155: Figure 12-9 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

    Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. Menu 15.1.1.1 Address Mapping Rule...
  • Page 156: Table 12-7 Services & Port Numbers

    (for example both FTP and web service), it might be better to specify a range of port numbers. Entry 12 (port 1026) is non-editable (see Figure 12-10). In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server.
  • Page 157: Configuring a Server Behind NAT

    Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers, or press [ESC] at any time to cancel. Table 12-7 Services & Port Numbers...
  • Page 158: Figure 12-10 Menu 15.2: NAT Server Setup

    Figure 12-10 Menu 15.2: NAT Server Setup; Figure 12-11 Multiple Servers Behind NAT Example. Menu 15.2 - NAT Server Setup (columns: Rule, Start Port No., End Port No., IP Address): Default Default 0.0.0.0; ... 1026 1026 ...; Press ENTER to Confirm or ESC to Cancel:
  • Page 159: General NAT Examples

    In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 12-12 NAT Example 1; Figure 12-13 Menu 4: Internet Access & NAT Example. Menu 4 - Internet Access Setup...
  • Page 160: Figure 12-14 NAT Example 2

    From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 12.5. The SUA Only read-only option in the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 161: Figure 12-15 Menu 15.2: Specifying an Inside Server

    NAT on the LAN. The example situation looks somewhat like this: Menu 15.2 - NAT Server Setup: Rule, Start Port No.
  • Page 162: Figure 12-16 NAT Example 3

    Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). (See Figure 12-18.)
  • Page 163: Figure 12-17 Example 3: Menu 11.3

    Local IP: Start= 192.168.1.10; Global IP: Start= 10.132.50.1; Press Space Bar to Toggle. (Figure 12-17 Example 3: Menu 11.3.) Menu 15.1.1.1 Address Mapping Rule: = N/A; = N/A; Press ENTER to Confirm or ESC to Cancel: (Figure 12-18 Example 3: Menu 15.1.1.1)...
  • Page 164: Figure 12-19 Example 3: Final Menu 15.1.1

    Set Name= Example3; Local Start IP: 1. 192.168.1.10; 192.168.1.11; 3. 0.0.0.0 (Figure 12-19 Example 3: Final Menu 15.1.1). Now configure IGA3 to map to our web server and mail server on the LAN.
  • Page 165: Figure 12-21 NAT Example 4

    12.5.4 Example 4: NAT Unfriendly Application Programs. Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping, as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 166: Trigger Port Forwarding

    Type= Many-One-to-One; Local IP: Start= 192.168.1.10, End= 192.168.1.12; Global IP: Start= 10.132.50.1, End= 10.132.50.3 (Figure 12-22 Example 4: Menu 15.1.1.1: Address Mapping Rule). After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
  • Page 167: Figure 12-24 Trigger Port Forwarding Process: Example

    ZyWALL associates Jane's computer IP address with the "incoming" port range of 6970-7170. 3. The Real Audio server responds using a port number ranging between 6970-7170. 4. The ZyWALL forwards the traffic to Jane’s computer IP address.
  • Page 168: Figure 12-25 Menu 15.3 - Trigger Port Setup

    5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
  • Page 169: Table 12-8 Menu 15.3 - Trigger Port Setup Description

    Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
  • Page 171: Firewall and Content Filters

    Part IV: Firewall and Content Filters. This part introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and gives example firewall rules and an overview of content filtering.
  • Page 173: Chapter 13 Firewalls

    Chapter 13 Firewalls. This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall. 13.1 What Is a Firewall? Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 174: Stateful Inspection Firewalls

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 175: Figure 13-1 ZyWALL Firewall Application

    Figure 13-1 ZyWALL Firewall Application. 13.4 Denial of Service: Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 176: Types of DoS Attacks

    for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are: ... 13.4.2 Types of DoS Attacks: there are four types of DoS attacks: 1.
  • Page 177: Figure 13-2 Three-Way Handshake

    (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users. Figure 13-2 Three-Way Handshake; Figure 13-3 SYN Flood.
  • Page 178: Figure 13-4 Smurf Attack

    2-b In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3.
  • Page 179: Table 13-3 Legal NetBIOS Commands

    The ZyWALL uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyWALL’s stateful inspection allows ... Table 13-3 Legal NetBIOS Commands: MESSAGE:...
  • Page 180: Figure 13-5 Stateful Inspection

    all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: allows all sessions originating from the LAN (local network) to the WAN (Internet); denies all sessions originating from the WAN to the LAN. The previous figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works.
  • Page 181: Stateful Inspection and the ZyWALL

    Allow certain types of traffic from the Internet to specific hosts on the LAN. iii. Allow access to a Web server to everyone but competitors. Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
  • Page 182: TCP Security

    These custom rules work by evaluating the network traffic’s source IP address, destination IP address and IP protocol type, and comparing these to rules set by the administrator. The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
  • Page 183: Upper Layer Protocols

    5. For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and by configuring rules to block packets for the services at specific interfaces. 6. Protect against IP spoofing by making sure the firewall is active.
  • Page 184: Security in General

    9. If you use “chat rooms” or IRC sessions, be careful with any information you reveal to strangers. 10. If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that cause your system to slowly become unstable or unusable.
  • Page 185 2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
  • Page 186 3. To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check many rules. 5.
  • Page 187: Figure 14-1 Menu 21: Filter and Firewall Setup

    Figure 14-1 Menu 21: Filter and Firewall Setup. This chapter shows you how to get started with the ZyWALL firewall. Menu 21 - Filter and Firewall Setup: 1.
  • Page 188: Figure 14-2 Menu 21.2: Firewall Setup

    14.3.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
  • Page 189: Web Configurator Login and Main Menu Screens

    Click Advanced, Firewall and then the Summary tab. Enable (or activate) the firewall by clicking the Enable Firewall check box as seen in the following screen. Chapter 15 Using the ZyWALL Web Configurator.
  • Page 190: Figure 15-1 Enabling the Firewall (ZyWALL 100)

    Figure 15-1 Enabling the Firewall (ZyWALL 100). 15.2.1 Alerts: alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 15-2; check the Generate alert when attack detected check box) or when a rule is matched in the Rule Config screen (see Figure 16-4). When an event generates an alert, a message is immediately sent to an e-mail account specified by...
  • Page 191: Threshold Values

    determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.
  • Page 192 threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period. TCP Maximum Incomplete and Blocking Time: an unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
  • Page 193: Figure 15-2 Attack Alert

    Figure 15-2 Attack Alert; Table 15-1 Attack Alert (DESCRIPTION / DEFAULT VALUES): ... 80 existing half-open sessions.
  • Page 194 The above values cause the ZyWALL to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions when the number of existing half-open sessions drops below 80. 10 existing half-open TCP sessions.
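    The high/low threshold behaviour described above (start deleting above 100, stop below 80) and the per-host "TCP Maximum Incomplete" check from page 192, modelled as a small state machine. This is an added example, not ZyWALL firmware code; the class and method names, the constructed sample sessions, and the assumption that an over-threshold destination host is blocked for a configurable number of minutes (the Blocking Time default is not given on this page, so 5 is a placeholder) are all assumptions of the example.

```python
from collections import Counter


class HalfOpenSessionMonitor:
    """Models the Attack Alert thresholds of Table 15-1.

    Global hysteresis: once the number of half-open sessions rises above
    max_incomplete_high the firewall starts deleting half-open sessions and
    keeps doing so until the count drops below max_incomplete_low.
    Per-host check: more than tcp_max_incomplete half-open sessions to the
    same destination host is treated as a possible DoS against that host,
    and new attempts to it are blocked for blocking_time_min minutes
    (the blocking behaviour and its default value are assumptions here)."""

    def __init__(self, max_incomplete_high=100, max_incomplete_low=80,
                 tcp_max_incomplete=10, blocking_time_min=5):
        if max_incomplete_low >= max_incomplete_high:
            raise ValueError("low threshold must be below the high threshold")
        self.high = max_incomplete_high
        self.low = max_incomplete_low
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_time_min = blocking_time_min
        self.deleting = False        # are we currently deleting half-open sessions?
        self.blocked_until = {}      # destination host -> minute the block expires

    def observe_total(self, half_open_count):
        """Feed one sample of the global half-open session count.

        Returns True while the firewall is in the deleting state. The two
        thresholds form a hysteresis band, so a count of 90 is tolerated
        before an attack but still triggers deletion once one has started."""
        if not self.deleting and half_open_count > self.high:
            self.deleting = True
        elif self.deleting and half_open_count < self.low:
            self.deleting = False
        return self.deleting

    def is_blocked(self, dst, now_min):
        return now_min < self.blocked_until.get(dst, -1)

    def observe_hosts(self, half_open_sessions, now_min):
        """half_open_sessions: iterable of (src, dst) pairs currently half-open.

        Counts half-open sessions per destination host; any host above
        tcp_max_incomplete that is not already blocked gets a block that
        expires blocking_time_min minutes from now. Returns the sorted list
        of hosts newly placed under block (already-blocked hosts are not
        reported again)."""
        per_dst = Counter(dst for _, dst in half_open_sessions)
        newly_blocked = []
        for dst, count in per_dst.items():
            if count > self.tcp_max_incomplete and not self.is_blocked(dst, now_min):
                self.blocked_until[dst] = now_min + self.blocking_time_min
                newly_blocked.append(dst)
        return sorted(newly_blocked)


def sample_half_open_sessions():
    """Constructed sample: 12 half-open sessions from different spoofed
    sources to one LAN host, plus 3 to another host (normal load)."""
    sessions = [("203.0.113.%d" % i, "192.168.1.10") for i in range(1, 13)]
    sessions += [("198.51.100.%d" % i, "192.168.1.11") for i in range(1, 4)]
    return sessions


if __name__ == "__main__":
    monitor = HalfOpenSessionMonitor()
    for count in (50, 101, 95, 85, 79, 90):
        print("total half-open %3d -> deleting=%s" % (count, monitor.observe_total(count)))
    print("newly blocked hosts:", monitor.observe_hosts(sample_half_open_sessions(), now_min=0))
```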
  • Page 195 When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on the fields in this screen. Table 15-1 Attack Alert...
  • Page 197: Rules Overview

    This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computers on the WAN and/or managing the ZyWALL. Rule directions: • DMZ to LAN • DMZ to DMZ/ZyWALL • WAN to LAN • WAN to WAN/ZyWALL •...
  • Page 198: Rule Logic Overview

    This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and/or managing the ZyWALL. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so. If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network.
  • Page 199: Security Ramifications

    Destination Address: what is the connection’s destination address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet?
  • Page 200: Figure 16-1 LAN to WAN Traffic

    16.3 Connection Direction Examples: this section describes examples of firewall rules for connections going from LAN to WAN and from WAN to LAN. Rules for the DMZ work in a similar fashion. LAN to LAN/ZyWALL, WAN to WAN/ZyWALL and DMZ to DMZ/ZyWALL rules apply to packets coming in on the associated interface (LAN, WAN, or DMZ respectively).
  • Page 201: Figure 16-2 WAN to LAN Traffic

    See the following figure. Figure 16-2 WAN to LAN Traffic. 16.4 Rule Summary: click Advanced, Firewall and the Summary tab to display the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed.
  • Page 202: Figure 16-3 Firewall Rules Summary: First Screen (ZyWALL 100)

    Figure 16-3 Firewall Rules Summary: First Screen (ZyWALL 100). The following table describes the fields in the firewall summary screen. Table 16-1 Firewall Rules Summary: First Screen. Enable Firewall: select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 203 (Not Match), both (Both) or no log is created (None). Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched. ...
  • Page 204: Table 16-2 Predefined Services

    Table 16-1 Firewall Rules Summary: First Screen. Insert: Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 205 MULTICAST(IGMP:0) NEW-ICQ(TCP:5190) NEWS(TCP:144) NFS(UDP:2049) Table 16-2 Predefined Services. A popular videoconferencing solution from White Pines Software. Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
  • Page 206 TRAPS(TCP/UDP:162) SQL-NET(TCP:1521) SSH(TCP/UDP:22) STRM WORKS(UDP:1558) SYSLOG(UDP:514) Table 16-2 Predefined Services. Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. Packet Internet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
  • Page 207 Step 2. Click Insert to display this screen and refer to the following table for information on the fields. Table 16-2 Predefined Services. Login Host Protocol used for (Terminal Access Controller Access Control System).
  • Page 208: Figure 16-4 Creating/Editing A Firewall Rule (Zywall100)

    Figure 16-4 Creating/Editing A Firewall Rule (ZyWALL100) Table 16-3 Creating/Editing A Firewall Rule. Active: Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to...
  • Page 209 Matched Packets forwarded? Make your choice from the drop down list box. Note that Block means the firewall silently discards the packet. Options: LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ...
  • Page 210: Figure 16-5 Adding/Editing Source And Destination Addresses

    This field determines if a log is created for packets that match the rule, don’t match the rule, both or no log is created. Alert: Check the Alert check box to have this rule generate an alert when the rule is matched. When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.
  • Page 211: Custom Ports

    Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop down list box. Start IP Address: Enter the single IP address or the starting IP address in a range here.
  • Page 212: Figure 16-6 Creating/Editing A Custom Port

    Figure 16-6 Creating/Editing A Custom Port The next table describes the fields in this screen. Table 16-5 Creating/Editing A Custom Port. Service Name: Enter a unique name for your custom port. Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box.
  • Page 213: Figure 16-7 Firewall Rule Configuration Screen (Zywall100)

    Figure 16-7 Firewall Rule Configuration Screen (ZyWALL100) Step 4. Click Any in the Source Address box and then click ScrDelete. Step 5. Click ScrAdd under the Source Address box. ...
  • Page 214: Figure 16-8 Firewall Ip Config Screen

    Step 6. Configure the Firewall IP Config screen as follows and click Apply. Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Custom Port Configuration screen. Configure it as follows and click Apply.
  • Page 215: Figure 16-9 Custom Port For Myservice

    Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. Figure 16-9 Custom Port for MyService ...
  • Page 216: Figure 16-10 Myservice Rule Configuration (Zywall100)

    This is the address range of the “MyService” servers. Figure 16-10 MyService Rule Configuration (ZyWALL100) Click Apply when finished. This is your “MyService” custom port. ...
  • Page 217: Figure 16-11 Example 3: Rule Summary (Zywall100)

    Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Rule 1: Allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Figure 16-11 Example 3: Rule Summary (ZyWALL100)
  • Page 219: Restrict Web Features

    The ZyWALL also allows you to define time periods and days during which content filtering should be enabled. 17.1.4 Configure Categories Click Content on the navigation panel, and then the Categories tab to open the following screen. Chapter 17 Content Filtering ...
  • Page 220: Figure 17-1Content Filter: Categories

    Restricted Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. A tool for building dynamic and active Web pages and distributed object applications. When...
  • Page 221 Sexual Acts: Selecting this category excludes pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Also includes phone sex ads, dating services, and adult personals, CD-ROMs and videos. Table 17-1 Content Filter: Categories ...
  • Page 222 Gross Depictions: Selecting this category excludes pictures or descriptive text of anyone or anything which are crudely vulgar or grossly deficient in civility or behavior, or which show scatological impropriety. Includes such depictions as maiming, bloody figures, or indecent depiction of bodily functions.
  • Page 223 ZyWALL for the initial free subscription in this page by filling in your personal information in the fields and then clicking Apply. You must fill in all required fields (denoted by an asterisk). Table 17-1 Content Filter: Categories ...
  • Page 224: Figure 17-2 Content Filter: Free

    Last Name: Type your last name. You may enter up to 31 characters. This is a required field. First Name: Type your first name. You may enter up to 31 characters. This is a required field. E-mail: Type your e-mail address. You may enter up to 40 characters. This is a required field. Company: Type the name of your company.
  • Page 225: Figure 17-3 Content Filter: Icard

    Type your last name. You may enter up to 31 characters (required field). First Name: Type your first name. You may enter up to 31 characters (required field). Figure 17-3 Content Filter: iCard Table 17-3 Content Filter: iCard ...
  • Page 226: List Update

    E-mail: Type your e-mail address. You may enter up to 40 characters (required field). Company: Type the name of your company. You may enter up to 31 characters. Title: Type your job title. You may enter up to 31 characters. Country: Type your country name.
  • Page 227: Figure 17-4 Content Filter: List Update

    Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Figure 17-4 Content Filter: List Update Table 17-4 Content Filter: List Update ...
  • Page 228: Exempt Computers

    17.5 Exempt Computers Click Content on the navigation panel, and then the Exempt Zone tab to open the following screen. Use this screen to include or exclude a range of users on the LAN from content filtering.
  • Page 229: Customizing

    Click Content on the navigation panel, and then the Customize tab to open the following screen. Use this screen to customize the content filter list by adding or removing specific sites from the filter list. ...
  • Page 230: Figure 17-6 Content Filter: Customize

    Figure 17-6 Content Filter: Customize Table 17-6 Content Filter: Customize. Filter List Customization: Make sure the Enable Filter List Customization check box is selected to make this feature available. Add or remove sites from the Filter List to customize the Content Filter List. Enable Filter List Customization: Select this check box to allow Trusted Domain web sites and block Forbidden Domain web sites.
  • Page 231 Delete Forbidden Domain to delete it from that list. Apply: Click Apply to save your changes. Reset: Click Reset to begin configuring this screen afresh. Table 17-6 Content Filter: Customize ...
  • Page 232: Figure 17-7 Content Filter: Domain Name

    17.7 Domain Name Click Content on the navigation panel, and then the Domain Name tab to open the following screen. Use this screen to configure the ZyWALL to block Web sites containing keywords in their URLs. For example, if you enable the keyword "bad", the ZyWALL blocks all sites whose URL contains this keyword, such as http://www.website.com/bad.html, even if the site is not included in the Filter List.
  • Page 233 Delete Keyword: Highlight a keyword in the lower box and click Delete Keyword to remove it. The keyword disappears from the text box after you click Apply. Reset: Click Reset to begin configuring this screen afresh. Table 17-7 Content Filter: Domain Name ...
  • Page 235 Part V: Logs, Filter Configuration, and SNMP Configuration This part provides information and configuration instructions for the logs, filters, and SNMP.
  • Page 237: Chapter 18 Centralized Logs

    Chapter 18 Centralized Logs This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the appendices for example log message explanations and how to view the logs via the SMT command interface.
  • Page 238: Figure 18-1 View Log

    Display: The categories that you select in the Log Settings page (see section 18.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 239: Log Settings

    Use the Log Settings screen to configure where the ZyWALL sends logs, the schedule for when it sends them, and which logs and/or immediate alerts it sends. Table 18-1 View Log ...
  • Page 240: Figure 18-2 Log Settings

    Figure 18-2 Log Settings ...
  • Page 241: Table 18-2 Log Settings Screen

    Select a location from the drop down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to your UNIX manual for more information. Send Log Table 18-2 Log Settings Screen ...
  • Page 242 Log Schedule: This drop-down menu is used to configure the frequency of log messages being sent as E-mail: If you select Weekly or Daily, specify a time of day when the E-mail should be sent.
  • Page 243: Chapter 19 Filter Configuration

    Chapter 19 Filter Configuration This chapter shows you how to create and apply filters. 19.1 About Filtering Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 244: Figure 19-1 Outgoing Packet Filtering Process

    Figure 19-1 Outgoing Packet Filtering Process (flowchart: outgoing data packet, match, drop packet) For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
  • Page 245: Figure 19-2 Filter Rule Process

    Figure 19-2 Filter Rule Process (flowchart: packet into filter, fetch first filter set, fetch first filter rule, check whether the rule is active and whether a next rule or next filter set is available, execute filter rule, fetch next filter rule or next filter set) ...
  • Page 246: Configuring A Filter Set

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 247: Table 19-1 Abbreviations Used In The Filter Rules Summary Menu

    “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. The protocol-dependent filter rule abbreviations are listed as follows: ...
  • Page 248: Configuring A Filter Rule

    Refer to the next section for information on configuring the filter rules. 19.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule.
  • Page 249: Figure 19-6 Menu 21.1.1.1: Tcp/Ip Filter Rule

    Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule...
  • Page 250 Table 19-3 TCP/IP Filter Rule Menu Fields. Destination: IP Mask: Enter the IP mask to apply to the Destination: IP Addr. Port #: Enter the destination port of the packets that you wish to filter.
  • Page 251 ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The following figure illustrates the logic flow of an IP filter. ...
  • Page 252: Figure 19-7 Executing An Ip Filter

    Figure 19-7 Executing an IP Filter (flowchart: packet into IP filter; filter active?; apply SrcAddrMask to Src Addr and check Src IP Addr matched; apply DestAddrMask to Dest Addr and check Dest IP Addr matched; check IP Protocol matched; check Src & Dest Port...)
  • Page 253: Figure 19-8 Menu 21.1.4.1: Generic Filter Rule

    Figure 19-8 Menu 21.1.4.1: Generic Filter Rule The following table describes the fields in the Generic Filter Rule menu. Menu 21.1.4.1 - Generic Filter Rule Filter #: 4,1 Filter Type= Generic Filter Rule...
  • Page 254: Table 19-4 Generic Filter Rule Menu Fields

    Table 19-4 Generic Filter Rule Menu Fields. Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type.
  • Page 255: Example Filter

    Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. Figure 19-9 Telnet Filter Example ...
  • Page 256: Figure 19-10 Example Filter: Menu 21.1.3.1

    Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Menu 21.1.3.1 - TCP/IP Filter Rule...
  • Page 257: Figure 19-11 Example Filter Rules Summary: Menu 21.1.3

    Step 4. Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.5. Filter Rules M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the...
  • Page 258: Filter Types And Nat

    19.4 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets.
  • Page 259: Applying A Filter And Factory Defaults

    You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the ZyWALL and output filter sets filter Menu 3.1 – LAN Port Filter Setup Input Filter Sets:...
  • Page 260: Figure 19-14Filtering Dmz Traffic

    outgoing traffic from the ZyWALL. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. The DMZ port is not available on all models.
  • Page 261: Chapter 20 Snmp Configuration

    Chapter 20 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 20.1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 262: Figure 20-1 Snmp Management Model

    Figure 20-1 SNMP Management Model An SNMP managed network consists of two main types of components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 263: Supported Mibs

    Get Community: Type the Get community, which is the password for the incoming Get- and GetNext requests from the management station. Menu 22 - SNMP Configuration Get Community= public Set Community= public Trusted Host= 0.0.0.0...
  • Page 264: Table 20-2 Snmp Traps

    Table 20-1 SNMP Configuration Menu Fields. Set Community: Type the Set community, which is the password for incoming Set requests from the management station. Trusted Host: If you enter a trusted host, your ZyWALL will only respond to SNMP messages from this address.
  • Page 265: Configuration File Maintenance

    Part VI: System Information and Diagnosis and Firmware and Configuration File Maintenance This part provides information on system information and diagnosis and maintaining the firmware and configuration files.
  • Page 267: Chapter 21 System Information & Diagnosis

    ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Menu 24 - System Maintenance System Status...
  • Page 268: Figure 21-2 Menu 24.1: System Maintenance: Status (Zywall 100)

    The following table describes the fields present in Menu 24.1 - System Maintenance - Status. These fields are READ-ONLY and meant for diagnostic purposes. The upper right corner of the screen shows the time and date according to the format you set in menu 24.10. Table 21-1 System Maintenance: Status Menu Fields...
  • Page 269: Figure 21-3 Menu 24.2: System Information And Console Port Speed

    From this menu you have two choices as shown in the next figure: Figure 21-3 Menu 24.2: System Information and Console Port Speed Menu 24.2 - System Information and Console Port Speed 1.
  • Page 270: Figure 21-4 Menu 24.2.1: System Maintenance: Information (Zywall 10W)

    21.2.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. Menu 24.2.1 - System Maintenance - Information Figure 21-4 Menu 24.2.1: System Maintenance: Information (ZyWALL 10W)
  • Page 271: Log And Trace

    Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system. Console Port Speed: 115200 Press ENTER to Confirm or ESC to Cancel:...
  • Page 272: Figure 21-6 Menu 24.3: System Maintenance: Log And Trace

    6 Wed Aug 22 21:24:26 2001 PP17 7 Wed Aug 22 21:24:26 2001 PP17 8 Wed Aug 22 21:24:26 2001 PP17 10 Thu Aug 23 08:26:59 2001 PINI -WARN 11 Thu Aug 23 08:26:59 2001 PINI 12 Thu Aug 23 08:27:04 2001 PP17...
  • Page 273: Figure 21-8 Menu 24.3.2: System Maintenance: Unix Syslog (Zywall 100)

    No filters are logged when this field is set to No. Filters with the individual filter Log Filter field set to Yes (Menu 21.x.x) are logged when this field is set to Yes. Menu 24.3.2 - System Maintenance - UNIX Syslog ...
  • Page 274: System Information And Diagnosis

    Table 21-3 System Maintenance Menu Syslog Parameters. PPP log: PPP events are logged when this field is set to Yes. Firewall log: When set to Yes, the ZyWALL sends the firewall log to a syslog server.
  • Page 275: Firewall Log

    :520 |UDP|default permit:<2,0>|B 08-01-2000 11:48:39 Local1.Notice |IGMP<2>|default permit:<2,0>|B 08-01-2000 11:48:39 Local1.Notice |IGMP<2>|default permit:<2,0>|B dpo=00021]}S04>R01mF 192.168.10.10 RAS: FW 172.21.1.80 192.168.10.10 RAS: FW 192.168.77.88 192.168.10.10 RAS: FW 172.21.1.50 192.168.10.10 RAS: FW 172.21.1.25...
  • Page 276: Diagnostic

    21.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
  • Page 277: Figure 21-10 Menu 24.4: System Maintenance: Diagnostic

    From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 21-10 Menu 24.4: System Maintenance: Diagnostic 21.4.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 21-11. LAN DHCP has already been discussed.
  • Page 278: Figure 21-11 Wan & Lan Dhcp

    The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 21-4 System Maintenance Menu Diagnostic: Ping Host, WAN DHCP Release, WAN DHCP Renewal, Internet Setup Test...
  • Page 279: Chapter 22 Firmware And Configuration File Maintenance

    Chapter 22 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 22.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 280: Table 22-1 Filename Conventions

    local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
  • Page 281: Figure 22-1 Telnet Into Menu 24.5

    Step 7. Enter “quit” to exit the ftp prompt. 22.2.3 Example of FTP Commands from the Command Line Press ENTER to Exit: Figure 22-1 Telnet into Menu 24.5 ...
  • Page 282: Figure 22-2 Ftp Session Example

    331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 283: Backup Configuration Using Tftp

    For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the ZyWALL to the computer and “binary” to set binary transfer mode. ...
  • Page 284: Table 22-3 General Commands For Gui-Based Tftp Clients

    22.2.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get”...
  • Page 285: Figure 22-3 System Maintenance: Backup Configuration

    ** Backup Configuration completed. OK. ### Hit any key to continue.### Figure 22-6 Successful Backup Confirmation Screen Type a location for storing the configuration file or click Browse to look for one.
  • Page 286: Restore Configuration

    22.3 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
  • Page 287: Figure 22-7 Telnet Into Menu 24.6

    Step 8. Enter “quit” to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process. Figure 22-7 Telnet into Menu 24.6 ...
  • Page 288: Figure 22-8 Restore Using Ftp Session Example

    The following screen indicates that the Xmodem download has started. Starting XMODEM download (CRC mode) ... CCCCCCCCC Figure 22-10 System Maintenance: Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen.
  • Page 289: Uploading Firmware And Configuration Files

    Restore Configuration section or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port). Save to ROM Hit any key to start system reboot.
  • Page 290: Figure 22-13 Telnet Into Menu 24.7.1: Upload System Firmware

    Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE 22.4.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.
  • Page 291: Figure 22-14 Telnet Into Menu 24.7.2: System Maintenance

    (firmware.bin) to the ZyWALL and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer (config.rom) to the ZyWALL and renames it “rom-0”. Likewise “get rom-0 config.rom” ...
  • Page 292: Figure 22-15 Ftp Session Example Of Firmware File Upload

    transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt.
  • Page 293: Tftp Upload Command Example

    Uploading files via the console port under normal conditions is not recommended since FTP or TFTP is faster. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download/upload. ...
  • Page 294: Figure 22-16 Menu 24.7.1 As Seen Using The Console Port

    22.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • Page 295: Figure 22-17 Example Xmodem Upload

    - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Figure 22-17 Example Xmodem Upload Type the firmware file’s location, or click Browse to look for it.
  • Page 296: Figure 22-18 Menu 24.7.2 As Seen Using The Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message.
  • Page 297: Figure 22-19 Example Xmodem Upload

    After the configuration upload process has completed, restart the ZyWALL by entering “atgo”. Figure 22-19 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it.
  • Page 299 Part VII: System Maintenance and Information and Remote Management This part provides information on the system maintenance and information functions and how to configure remote management.
  • Page 301: Chapter 23 System Maintenance & Information

    System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.10. The Real Time Chip (RTC) applies to 23.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 302: Call Control Support

    Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ras> ? Valid commands are: ras>
    23.2 Call Control Support
    The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
  • Page 303: Figure 23-4 Budget Management

    Enter “0” to update the screen or press [ESC] to return to the previous screen.
    Menu 24.9.1 - Budget Management Connection Time/Total Budget...
  • Page 304: Figure 23-5 Call History

    23.2.2 Call History
    This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 305: Time And Date Setting

    Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next.
    Figure 23-6 Menu 24: System Maintenance
    Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
  • Page 306: Figure 23-7 Menu 24.10 System Maintenance: Time And Date Setting

    Time Zone= GMT+0800 Daylight Saving= No Start Date (mm-dd): End Date (mm_dd):
    Figure 23-7 Menu 24.10 System Maintenance: Time and Date Setting
    Use Time Server when Bootup: Enter the time service protocol that your timeserver sends when you turn on the ZyWALL.
  • Page 307: Resetting The Time

    23.3.1 Resetting the Time
    The ZyWALL resets the time in three instances: i. On leaving menu 24.10 after making changes. ii. When the ZyWALL starts up, if there is a timeserver configured in menu 24.10. iii. 24-hour intervals after starting.
  • Page 309: Chapter 24 Remote Management

    Chapter 24 Remote Management
    This chapter covers remote management found in SMT menu 24.11.
    24.1 Remote Management and the Firewall
    When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 310: SNMP

    24.3 FTP
    You can upload and download the ZyWALL’s firmware and configuration files using FTP; see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.
  • Page 311: Figure 24-2 Menu 24.11 - Remote Management Control

    Select the access interface (if any) by pressing [SPACE BAR], then [ENTER] to choose from: LAN only, WAN only, ALL or Disable.
    firewall rule to allow access.
    Menu 24.11 - Remote Management Control...
  • Page 312: Remote Management And NAT

    Table 24-1 Menu 24.11 – Remote Management Control
    Secured Client: The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address.
  • Page 313: System Timeout

    24.9 System Timeout
    There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyWALL automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been...
  • Page 315: Bandwidth Management

    Part VIII: Bandwidth Management
    This part provides information on the functions and configuration of Bandwidth Management.
  • Page 317: Chapter 25 Bandwidth Management

    Use bandwidth classes and child-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class (or child-class) based on a specific
    Bandwidth Management
    Bandwidth management applies to the ZyWALL 100.
  • Page 318: Proportional Bandwidth Allocation

    application and/or subnet. Use the Class Configuration tab (see section 25.8.3) to set up a bandwidth class’s name, bandwidth allotment, and bandwidth filter. You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure child-classes with filters for any classes that you configure without filters.
  • Page 319: Figure 25-1 Application-Based Bandwidth Management Example

    Figure 25-1 Application-based Bandwidth Management Example
    25.4.2 Subnet-based Bandwidth Management Example
    The following example uses bandwidth classes based solely on LAN subnets. Each bandwidth class (Subnet A and Subnet B) is allotted 5 Mbps.
  • Page 320: Scheduler

    Table 25-1 Application and Subnet-based Bandwidth Management Example (traffic types: VoIP, E-mail, Video)
    Figure 25-3 Application and Subnet-based Bandwidth Management Example
    25.5 Scheduler
    The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based.
  • Page 321: Maximize Bandwidth Usage

    25.5.1 Priority-based Scheduler
    With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority.
  • Page 322: Figure 25-4 Bandwidth Allotment Example

    The classes are set up based on subnets. The interface is set to 10 Mbps. Each subnet is allocated 2 Mbps. The unbudgeted 2 Mbps allows traffic not defined in one of the bandwidth filters to go out when you do not select the maximize bandwidth option.
  • Page 323: Figure 25-5 Maximize Bandwidth Usage Example

    The ZyWALL does not send any traffic that is not defined in the bandwidth filters because all of the unbudgeted bandwidth goes to the classes that need it.
    Figure 25-5 Maximize Bandwidth Usage Example
  • Page 324: Bandwidth Borrowing

    25.7 Bandwidth Borrowing
    Bandwidth borrowing allows a child-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.
  • Page 325: Figure 25-6 Bandwidth Borrowing Example

    Figure 25-6 Bandwidth Borrowing Example
    The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled. The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled.
  • Page 326: Bandwidth Management Setup

    The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
  • Page 327: Figure 25-7 Bandwidth Manager: Summary

    25.8.1 Bandwidth Manager Summary
    Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface in the bandwidth manager’s Summary tab. Click Advanced, BW Manager, and then Summary to open the screen shown next.
  • Page 328: Table 25-2 Bandwidth Manager: Summary

    Table 25-2 Bandwidth Manager: Summary
    These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Not all interfaces are available on every ZyWALL. WLAN...
  • Page 329: Figure 25-8 Bandwidth Manager: Class Setup

    Click Edit to configure the selected class. You cannot edit the root class.
    Delete: Click Delete to delete the class and all its child-classes. You cannot delete the root class.
    Statistics: Click Statistics to display the status of the selected class.
  • Page 330: Figure 25-9 Bandwidth Manager: Class Configuration

    25.8.3 Bandwidth Manager Class Configuration
    Configure a bandwidth management class in the Class Configuration screen. You must use the Bandwidth Manager Summary screen to enable bandwidth management on an interface before you can configure classes for that interface.
  • Page 331 Enter the protocol ID (service type) number, for example: 1 for ICMP, 6 for TCP or 17 for UDP. Click Apply to save your changes back to the ZyWALL. Click Reset to begin configuring this screen afresh.
  • Page 332: Figure 25-10 Bandwidth Management Statistics

    ECHO, FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), Finger, HTTP (Hyper Text Transfer protocol or WWW, Web), POP3 (Post Office Protocol), NNTP (Network News Transport Protocol), SNMP (Simple Network Management Protocol)
  • Page 333: Table 25-6 Bandwidth Management Statistics

    25.8.5 Bandwidth Manager Monitor
    Use the Bandwidth Manager Monitor screen to view the device’s bandwidth usage and allotments. Click Advanced, BW Manager, and then the Monitor tab to open the following screen.
  • Page 334: Figure 25-11 Bandwidth Manager Monitor

    Figure 25-11 Bandwidth Manager Monitor
    Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
    Class Name: This field displays the name of the class.
  • Page 335 Part IX: IP Policy Routing, Call Scheduling and VPN/IPSec. This part provides information on how to configure IP Policy Routing, call scheduling and VPN/IPSec.
  • Page 337: Chapter 26 IP Policy Routing

    The action is taken only when all the criteria are met. The criteria include the source address and port, IP protocol (ICMP, UDP, TCP, etc.), destination
    Chapter 26 IP Policy Routing
    the ZyWALL 100.
  • Page 338: Figure 26-2 IP Routing Policy Setup

    address and port, ToS and precedence (fields in the IP header) and length. The length criterion is included to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets.
  • Page 339: Figure 26-4 Menu 25.1: Sample IP Routing Policy Setup

    Menu 25.1 - IP Routing Policy Setup Criteria/Action Enter Policy Rule Number (1-6) to Configure:
    Figure 26-4 Menu 25.1: Sample IP Routing Policy Setup
    Table 26-1 IP Routing Policy Setup (ABBREVIATION / MEANING): Criterion, Action, Source IP Address...
  • Page 340: Figure 26-5 IP Routing Policy

    Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Policy Set Name= test...
  • Page 341 Set the new outgoing packet precedence value. Values are 0 to 7 or No Change. Press [SPACE BAR] and then [ENTER] to select Yes to make an entry in the system log when a policy is executed. Table 26-2 IP Routing Policy
  • Page 342: Applying An IP Policy

    When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
  • Page 343: IP Policy Routing Example

    Internet via the WAN port of the ZyWALL, follow the steps as shown next. Step 1. Create a routing policy set in menu 25. Step 2. Create a rule for this set in Menu 25.1.1 - IP Routing Policy as shown next.
  • Page 344: Figure 26-8 IP Routing Policy Example

    Policy Set Name= set1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Precedence Source: addr start= 192.168.1.2 port start= 0 Destination: addr start= 0.0.0.0 port start= 80 Action= Matched Gateway addr Type of Service= No Change...
  • Page 345: Figure 26-9 IP Routing Policy

    Check Menu 25.1 - IP Routing Policy Setup to see if the rule is added correctly. Step 7. Apply both policy sets in menu 3.2 as shown next.
    Menu 25.1.1 - IP Routing Policy Packet length= 10 = Don't Care...
  • Page 346: Figure 26-10 Applying IP Policies

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup DHCP= Server Client IP Pool Starting Address= 192.168.1.33 Size of Client IP Pool= 64 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0 Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1...
  • Page 347: Chapter 27 Call Scheduling

    3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node.
    Menu 26 - Schedule Setup Schedule...
  • Page 348: Figure 27-2 Schedule Set Setup

    To delete a schedule set, enter the set number and press [SPACE BAR] and then
    To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
  • Page 349 Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets field available as shown next. Table 27-1 Schedule Set Setup Fields
  • Page 350: Figure 27-3 Applying Schedule Set(s) To A Remote Node (PPPoE)

    Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing= My Login= My Password= ******** Authen= CHAP/PAP Press Space Bar to Toggle.
    Figure 27-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
    You can apply up to four schedule sets, separated by commas, for one remote node.
  • Page 351: Figure 27-4 Applying Schedule Set(s) To A Remote Node (PPTP)

    Server IP Addr= Connection ID/Name= Press Space Bar to Toggle.
    Figure 27-4 Applying Schedule Set(s) to a Remote Node (PPTP)
    Menu 11.1 - Remote Node Profile Route= IP Edit IP= No Telco Option:...
  • Page 353: Chapter 28 Introduction To IPSec

    Decryption is the opposite of encryption: it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key.
    Introduction to IPSec
    This chapter introduces the basics of IPSec VPNs.
  • Page 354: Figure 28-1 Encryption And Decryption

    Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
    Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
    Data Origin Authentication: The IPSec receiver can verify the source of IPSec packets.
  • Page 355: IPSec Architecture

    Figure 28-2 VPN Application
    28.2 IPSec Architecture
    The overall IPSec architecture is shown as follows.
  • Page 356: Figure 28-3 IPSec Architecture

    Figure 28-3 IPSec Architecture
    28.2.1 IPSec Algorithms
    The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 357: IPSec And NAT

    AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
  • Page 358: Table 28-1 VPN And NAT

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
  • Page 359: Chapter 29 VPN/IPSec Setup

    This is an overview of the VPN menu tree. From the main menu, enter 27 to display the first VPN menu (shown next).
    Figure 29-1 VPN SMT Menu Tree
    Chapter 29 VPN/IPSec Setup
    information on IPSec logs.
  • Page 360: IPSec Algorithms

    29.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.
  • Page 361: IPSec Summary

    A tunnel with no outbound or inbound traffic is "idle" and stays connected until the IPSec SA lifetime period expires (see section 29.5). The ZyWALL automatically renegotiates the IPSec SA if there is traffic when the
    Table 29-1 AH and ESP: Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 362: ID Type And Content

    IPSec SA lifetime period expires. If there is no traffic when the IPSec SA lifetime period expires, the tunnel is dropped and will have to be renegotiated the next time that someone attempts to send traffic, unless you enable keep alive. Keep alive allows you to set the ZyWALL to automatically renegotiate the IPSec SA at the end of the IPSec SA lifetime, even if there is no traffic.
  • Page 363: Table 29-3 Peer Fields

    The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
    Table 29-3 Peer Fields CONTENT= ZYWALL B...
  • Page 364: My IP Address

    Table 29-5 Mismatching ID Type and Content Configuration Example
    ZYWALL A: Local ID type: IP; Local ID content: N/A; Local IP address: 1.1.1.1; Peer ID type: E-mail; Peer ID content: aa@yahoo.com; Peer IP address: 1.1.1.2
    29.3.3 My IP Address
    My IP Addr is the WAN IP address of the ZyWALL. If this field is configured as 0.0.0.0, then the ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 365: Figure 29-4 Telecommuter's ZyWALL Configuration

    Gateway IP domain name. Address:
    Figure 29-4 Telecommuter’s ZyWALL Configuration
    Figure 29-5 Headquarters ZyWALL Configuration
    TELECOMMUTER: Public static IP address; 0.0.0.0: With this IP address only the telecommuter can initiate the IPSec tunnel.
  • Page 366: Figure 29-6 Menu 27.1: IPSec Summary

    This is the VPN policy index number.
    Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here.
    Y signifies that this VPN rule is active.
  • Page 367 You need to finish configuring the VPN policy in menu 27.1.1.1 or 27.1.1.2 if ??? is displayed. Key Mgt: This field displays the SA’s type of key management (IKE or Manual). Table 29-7 Menu 27.1: IPSec Summary
  • Page 368 IPSec router with which you are making the VPN connection. This field displays 0.0.0.0 when you configure the Secure Gateway Addr field in SMT 27.1.1 to 0.0.0.0. Table 29-7 Menu 27.1: IPSec Summary
  • Page 369: IPSec Setup

    Select Edit in the Select Command field; type the index number of a rule in the Select Rule field and press [ENTER] to edit the VPN using the menu shown next.
    Table 29-7 Menu 27.1: IPSec Summary
  • Page 370: Figure 29-7 Menu 27.1.1: IPSec Setup

    This is the VPN rule index number you selected in the previous menu.
    Name: Enter a unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed in Menu 27.1 - IPSec Summary.
    Active: Press [SPACE BAR] to choose either Yes or No.
  • Page 371 Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. Table 29-8 Menu 27.1.1: IPSec Setup
  • Page 372 Content: This field is N/A when you select IP in the Peer ID Type field (the ZyWALL uses the IP address in the Secure Gateway Addr field). When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router.
  • Page 373 IPSec router. This field displays N/A when you configure the Secure Gateway Addr field to 0.0.0.0. Table 29-8 Menu 27.1.1: IPSec Setup
  • Page 374 End: When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 375: IKE Setup

    Choose an authentication algorithm. Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography – see section 29.5.5. Select None (the default) to disable PFS. Choose Tunnel mode or Transport mode.
  • Page 376: Negotiation Mode

    Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyWALL automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic.
  • Page 377 Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in slightly increased latency and decreased throughput. Menu 27.1.1.1 - IKE Setup = ESP = DES...
  • Page 378: Table 29-9 Menu 27.1.1.1: IKE Setup

    Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. ZyWALL DES encryption algorithm uses a 56-bit key.
  • Page 379: Manual Setup

    29.6.1 Active Protocol
    This field is a combination of mode and security protocols used for the VPN. These parameters have been discussed earlier.
    Table 29-10 Active Protocol: Encapsulation and Security Protocol (MODE: Tunnel, Transport)
    29.6.2 Security Parameter Index (SPI)
    An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol.
  • Page 380: Table 29-11 Menu 27.1.1.2: Manual Setup

    Key3= N/A Authentication Algorithm= MD5 Key= N/A SPI (Decimal)= N/A Authentication Algorithm= N/A Key= Press ENTER to Confirm or ESC to Cancel:
    Figure 29-10 Menu 27.1.1.2: Manual Setup
    Table 29-11 Menu 27.1.1.2: Manual Setup
  • Page 381 When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
  • Page 383: Chapter 30 SA Monitor

    Type 2 in Menu 27 - VPN/IPSec Setup, and then press [ENTER] to go to Menu 27.2 - SA Monitor.
    -------------------------------- Taiwan : 3.3.3.1 – 3.3.3.3.100 Press ENTER to Confirm or ESC to Cancel:
    expires, even if there is no traffic.
    Menu 27.2 - SA Monitor Name Encap.
  • Page 384: Table 30-1 Menu 27.2: SA Monitor

    This is the security association index number.
    Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule.
  • Page 385: Troubleshooting

    Part X: Troubleshooting
    This part provides possible remedies for potential problems.
  • Page 387: Table 31-1 Troubleshooting The Start-Up Of Your ZyWALL

    included disk for further information. DMZ applies to the ZyWALL 100.
    VT100 terminal emulation: 9600 bps is the default speed on leaving the factory. Try other speeds in case the speed has been changed.
  • Page 388: Problems With The LAN Interface

    31.2 Problems with the LAN Interface
    Table 31-2 Troubleshooting the LAN Interface
    Cannot access the ZyWALL from the LAN: Check your Ethernet cable type and connections. Refer to the Rear Panel and the ZyWALL Connections section for LAN connection instructions. Make sure your NIC (Network Interface Card) is installed and functioning properly.
    Cannot ping: Check the 10M/100M LAN LEDs on the front panel.
  • Page 389: Table 31-4 Troubleshooting The WAN Interface

    Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require crossover cable and others a regular straight-through cable. Verify your settings in menu 3.2 and menu 4.
  • Page 390: Table 31-6 Troubleshooting The Password

    31.6 Problems with the Password
    Cannot access the ZyWALL: The Password field is case sensitive. Make sure that you enter the correct password using the proper casing. Use the Reset button to restore the factory default configuration file. This will restore all of the factory defaults including the password.
  • Page 391 General Appendices Part XI: General Appendices This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting, safety warnings and how to change a ZyWALL 100 Fuse.
  • Page 393: Appendix A Setting Up Your Computer's IP Address

    Appendix A Setting up Your Computer’s IP Address
    All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 394 The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
  • Page 395 Disable DNS. -If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
  • Page 396 Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
  • Page 397 Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 398 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically. -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 399 -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 400 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 401 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 402: Macintosh OS X

    For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. Close the TCP/IP Control Panel.
  • Page 403 Click Apply Now and close the window. Turn on your ZyWALL and restart your computer (if prompted). Verifying Your Computer’s IP Address: Check your TCP/IP properties in the Network window.
  • Page 404: Appendix B Triangle Route

    The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. The “Triangle Route”...
  • Page 405 The ZyWALL reroutes the packet to Gateway B which is in Subnet 2. Step 3. The reply from WAN goes through the ZyWALL to the computer on the LAN in Subnet 1. Diagram B-2 “Triangle Route” Problem. Diagram B-3 IP Alias...
  • Page 406: Gateways On The Wan Side

    Gateways on the WAN Side: A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 407: Appendix C The Big Picture

    Appendix C The Big Picture. The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram C-1 Big Picture: Filtering, Firewall, VPN and NAT.
  • Page 408: Benefits Of A Wireless Lan

    A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 409 The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
  • Page 410 Diagram D-1 Peer-to-Peer Communication in an Ad-hoc Network. Infrastructure Wireless LAN Configuration: For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
  • Page 411 ...could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram D-2 ESS Provides Campus-Wide Coverage.
  • Page 412: Appendix E Wireless Lan With Ieee 802.1X

    Appendix E Wireless LAN With IEEE 802.1x. As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11: Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, based its access control on the MAC address.
  • Page 413 The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Diagram E-1 Sequences for EAP MD5-Challenge Authentication (client computer, access point and RADIUS server; the authentication sequence ends with the client computer's access being authorized).
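The EAP MD5-Challenge sequence that Diagram E-1 depicts, as an added example that is not from the manual or from ZyXEL: the access point issues a challenge, the client answers with MD5(Identifier || password || challenge) as RFC 3748 and RFC 1994 define it, and the authenticator (standing in for the RADIUS server) recomputes and compares. The identity round that precedes the challenge is omitted; the user database, user name, password and the use of the Name field are constructed assumptions. The last function shows why this method needs a protected channel: anyone who captures the two EAPOL frames can test password guesses offline.

```python
import hashlib
import os
import struct

# EAP codes and the MD5-Challenge type from RFC 3748 (the identity round that
# precedes the challenge is omitted here).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_MD5_CHALLENGE = 4

# Constructed user database standing in for the RADIUS server (assumption).
USERS = {b"alice": b"correct horse"}


def eap_packet(code, identifier, type_data=b""):
    """Code(1) Identifier(1) Length(2) followed by Type and Type-Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match the frame")
    return code, identifier, pkt[4:]


def md5_response(identifier, secret, challenge):
    """EAP-MD5 / CHAP response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def md5_challenge_request(identifier, challenge):
    # Type(1) Value-Size(1) Value(challenge); no Name field in the request.
    return eap_packet(EAP_REQUEST, identifier,
                      bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge)


def supplicant_answer(request, username, password):
    """Client side: hash the challenge with its password and append its name."""
    code, identifier, data = parse_eap(request)
    if code != EAP_REQUEST or data[0] != TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-MD5 challenge")
    challenge = data[2:2 + data[1]]
    value = md5_response(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier,
                      bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + username)


def authenticator_verify(response, challenge, identifier, users=USERS):
    """Server side: recompute the hash from the stored password and compare."""
    code, rid, data = parse_eap(response)
    if code != EAP_RESPONSE or rid != identifier or data[0] != TYPE_MD5_CHALLENGE:
        return False
    value = data[2:2 + data[1]]
    name = data[2 + data[1]:]
    secret = users.get(name)
    return secret is not None and value == md5_response(identifier, secret, challenge)


def run_exchange(username, password, challenge=None):
    """Drive the three frames of Diagram E-1; returns (transcript, authorized)."""
    challenge = challenge or os.urandom(16)
    identifier = 1
    request = md5_challenge_request(identifier, challenge)
    response = supplicant_answer(request, username, password)
    ok = authenticator_verify(response, challenge, identifier)
    final = eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)
    return [("AP->client", request), ("client->AP", response), ("AP->client", final)], ok


def offline_guess(identifier, challenge, captured_value, wordlist):
    """An eavesdropper who saw the request and the response can test guesses offline."""
    for guess in wordlist:
        if md5_response(identifier, guess, challenge) == captured_value:
            return guess
    return None
```

The exchange proves that the client knows the password, but nothing more: the access point is never authenticated to the client, no keying material is derived, and a captured challenge/response pair lets an attacker run the guessing loop at leisure, which is why the method is only reasonable on links that an attacker cannot observe.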
  • Page 415: Appendix F Pppoe

    3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional Dial-up Scenario: The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking. Diagram F-1 Single-PC per Modem Hardware Configuration.
  • Page 416: How Pppoe Works

    How PPPoE Works: The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 417: Appendix G Pptp

    Appendix G PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband...
  • Page 418 PPTP Protocol Overview: PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
  • Page 419 Diagram G-3 Example Message Exchange between PC and an ANT. PPP Data Connection: The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 420: Appendix H Hardware Specifications

    Power consumption: 16 Watts maximum. Power current: 1.9 Amps. Fuse: 0.5 Amps, 250 VAC. MTBF: 100000 hrs (Mean Time Between Failures). Operating temperature: 0º C ~ 40º C. Ethernet port specifications: 10/100Mbps Half / Full Auto-negotiation; 10Mbps Half / Full Auto-negotiation; 10/100Mbps Half / Full Auto-negotiation; 10/100Mbps Half / Full Auto-negotiation.
  • Page 421: Cable Pin Assignments

    CON/AUX port’s pin assignments. Products without flow control only use pins 2, 3 and 5. (Pin-out figure: Pin 1 ... Pin 6; DIAL BACKUP RS-232 (Male) DB-9M (Not on all...
  • Page 422 Straight-Through (Switch) cable signals: IRD+, IRD-, OTD+, OTD-. Power Adaptor Specifications (ZyWALL 10/10W/50). Chart H-4 North American AC Power Adaptor Specifications: AC Power Adapter model AD48-1201200DUY; Input power: AC 120 Volts/60 Hz/0.25 A; Output power: DC 12 Volts/1.2 A; Power consumption: 10 W; Plug: North American standards; Safety standards: UL, CUL (UL 1950, CSA C22.2 No.234-M90).
  • Page 423 Safety standards: TUV, CE (EN 60950, BS7002). Chart H-7 Japan AC Power Adaptor Specifications: AC Power Adapter model JOD-48-1124; Input power: AC 100 Volts/50/60 Hz/27 VA; Output power: DC 12 Volts/1.2 A; Power consumption: 10 W; Plug: Japan standards; Safety standards: T-Mark.
  • Page 424 Chart H-8 Australia and New Zealand AC Power Adaptor Specifications: AC Power Adapter model AD-1201200Ds or AD-121200DS; Input power: AC 240 Volts/50 Hz/0.2 A; Output power: DC 12 Volts/1.2 A; Power consumption: 10 W; Plug: Australia and New Zealand standards; Safety standards: NATA (AS 3260).
  • Page 425: Universal Plug And Play

    Windows Messenger is an example of an application that supports NAT Traversal and UPnP. See the Network Address Translation (NAT) chapter in your User's Guide for further information about NAT.
  • Page 426 Are there any cautions about UPnP? The automated nature of NAT Traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 427: Installing Upnp In Windows Me

    This section shows how to install UPnP in Windows Me and Windows XP. Follow the steps below to install the UPnP in Windows Me. Chart I-1 UPnP. Installing UPnP in Windows Me...
  • Page 428: Installing Upnp In Windows Xp

    Step 1. Click Start and Control Panel. Double-click Add/Remove Programs. Step 2. Click the Windows Setup tab and select Communication in the Components selection box. Click Details. Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box. Step 4.
  • Page 429: Using Upnp In Windows Xp Example

    Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device. Auto-discover Your UPnP-enabled Network Device.
  • Page 430 Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. Step 2. Right-click the icon and select Properties. Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Step 4.
  • Page 431: Web Configurator Easy Access

    ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device. Follow the steps below to access the web configurator. ...mappings will be deleted automatically.
  • Page 432 Step 1. Click start and then Control Panel. Step 2. Double-click Network Connections. Step 3. Select My Network Places under Other Places. Step 4. An icon with the description for each UPnP-enabled device displays under Local Network. Step 5. Right-click the icon for your ZyXEL device and select Invoke.
  • Page 433 Step 6. Right-click on the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 434: Appendix J Ip Subnetting

    IP Addressing: Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes: An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 435: Subnet Masks

    0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B” address has a valid range of 128 to 191. The first octet of a class “C” address begins with “110”, and therefore has a range of 192 to 223.
  • Page 436 With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
  • Page 437 ...IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet is 2^(host ID bits) - 2 (the all-zeros and all-ones host IDs are excluded). Chart J-5 Subnet 1 NETWORK NUMBER 192.168.1.
  • Page 438 Similarly to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (all 0’s is the subnet itself, all 1’s is the broadcast address on the subnet).
  • Page 439: Example Eight Subnets

    The following table shows class C IP address last octet values for each subnet (columns SUBNET and SUBNET ADDRESS). The following table is a summary for class “C” subnet planning. Lowest Host ID: 192.168.1.129; Highest Host ID: 192.168.1.190. Chart J-10 Subnet 4 NETWORK NUMBER 192.168.1.
  • Page 440: Subnetting With Class A And Class B Networks

    Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B”...
  • Page 441 Chart J-13 Class B Subnet Planning (the subnet and host counts follow the rule above: 2^borrowed subnets, 2^(host bits) - 2 hosts per subnet)
    NO. “BORROWED” HOST BITS   SUBNET MASK             NO. SUBNETS   NO. HOSTS PER SUBNET
    9                          255.255.255.128 (/25)   512           126
    10                         255.255.255.192 (/26)   1024          62
    11                         255.255.255.224 (/27)   2048          30
    12                         255.255.255.240 (/28)   4096          14
    13                         255.255.255.248 (/29)   8192          6
    14                         255.255.255.252 (/30)   16384         2
    15                         255.255.255.254 (/31)   32768         0
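The subnet arithmetic of Appendix J, worked as an added example that is not from the manual: the Python standard library's ipaddress module splits a network by a number of borrowed host bits and lists each subnet's network number, lowest and highest host ID and broadcast address as the charts above do, converts between dotted masks and the /prefix notation, and builds a Chart J-13 style planning table from the page's rule of 2^(host bits) - 2 hosts per subnet. The function names are mine.

```python
import ipaddress


def mask_to_prefix(mask):
    """255.255.255.192 -> 26 (the alternative subnet mask notation)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefix):
    """26 -> '255.255.255.192'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def usable_hosts(prefix):
    """The page's rule: 2^(host bits) - 2, since the all-zeros host ID is the
    subnet address and the all-ones host ID is the broadcast address."""
    host_bits = 32 - prefix
    return max(2 ** host_bits - 2, 0)


def subnet_plan(network, borrowed_bits):
    """Split `network` by borrowing `borrowed_bits` host bits; one row per subnet,
    numbered from 1 as in Charts J-5 to J-10."""
    net = ipaddress.ip_network(network, strict=True)
    rows = []
    for i, sub in enumerate(net.subnets(prefixlen_diff=borrowed_bits), start=1):
        rows.append({
            "subnet": i,
            "network_number": str(sub.network_address),
            "mask": f"{sub.netmask} (/{sub.prefixlen})",
            "lowest_host": str(sub.network_address + 1),
            "highest_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "hosts": usable_hosts(sub.prefixlen),
        })
    return rows


def planning_table(base_prefix, max_borrow=None):
    """Chart J-13 style summary for a classful network whose natural prefix is
    base_prefix (8, 16 or 24 for class A, B or C): for each number of borrowed
    host bits, the mask, the number of subnets and the hosts per subnet."""
    max_borrow = max_borrow or (31 - base_prefix)
    return [
        {
            "borrowed": b,
            "mask": f"{prefix_to_mask(base_prefix + b)} (/{base_prefix + b})",
            "subnets": 2 ** b,
            "hosts": usable_hosts(base_prefix + b),
        }
        for b in range(1, max_borrow + 1)
    ]


if __name__ == "__main__":
    for row in subnet_plan("192.168.1.0/24", 2):
        print(row)
    for row in planning_table(16)[8:]:
        print(row)
```

Running the block reproduces the four-subnet class C example (subnet 3 spans 192.168.1.129 to 192.168.1.190) and the /25 to /31 rows of Chart J-13 for a class B network. The strict=True argument makes ip_network reject a network string with host bits set, which catches a mistyped network number before it is turned into firewall or routing entries.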
  • Page 442: Appendix K Safety Warnings And Instructions

    Refer all servicing to qualified service personnel. 10. Generally, when installed after the final configuration, the product must comply with the applicable safety standards and regulatory requirements of the country in which it is installed. If necessary, consult the appropriate regulatory agencies and inspection authorities to ensure compliance.
  • Page 443 Firmly, but gently, push the fuse housing back into the ZyWALL 100 until you hear a click. Step 4. Plug the power cord back into the unit. Removing and Installing a ZyWALL 100 Fuse. Appendix L Fuse...
  • Page 445 Command and Log Appendices Part XII: Command and Log Appendices This part provides information on the command line interface, firewall and NetBIOS commands and logs and password protection.
  • Page 447: Command Interpreter

    A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. ...possibly render it unusable.
  • Page 448: Appendix N Firewall Commands

    The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart N-1 Firewall Commands (FUNCTION / COMMAND):
    config edit firewall active <yes | no>
    config retrieve firewall
    config save firewall
    config display firewall
    config display firewall set <set #>
    config display firewall set <set #>...
  • Page 449 ...<0-23>
    config edit firewall e-mail minute <0-59>
    Chart N-1 Firewall Commands, descriptions on this page: "This command shows all of the e-mail settings." "This command shows all of the available firewall sub commands."
  • Page 450: Firewall Commands

    config edit firewall attack send-alert <yes | no>
    config edit firewall attack block <yes | no>
    config edit firewall attack block-minute <0-255>
    config edit firewall attack minute-high <0-255>
    config edit firewall attack minute-low <0-255>
    config edit firewall attack max-incomplete-high <0-255>...
  • Page 451 ...<yes | no>
    config edit firewall set <set #> rule <rule #> permit <forward | block>
    Chart N-1 Firewall Commands, description on this page: "This command sets a name to identify a specified set."
  • Page 452 config edit firewall set <set #> rule <rule #> active <yes | no>
    config edit firewall set <set #> rule <rule #> protocol <integer protocol value>
    config edit firewall set <set #> rule <rule #> log <none | match | not-match | both>...
  • Page 453 ...<set #> rule <rule #>
    Chart N-1 Firewall Commands, description on this page: "This command sets a rule to have the ZyWALL check for traffic going to this range of addresses."
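An added example of a command interpreter session, not taken from the manual, built only from the commands listed in Chart N-1 above. It assumes the retrieve, edit, display, save order that the chart's separate retrieve and save commands imply; the set and rule numbers, the protocol value 6 (TCP) and the attack thresholds are assumed values chosen for illustration, and the ras> prompt is the one shown in the log command example later in this part.

```console
ras> config retrieve firewall
ras> config edit firewall active yes
ras> config edit firewall attack send-alert yes
ras> config edit firewall attack block yes
ras> config edit firewall attack block-minute 5
ras> config edit firewall attack minute-high 100
ras> config edit firewall attack minute-low 80
ras> config edit firewall attack max-incomplete-high 100
ras> config edit firewall set 2 rule 1 active yes
ras> config edit firewall set 2 rule 1 protocol 6
ras> config edit firewall set 2 rule 1 permit block
ras> config edit firewall set 2 rule 1 log both
ras> config display firewall set 2
ras> config save firewall
```

Two points worth checking in a real session: display the set before saving, so that a typo in the set or rule number is caught while the change is still only in the edit buffer, and always finish with config save firewall, since the chart lists saving as a separate step from editing. Logging both matching and non-matching packets (log both) is useful while a new rule is being tuned and can be reduced to match once its behaviour is confirmed.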
  • Page 455: Netbios Filter Commands

    Allow or disallow the sending of NetBIOS packets through VPN connections. • Allow or disallow NetBIOS packets to initiate calls. Display NetBIOS Filter Settings. Syntax: sys filter netbios disp
  • Page 456 Syntax: sys filter netbios disp. This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ (Diagram O-1 NetBIOS Display Filter Settings Command Without DMZ Example; the output starts with the banner "=============== NetBIOS Filter Status ==============="). On a ZyWALL that has DMZ, the same command gives a read-only list of the current NetBIOS filter modes including the DMZ directions.
  • Page 457: Netbios Filter Configuration

    NetBIOS filter types (continued): 3 = WAN to DMZ; 4 = DMZ to LAN; 5 = DMZ to WAN; 6 = IPSec packet pass through; 7 = Trigger Dial. (The chart's EXAMPLE column shows Forward for each direction.)
  • Page 458 <on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection.
  • Page 459: Boot Commands

    Most other commands aid in advanced troubleshooting and should only be used by qualified engineers. ATSE displays the seed that is used to generate a password to turn on the...
  • Page 460 Boot commands:
    ...just answer OK
    ATHE print help
    ATBAx change baudrate (1: 38.4k, 2: 19.2k, 3: 9.6k, 4: 57.6k, 5: 115.2k)
    ATENx,(y) set BootExtension Debug Flag (y = password)
    ATSE show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show current time
    ATDA(y,m,d) change system date to year/month/day or show current date
    ATDS dump RAS stack
    ATDT...
  • Page 461: Appendix Q Log Descriptions

    Log messages: WEB Login Fail; TELNET Login Successfully. Chart Q-1 System Error Logs, description: "This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host."
  • Page 462 Log messages: TELNET Login Fail; FTP Login Successfully; FTP Login Fail; NAT Session Table is Full!; UPnP pass through Firewall. Content filter log messages (CATEGORY / LOG MESSAGE): URLFOR IP/Domain Name; URLBLK IP/Domain Name; JAVBLK IP/Domain Name. Attack log messages: attack TCP; attack UDP. Chart Q-2 System Maintenance Logs, description: "Someone has failed to log on to the router via telnet."
  • Page 463 Attack log messages (continued): ... - WAN; ICMP (type:%d, code:%d); icmp echo ICMP (type:%d, code:%d). Chart Q-5 Attack Logs, descriptions: The firewall detected an IGMP attack. The firewall detected an ESP attack. The firewall detected a GRE attack.
  • Page 464 Chart Q-5 Attack Logs, messages: syn flood TCP; ports scan TCP; teardrop TCP; teardrop UDP; teardrop ICMP (type:%d, code:%d); illegal command TCP; NetBIOS TCP; ip spoofing - no routing entry TCP; ip spoofing - no routing entry UDP; ip spoofing - no routing entry IGMP; ip spoofing - no routing entry ESP; ip spoofing - no...
  • Page 465 Access log message: ICMP (set:%d, rule:%d, type:%d, code:%d). Chart Q-6 Access Logs, description: "TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration."
  • Page 466 Chart Q-6 Access Logs, messages: Firewall rule match: IGMP (set:%d, rule:%d); Firewall rule match: ESP (set:%d, rule:%d); Firewall rule match: GRE (set:%d, rule:%d); Firewall rule match: OSPF (set:%d, rule:%d); Firewall rule match: (set:%d, rule:%d); Firewall rule NOT match: TCP (set:%d, rule:%d); Firewall rule NOT match: UDP (set:%d, rule:%d); Firewall rule NOT...
  • Page 467 Chart Q-6 Access Logs, messages: Filter match DROP <set %d/rule %d> (one entry per protocol). Descriptions: OSPF access did not match the listed firewall rule and the ZyWALL logged it. Access did not match the listed firewall rule and the ZyWALL logged it. TCP access matched a default filter policy and the ZyWALL dropped the packet to block access.
  • Page 468 Chart Q-6 Access Logs, messages: Filter match DROP <set %d/rule %d> and Filter match FORWARD <set %d/rule %d>, one entry per protocol...
  • Page 469 ACL set directions: LAN to LAN/ZyWALL; WAN to WAN/ZyWALL. Chart Q-6 Access Logs, descriptions: The firewall sent out TCP reset packets. The router blocked a packet that did not have a corresponding NAT table entry.
  • Page 470 ACL SET DIRECTION NUMBER: DMZ to DMZ/ZyWALL. Chart Q-8 ICMP Notes (TYPE / CODE / DESCRIPTION): Type 0 Echo Reply: Echo reply message. Type 3 Destination Unreachable: code 0 Net unreachable; code 1 Host unreachable; code 2 Protocol unreachable; code 3 Port unreachable; code 4 A packet that needed fragmentation was dropped because it was set to Don't...
  • Page 471 To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection. Chart Q-8 ICMP Notes (continued)...
  • Page 472: Log Descriptions

    The following figure shows a typical log from the VPN connection peer (a listing with Index and Date/Time columns whose entries run from 01 Jan 08:08:07 to 01 Jan 08:08:10).
  • Page 473 The following table shows sample log messages during IKE key exchange. Chart Q-10 Sample IKE Key Exchange Logs, messages: Send <Symbol> Mode request to <IP>; Recv <Symbol> Mode request from <IP>...
  • Page 474 Chart Q-10 Sample IKE Key Exchange Logs (continued), messages: !! Remote IP <IP start> / <IP end> conflicts; !! Active connection allowed exceeded; !! IKE Packet Retransmit; !! Failed to send IKE Packet; !! Too many errors! Deleting SA; !! Phase 1 ID type mismatch...
  • Page 475 Chart Q-10 Sample IKE Key Exchange Logs (continued), message: vs. My Local <IP address> -> <symbol> Error ID Info. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key is... The following table shows sample log messages during packet transmission.
  • Page 476 Chart Q-11 Sample IPSec Logs During Packet Transmission, message: Rule <#d> idle time out, disconnect. The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart Q-12 RFC-2408 ISAKMP Payload Types: PROP; TRANS; CER_REQ...
  • Page 477: Log Commands

    Use the sys logs display command to show all of the logs in the ZyWALL’s log. Use the sys logs category display command to show the log settings for all of the log categories (each category setting takes one of the values 0, 1, 2, 3).
  • Page 478: Log Command Example

    ...3
    ras> sys logs save
    ras> sys logs display access
    .time notes message
    0|11/11/2002 15:10:12 |172.22.3.80:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    1|11/11/2002 15:10:12 |172.21.4.17:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    2|11/11/2002 15:10:11 |172.17.2.1...
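Detection logic run over the sys logs display output above, as an added example that is neither ZyXEL's code nor from the manual. The sample lines are constructed in the layout of the quoted output; the destination column is an assumption, since the page's sample shows only the source. The parser extracts the notes, the protocol and the set and rule numbers from the "(set:%d, rule:%d)" suffix that Chart Q-6 describes, a summary counts hits per policy or rule, and the detector flags a source whose blocked attempts reach many distinct destination ports in a short window, which is the condition the "ports scan" attack log reports at a coarser level. Function names and thresholds are mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the `sys logs display` output quoted above:
# index | date time | source:port | destination:port | NOTES message.
# The destination column is an assumption; the page's sample shows only the source.
SAMPLE_LOG = """\
0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.3.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.4.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |172.17.2.1:3341 |192.168.1.1:21 |ACCESS BLOCK Firewall default policy: TCP(set:8)
3|11/11/2002 15:10:11 |172.17.2.1:3342 |192.168.1.1:22 |ACCESS BLOCK Firewall default policy: TCP(set:8)
4|11/11/2002 15:10:11 |172.17.2.1:3343 |192.168.1.1:23 |ACCESS BLOCK Firewall default policy: TCP(set:8)
5|11/11/2002 15:10:10 |172.17.2.1:3344 |192.168.1.1:25 |ACCESS BLOCK Firewall default policy: TCP(set:8)
6|11/11/2002 15:10:10 |172.17.2.1:3345 |192.168.1.1:80 |ACCESS BLOCK Firewall default policy: TCP(set:8)
7|11/11/2002 15:10:09 |10.0.0.5:1025 |192.168.1.10:80 |ACCESS FORWARD Firewall rule match: TCP (set:2, rule:1)
8|11/11/2002 15:09:40 |172.17.2.1:3346 |192.168.1.1:443 |ACCESS BLOCK Firewall default policy: TCP(set:8)
"""

LINE_RE = re.compile(
    r"^(?P<idx>\d+)\|(?P<time>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \|"
    r"(?P<src>[\d.]+):(?P<sport>\d+) \|(?P<dst>[\d.]+):(?P<dport>\d+) \|"
    r"(?P<notes>[A-Z]+(?: [A-Z]+)*) (?P<msg>.*)$"
)
# "Firewall default policy: UDP(set:8)" and "Firewall rule match: TCP (set:2, rule:1)"
MSG_RE = re.compile(
    r"^(?P<kind>Firewall (?:default policy|rule match|rule NOT match)): "
    r"(?P<proto>\w+) ?\((?P<ids>[^)]*)\)"
)


def parse_line(line):
    """One log row into a dict; set/rule are None when the message has no such id."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%m/%d/%Y %H:%M:%S")
    for key in ("idx", "sport", "dport"):
        e[key] = int(e[key])
    e["kind"] = e["proto"] = e["set"] = e["rule"] = None
    mm = MSG_RE.match(e["msg"])
    if mm:
        e["kind"], e["proto"] = mm["kind"], mm["proto"]
        ids = dict(re.findall(r"(set|rule):(\d+)", mm["ids"]))
        e["set"] = int(ids["set"]) if "set" in ids else None
        e["rule"] = int(ids["rule"]) if "rule" in ids else None
    return e


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(entries):
    """Hits per (notes, set, rule): shows which policy or rule is doing the work."""
    return Counter((e["notes"], e["set"], e["rule"]) for e in entries)


def detect_port_scans(entries, min_ports=5, window_seconds=60):
    """Sources whose blocked attempts hit at least min_ports distinct destination
    ports within window_seconds; returns {source: sorted ports}."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in entries:
        if e["notes"] == "ACCESS BLOCK":
            by_src[e["src"]].append((e["time"], e["dport"]))
    flagged = defaultdict(set)
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] |= ports
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    print(detect_port_scans(parsed))
```

The rows come out of the device newest first (index 0 is the latest entry), so the detector sorts by time before applying the window rather than trusting the index order. The two NetBIOS broadcasts (ports 137 and 138) stay under the threshold, while 172.17.2.1 is reported once the window is wide enough to join the 443 attempt to the burst against ports 21 to 80.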
  • Page 479 Brute-Force Password Guessing Protection. sys pwderrtm: This command displays the brute-force guessing password protection settings. sys pwderrtm 0: This command turns off the password’s protection from brute-force guessing. sys pwderrtm N (example: sys pwderrtm 5).
  • Page 481 Part XIII: Index. This part provides an index of key terms.
  • Page 483 10/100 Mbps Ethernet WAN ... 1-3 Access Point... 6-12 Action for Matched Packets ... 16-13 Active...5-7, 5-10, 10-2 Ad-hoc Configuration ... 17 Allocated Budget ...5-8, 10-5 Alternative Subnet Mask Notation... 44 Application-level Firewalls... 13-1 Applications ... 1-7 AT command ...5-3, 5-5, 22-2 Attack Alert...15-2, 15-4, 15-5...
  • Page 484 Call History... 23-4 Call Scheduling... 1-5, 27-1 maximum number of schedule sets... 27-1 PPPoE ... 27-3 Precedence ... 27-1 Call-Triggering Packet ... 21-10 CDR... 21-7 Changing the Password... 3-7 Channel ID... 6-13 CHAP ... 5-8, 10-5 Class Name ... 25-14 Classes of IP Addresses ...42...
  • Page 485 DMZ 10M LED ... 2-2 DMZ Port Connections ... 2-6 DMZ Setup... 8-1 DNS ...4-1, 6-2, 24-2 Primary Server ... 6-7 Secondary Server ... 6-7 Server Address... 6-2 Domain Name... 4-1, 12-15, 21-4 Basics...
  • Page 486 ESS ... See Extended Service Set ESS ID ... 6-10 ESSID ... 6-12 Ethernet Cable Pin Assignments...30 Ethernet Encapsulation 5-4, 9-1, 10-2, 10-6, 10-7, 10-11, 12-14 Ethernet Specification for DMZ ...28 Ethernet Specification for WAN...28 Extended Service Set ...18 Extended Service Set IDentification... 6-12 Factory Default ...
  • Page 487 Gateway IP Addr... 10-7 Gateway IP Address...9-2, 11-3 General Setup... 4-1 General Specifications ... 28 Global... 12-1 Half-Open Sessions ... 15-3 Hardware Installation... 2-1 Hardware Requirements ... 2-8 Hidden Menus... 3-2 Hidden Node problem... 6-10 Host...
  • Page 488 Internet Assigned Numbers Authority .. See IANA Internet Control Message Protocol (ICMP) ... 13-6 Internet Security Gateway ... 1-1 IP address... 5-8, 5-11 IP Address... 6-3, 6-7, 6-9, 9-2, 10-7, 26-3 Remote... 5-11, 10-9 IP Address Assignment... 10-7, 10-9 IP Address Assignment... 9-2 IP Addressing ...42...
  • Page 489 Maximum Incomplete Low ... 15-6 Max-incomplete High ... 15-3 Max-incomplete Low... 15-3, 15-6 Mean Time Between Failures ...28 Metric... 5-6, 5-12, 10-5, 10-8, 10-10, 11-3 MSDU... 6-13 MTBF ... See Mean Time Between Failures Multicast ...5-12, 6-8, 10-8, 10-10 My IP Addr... 10-6 My Login ...
  • Page 490 Power Consumption ... 28 Power Current... 28 Power Specification... 28 PPP ...5-9 PPP log ...21-8 PPPoE... 1-5, 9-4 PPPoE Encapsulation ...9-1, 9-4, 9-5, 10-2, 10-3, 10-5, 10-11, 10-12 PPTP...9-2, 25 Client ...9-3 Configuring a Client ...9-3 PPTP Encapsulation ... 1-5, 9-2, 10-5...
  • Page 491 Precedence ... 26-2, 26-5 Priority ... 25-15 Priority-based Scheduler ... 25-5 Private ...5-12, 6-3, 6-4, 10-8, 10-10, 11-4 Private IP Addresses ... 6-3 Proportional Bandwidth Allocation ... 25-2 Protocol Filters... 6-9 Incoming ... 6-9 Outgoing ... 6-9 Public Servers ... 8-1 PWR LED ...
  • Page 492 Source-Based Routing ...26-1 Stateful Inspection ...1-4, 13-1, 13-2, 13-7, 13-8 Process...13-8 ZyWALL ...13-9 Straight-through Cable ...2-7 SUA (Single User Account) ... See NAT SUA Only... See NAT Sub-class Layers...25-12 Subnet Mask 5-11, 6-3, 6-7, 9-2, 10-7, 10-9, 11-3, 16-15...
  • Page 493 System Status ... 21-1 System Timeout ... 24-5 TCP Maximum Incomplete...15-4, 15-6, 15-7 TCP Security... 13-10 TCP/IP 5-11, 6-2, 6-5, 6-7, 8-2, 10-7, 10-11, 13-3, 13-4, 19-6, 19-7, 19-9, 19-12, 19-16, 24-1 Setup ... 6-7 TCP/IP and DHCP Setup ... 6-6 TCP/IP filter rule...
  • Page 494 Wireless LAN Setup...6-11 Wireless Modem...2-6 WLAN... See Wireless LAN WLAN LED ...2-2 www.dyndns.org ... 4-1, 4-4 xDSL Modem ... 1-7, 2-6, 2-8, 10-4, 3 Xmodem File Upload ...22-17 XMODEM Protocol ...22-2 XMODEM upload...3-8 ZyNOS ... 5-1, 21-3, 21-4, 22-2...
  • Page 495 ZyNOS F/W Version ...21-3, 21-4, 22-2 ZyXEL’s Firewall ZyWALL Firewall Application... 13-3 Introduction ... 13-2 ZyWALL Web Configurator... 15-1
