ZyXEL Communications Internet Security Gateway 10~100 Series Reference Manual
ZyWALL 10~100 Series
Internet Security Gateway
Reference Guide
Versions 3.52, 3.60 and 3.61
March 2003

Summary of Contents for ZyXEL Communications Internet Security Gateway 10~100 Series

  • Page 2: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference. (2) This device must accept any interference received, including interference that may cause undesired operation.
  • Page 4: Information For Canadian Users

    Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Zyxel Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
  • Page 6: Customer Support

    +45-3955-0700 www.zyxel.dk +45-3955-0707 ftp.zyxel.dk +49-2405-6909-0 www.zyxel.de +49-2405-6909-99 REGULAR MAIL ZyXEL Communications Corp., 6 Innovation Road II, Science- Based Industrial Park, Hsinchu 300, Taiwan ZyXEL Communications Inc., 1650 Miraloma Avenue, Placentia, CA 92870, U.S.A. ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark ZyXEL Deutschland GmbH.
  • Page 7: Table Of Contents

    Copyright...ii Federal Communications Commission (FCC) Interference Statement... iii Information for Canadian Users ...iv ZyXEL Limited Warranty ...v Customer Support ...vi List of Diagrams...ix List of Charts ...x Preface ...xii General Information ... I Chapter 1 Setting up Your Computer’s IP Address ... 1-1 Chapter 2 Triangle Route...
  • Page 8 Index ... A
  • Page 9: List Of Diagrams

    List of Diagrams Diagram 2-1 Ideal Setup ... 2-1 Diagram 2-2 “Triangle Route” Problem ... 2-2 Diagram 2-3 IP Alias... 2-2 Diagram 2-4 Gateways on the WAN Side... 2-3 Diagram 3-1 Big Picture— Filtering, Firewall, VPN and NAT ... 3-1 Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network...
  • Page 10: List Of Charts

    List of Charts Chart 8-1 Classes of IP Addresses ...8-1 Chart 8-2 Allowed IP Address Range By Class ...8-2 Chart 8-3 “Natural” Masks ...8-2 Chart 8-4 Alternative Subnet Mask Notation...8-3 Chart 8-5 Subnet 1 ...8-4 Chart 8-6 Subnet 2 ...8-4 Chart 8-7 Subnet 1 ...8-5 Chart 8-8 Subnet 2 ...8-5...
  • Page 11 Chart 13-11 Sample IPSec Logs During Packet Transmission ... 13-15 Chart 13-12 RFC-2408 ISAKMP Payload Types... 13-16 Chart 13-13 Log Categories and Available Settings... 13-17 Chart 14-1 Brute-Force Password Guessing Protection Commands... 14-1
  • Page 12: Preface

    About Your ZyWALL Congratulations on your purchase of the ZyWALL Security Gateway. About This User's Manual This manual is designed to provide background information on some of the ZyWALL’s features. It also includes commands for use with the command interpreter. This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL.
  • Page 13: Syntax Conventions

    Syntax Conventions • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. •...
  • Page 15: General Information

    General Information Part I: General Information This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.
  • Page 17: Chapter 1 Setting Up Your Computer's Ip Address

    Chapter 1 Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 18 The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
  • Page 19 Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Click the DNS Configuration tab.
  • Page 20 Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
  • Page 21 For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 22 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically. -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 23 -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 24 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 25 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 26: Macintosh Os X

    For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. Close the TCP/IP Control Panel.
  • Page 27 Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. For statically assigned settings, do the following: -From the Configure box, select Manually.
  • Page 29: Chapter 2 Triangle Route

    The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. The “Triangle Route”...
  • Page 30: Diagram 2-2 "Triangle Route" Problem

    The “Triangle Route” Solutions This section presents two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces, with the ZyWALL being the gateway for each logical network.
  • Page 31: Diagram 2-4 Gateways On The Wan Side

    Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 33: Chapter 3 The Big Picture

    Chapter 3 The Big Picture The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram 3-1 Big Picture— Filtering, Firewall, VPN and NAT
  • Page 35: Chapter 4 Wireless Lan And Ieee 802.11

    Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 36 The IEEE 802.11 specification defines three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4835 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
  • Page 37: Diagram 4-1 Peer-To-Peer Communication In An Ad-Hoc Network

    Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
  • Page 38: Diagram 4-2 Ess Provides Campus-Wide Coverage

    could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram 4-2 ESS Provides Campus-Wide Coverage
  • Page 39: Chapter 5 Wireless Lan With Ieee 802.1X

    Chapter 5 Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for security. The IEEE 802.11b wireless access standard, first published in 1999, based access control on the client's MAC address; because MAC addresses are sent in the clear and are trivially spoofed, this identifies a network card, not a user, and keeps out only casual intruders.
  • Page 40: Diagram 5-1 Sequences For Eap Md5-Challenge Authentication

    • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139; since revised as RFC 2865, 2866) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2284; since revised as RFC 3748) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
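    The EAP MD5-Challenge sequence of Diagram 5-1, shown as an added Python example that is not code from this guide or from ZyXEL. The packet layout (Code, Identifier, Length, Type, Value-Size, Value) and the response computation MD5(Identifier || password || challenge) follow EAP and CHAP; the identifier, password, challenge and word list are constructed sample values. The last function shows the practical caveat: because the exchange is unencrypted on the air, one sniffed request/response pair is enough to test password guesses offline, which is why EAP-MD5 should not be used on a WLAN without a further protected tunnel.

```python
"""EAP MD5-Challenge between a supplicant and an authenticator, and its offline-guessing weakness."""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4          # EAP Type 4 = MD5-Challenge


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The 16-byte Value a supplicant puts in its MD5-Challenge Response."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap(code: int, identifier: int, value: bytes) -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_eap(pkt: bytes):
    """Return (code, identifier, value); reject packets whose length fields disagree."""
    if len(pkt) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = pkt[0], pkt[1]
    if int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an MD5-Challenge packet")
    value = pkt[6:6 + pkt[5]]
    if len(value) != pkt[5]:
        raise ValueError("truncated Value")
    return code, identifier, value


def authenticator_challenge(identifier: int):
    """Authenticator (AP/RADIUS side) picks a fresh random challenge and sends it in a Request."""
    challenge = os.urandom(16)
    return challenge, build_eap(EAP_REQUEST, identifier, challenge)


def supplicant_respond(request: bytes, secret: bytes) -> bytes:
    """Wireless client answers the Request with MD5(Identifier || secret || challenge)."""
    code, identifier, challenge = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    return build_eap(EAP_RESPONSE, identifier, md5_challenge_value(identifier, secret, challenge))


def authenticator_verify(response: bytes, identifier: int, challenge: bytes, secret: bytes) -> bool:
    """Authenticator recomputes the value from the stored secret and compares in constant time."""
    code, ident, value = parse_eap(response)
    expected = md5_challenge_value(identifier, secret, challenge)
    return code == EAP_RESPONSE and ident == identifier and hmac.compare_digest(value, expected)


def run_exchange(server_secret: bytes, client_secret: bytes, identifier: int = 0x2A):
    """Drive one challenge/response round; returns (accepted, challenge, response_packet)."""
    challenge, request = authenticator_challenge(identifier)
    response = supplicant_respond(request, client_secret)
    return authenticator_verify(response, identifier, challenge, server_secret), challenge, response


def offline_guess(captured_response: bytes, challenge: bytes, wordlist):
    """What a sniffer can do with one captured pair: test guesses without touching the network."""
    _, identifier, value = parse_eap(captured_response)
    for guess in wordlist:
        if md5_challenge_value(identifier, guess, challenge) == value:
            return guess
    return None


if __name__ == "__main__":
    # constructed sample password and word list
    ok, chal, resp = run_exchange(b"s3cret-passw0rd", b"s3cret-passw0rd")
    print("authenticator accepted:", ok)
    print("offline guess from the sniffed pair:", offline_guess(resp, chal, [b"password", b"s3cret-passw0rd"]))
```

    The authenticator never sends the password and the supplicant never sees the stored secret, which is the point of a challenge/response scheme; the weakness is entirely in the dictionary search at the end, which runs at MD5 speed against a captured pair.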
  • Page 41: Chapter 6 Pppoe

    PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 42: Diagram 6-2 Zywall As A Pppoe Client

    How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 43: Chapter 7 Pptp

    Chapter 7 PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 44: Diagram 7-2 Pptp Protocol Overview

    PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
  • Page 45: Diagram 7-3 Example Message Exchange Between Pc And An Ant

    Diagram 7-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702; PPTP uses the enhanced GRE header defined in RFC 2637). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
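    How a PNS or PAC tells the calls in one tunnel apart, as an added Python example that is not code from this guide or from ZyXEL. It builds and parses the enhanced GRE header of RFC 2637 (flags/version word, Protocol Type 0x880B, Key split into Payload Length and Call ID, optional Sequence and Acknowledgment numbers) and then demultiplexes a constructed set of PPP frames by Call ID. The PPP payloads are constructed sample bytes.

```python
"""Enhanced GRE (PPTP data channel): build, validate and demultiplex PPP frames by Call ID."""
import struct
from collections import defaultdict

GRE_PROTO_PPP = 0x880B            # Protocol Type for PPP in GRE (RFC 2637)
FLAG_C, FLAG_R, FLAG_K, FLAG_S, FLAG_A = 0x8000, 0x4000, 0x2000, 0x1000, 0x0080
VER_MASK, VERSION_PPTP = 0x0007, 1


def build_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Encapsulate one PPP frame for the tunnel call identified by call_id."""
    word = FLAG_K | VERSION_PPTP      # Key present (payload length + Call ID), version 1
    if seq is not None:
        word |= FLAG_S                # Sequence Number present
    if ack is not None:
        word |= FLAG_A                # Acknowledgment Number present
    hdr = struct.pack("!HHHH", word, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def _u32(pkt: bytes, off: int) -> int:
    if len(pkt) < off + 4:
        raise ValueError("GRE optional field truncated")
    return struct.unpack("!I", pkt[off:off + 4])[0]


def parse_pptp_gre(pkt: bytes) -> dict:
    """Validate the header and return call_id, seq, ack and the PPP payload."""
    if len(pkt) < 8:
        raise ValueError("GRE header truncated")
    word, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"not PPP-in-GRE (protocol 0x{proto:04x})")
    if (word & VER_MASK) != VERSION_PPTP or word & (FLAG_C | FLAG_R) or not word & FLAG_K:
        raise ValueError("not an enhanced GRE (PPTP) header")
    off, seq, ack = 8, None, None
    if word & FLAG_S:
        seq, off = _u32(pkt, off), off + 4
    if word & FLAG_A:
        ack, off = _u32(pkt, off), off + 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("Payload Length disagrees with packet size")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def demux_calls(packets):
    """Group PPP frames by Call ID, in sequence order; pure acks (no S flag) carry no data."""
    calls = defaultdict(list)
    for pkt in packets:
        g = parse_pptp_gre(pkt)
        if g["seq"] is not None:
            calls[g["call_id"]].append((g["seq"], g["payload"]))
    return {cid: [p for _, p in sorted(frames)] for cid, frames in calls.items()}


if __name__ == "__main__":
    # constructed PPP frames: address/control 0xff 0x03, then LCP (0xc021) or IPCP (0x8021) Configure-Request
    lcp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
    ipcp = b"\xff\x03\x80\x21\x01\x01\x00\x04"
    tunnel = [build_pptp_gre(7, ipcp, seq=2), build_pptp_gre(7, lcp, seq=1), build_pptp_gre(9, lcp, seq=1, ack=5)]
    for cid, frames in demux_calls(tunnel).items():
        print(f"call {cid}: {len(frames)} PPP frame(s)")
```

    The checks on the flag word matter on a firewall: plain GRE (RFC 1701) and PPTP's enhanced GRE share IP protocol 47, and the attack log entries "attack GRE" and "land GRE" in Chapter 13 refer to that protocol number, so a parser that accepts any protocol-47 packet as PPTP will mis-attribute traffic.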
  • Page 47: Chapter 8 Ip Subnetting

    IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 48: Subnet Masks

    A class “B” address (16 host bits) can have 2^16 - 2, or 65,534, hosts. A class “A” address (24 host bits) can have 2^24 - 2, or 16,777,214, hosts. Since the first bit of a class “A” IP address must be “0”, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 49 With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
  • Page 50 The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit.
  • Page 51 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
  • Page 52: Example Eight Subnets

    Subnet Address: 192.168.1.128, Broadcast Address: 192.168.1.191 (columns: IP Address, IP Address (Binary), Subnet Mask (Binary)). Subnet Address: 192.168.1.192, Broadcast Address: 192.168.1.255. Example Eight Subnets Similarly, use a 27-bit mask to create 8 subnets (000, 001, 010, 011, 100, 101, 110, 111). The following table shows class C IP address last octet values for each subnet (columns: SUBNET, SUBNET ADDRESS). The following table is a summary for class “C”...
  • Page 53: Subnetting With Class A And Class B Networks

    (Class “C” summary columns: NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET.) Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B”...
  • Page 54 Chart 8-13 Class B Subnet Planning (NO. “BORROWED” HOST BITS / SUBNET MASK / NO. SUBNETS / NO. HOSTS PER SUBNET), reconstructed from the surviving mask and subnet-count columns: 9 / 255.255.255.128 (/25) / 512 / 126; 10 / 255.255.255.192 (/26) / 1024 / 62; 11 / 255.255.255.224 (/27) / 2048 / 30; 12 / 255.255.255.240 (/28) / 4096 / 14; 13 / 255.255.255.248 (/29) / 8192 / 6; 14 / 255.255.255.252 (/30) / 16384 / 2; 15 / 255.255.255.254 (/31) / 32768 / none under the subnet-and-broadcast rule.
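    The subnet arithmetic of Chapter 8 (natural class from the leading bits, borrowing host bits, subnet address, directed broadcast and usable host range) as an added Python example that is not code from this guide or from ZyXEL. It reproduces the guide's 192.168.1.0 two-subnet and eight-subnet cases and generalizes to class A and B networks via the standard library's ipaddress module; the 172.16.0.0 network is a constructed example.

```python
"""Classful subnet planning: class, subnet table and address classification."""
import ipaddress


def classful(ip: str):
    """Class letter and natural prefix length from the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:   # 0xxxxxxx
        return "A", 8
    if first < 192:   # 10xxxxxx
        return "B", 16
    if first < 224:   # 110xxxxx
        return "C", 24
    if first < 240:   # 1110xxxx, multicast, not subnetted
        return "D", None
    return "E", None  # reserved


def subnet_plan(network: str, borrowed_bits: int):
    """Split network by turning borrowed_bits of host ID into network number bits.

    Each row carries the subnet address, mask, directed broadcast and the usable host range,
    following the rule that the all-zeros and all-ones host IDs are not assigned to hosts.
    """
    net = ipaddress.ip_network(network, strict=True)
    if not 0 <= borrowed_bits <= net.max_prefixlen - net.prefixlen:
        raise ValueError("cannot borrow that many host bits")
    rows = []
    for sub in net.subnets(new_prefix=net.prefixlen + borrowed_bits):
        usable = sub.num_addresses - 2
        rows.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "prefix": sub.prefixlen,
            "broadcast": str(sub.broadcast_address),
            "first_host": str(sub.network_address + 1) if usable > 0 else None,
            "last_host": str(sub.broadcast_address - 1) if usable > 0 else None,
            "usable_hosts": max(usable, 0),
        })
    return rows


def classify(ip: str, network: str, borrowed_bits: int) -> str:
    """Say whether ip is a host, the subnet address or the directed broadcast of its subnet."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.ip_network(network, strict=True)
    for sub in net.subnets(new_prefix=net.prefixlen + borrowed_bits):
        if addr in sub:
            if addr == sub.network_address:
                return "subnet address"
            if addr == sub.broadcast_address:
                return "directed broadcast"
            return f"host in {sub}"
    return "outside network"


if __name__ == "__main__":
    for row in subnet_plan("192.168.1.0/24", 1):          # the guide's two-subnet example
        print(row["subnet"], row["mask"], row["first_host"], "-", row["last_host"], row["broadcast"])
    for row in subnet_plan("192.168.1.0/24", 3):          # the guide's eight-subnet example
        print(row["subnet"], "/", row["prefix"])
    print(classful("172.16.0.1"), len(subnet_plan("172.16.0.0/16", 9)), "class B /25 subnets")
```

    The directed-broadcast row is the one that matters for firewall rules: a rule that is meant to admit "the whole subnet" with srcaddr-subnet still admits packets addressed to the subnet's broadcast address, which is what the "land" and amplification attack logs in Chapter 13 are about, so the broadcast address is worth excluding explicitly.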
  • Page 55: Command And Log Information

    Command and Log Information Part II: Command and Log Information This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs and password protection.
  • Page 57: Chapter 9 Command Interpreter

    The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and ... Command Syntax: The command keywords are in courier new font.
  • Page 59: Chapter 10 Firewall Commands

    The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart 10-1 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION): config edit firewall active <yes | no>; config retrieve firewall; config save firewall; config display firewall; config display firewall set <set #>; config display firewall set <set #>...
  • Page 60 config display firewall attack; config display firewall e-mail; config display firewall ?; config edit firewall e-mail mail-server <ip address of mail server>; config edit firewall e-mail return-addr <e-mail address>; config edit firewall e-mail email-to <e-mail address>; config edit firewall e-mail policy <full | hourly | daily | weekly>...
  • Page 61 config edit firewall e-mail hour <0-23>; config edit firewall e-mail minute <0-59>; config edit firewall attack send-alert <yes | no>; config edit firewall attack block <yes | no>; config edit firewall attack block-minute <0-255>; config edit firewall attack minute-high <0-255>...
  • Page 62 config edit firewall attack minute-low <0-255>; config edit firewall attack max-incomplete-high <0-255>; config edit firewall attack max-incomplete-low <0-255>; config edit firewall attack tcp-max-incomplete <0-255>; config edit firewall set <set #> name <desired name>; config edit firewall set <set #> default-permit <forward | block>...
  • Page 63 config edit firewall set <set #> connection-timeout <seconds>; config edit firewall set <set #> fin-wait-timeout <seconds>; config edit firewall set <set #> tcp-idle-timeout <seconds>; config edit firewall set <set #> log <yes | no>; config edit firewall set <set #>...
  • Page 64 config edit firewall set <set #> rule <rule #> alert <yes | no>; config edit firewall set <set #> rule <rule #> srcaddr-single <ip address>; config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask>; config edit firewall set <set #>...
  • Page 65 config edit firewall set <set #> rule <rule #> TCP destport-single <port #>; config edit firewall set <set #> rule <rule #> TCP destport-range <start port #> <end port #>; config edit firewall set <set #> rule <rule #> UDP destport-single <port #>...
  • Page 66 config delete firewall set <set #> rule <rule #>: removes the specified rule in a firewall configuration set.
  • Page 67: Chapter 11 Netbios Filter Commands

    The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) traffic consists of TCP and UDP packets, many of them broadcasts, that let a computer find and communicate with other computers on a LAN. For some dial-up services such as PPPoE or PPTP, these NetBIOS broadcasts cause unwanted calls.
  • Page 68: Diagram 11-1 Netbios Display Filter Settings Command Without Dmz Example

    Syntax: sys filter netbios disp. This command gives a read-only list of the current NetBIOS filter modes (Diagram 11-1 NetBIOS Display Filter Settings Command Without DMZ Example shows the “=============== NetBIOS Filter Status ===============” output for a ZyWALL that does not have DMZ). On a ZyWALL that has DMZ, the same command lists the DMZ directions as well.
  • Page 69: Netbios Filter Configuration

    Chart 11-1 NetBIOS Filter Default Settings (NAME / DESCRIPTION): WAN to DMZ: displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ. DMZ to LAN: displays whether NetBIOS packets are blocked or forwarded from the DMZ to the LAN. DMZ to WAN: displays whether NetBIOS packets are blocked or forwarded from the DMZ to the WAN.
  • Page 70 <on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection.
  • Page 71: Chapter 12 Boot Commands

    The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. Because debug mode runs before ZyNOS and therefore before any password check, anyone with access to the console port can reach these commands; restrict physical access to the console. In debug mode you have access to a series of boot module commands, for example ATLC firmware) and...
  • Page 72: Diagram 12-2 Boot Module Commands

    just answer OK; ATHE print help; ATBAx change baudrate (1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k); ATENx,(y) set BootExtension Debug Flag (y=password); ATSE show the seed of password generator; ATTI(h,m,s) change system time to hour:min:sec or show current time; ATDA(y,m,d) change system date to year/month/day or show current date; ATDS dump RAS stack; ATDT...
  • Page 73: Chapter 13 Log Descriptions

    Log messages: %s exceeds the max. number of session per host!; Time calibration is successful; Time calibration failed; DHCP client gets %s; DHCP client IP expired; DHCP server assigns; SMT Login Successfully; SMT Login Fail; WEB Login Successfully; WEB Login Fail; TELNET Login Successfully...
  • Page 74: Chart 13-3 Upnp Logs

    Chart 13-2 System Maintenance Logs (continued): TELNET Login Fail (someone has failed to log on to the router via telnet); FTP Login Successfully; FTP Login Fail; NAT Session Table is Full!. Chart 13-3 UPnP Logs: UPnP pass through Firewall. Content filtering logs (CATEGORY / LOG MESSAGE): URLFOR IP/Domain Name; URLBLK IP/Domain Name; JAVBLK IP/Domain Name. Attack logs: attack TCP; attack UDP...
  • Page 75 attack IGMP; attack ESP; attack GRE; attack OSPF; attack ICMP (type:%d, code:%d); land TCP; land UDP; land IGMP; land ESP; land GRE; land OSPF; land ICMP (type:%d, code:%d); ip spoofing - WAN TCP; ip spoofing - WAN UDP; ip spoofing - WAN IGMP; ip spoofing - WAN ESP...
  • Page 76 syn flood TCP; ports scan TCP; teardrop TCP; teardrop UDP; teardrop ICMP (type:%d, code:%d); illegal command TCP; NetBIOS TCP; ip spoofing - no routing entry TCP; ip spoofing - no routing entry UDP; ip spoofing - no routing entry IGMP; ip spoofing - no routing entry ESP; ip spoofing - no...
  • Page 77: Chart 13-6 Access Logs

    Chart 13-6 Access Logs: Firewall default policy: TCP (set:%d); Firewall default policy: UDP (set:%d); Firewall default policy: ICMP (set:%d, type:%d, code:%d); Firewall default policy: IGMP (set:%d); Firewall default policy: ESP (set:%d); Firewall default policy: GRE (set:%d); Firewall default policy: OSPF (set:%d); Firewall default policy: (set:%d); Firewall rule match: TCP (set:%d, rule:%d)
  • Page 78 Firewall rule match: IGMP (set:%d, rule:%d); Firewall rule match: ESP (set:%d, rule:%d); Firewall rule match: GRE (set:%d, rule:%d); Firewall rule match: OSPF (set:%d, rule:%d); Firewall rule match: (set:%d, rule:%d); Firewall rule NOT match: TCP (set:%d, rule:%d); Firewall rule NOT match: UDP (set:%d, rule:%d); Firewall rule NOT...
  • Page 79 Firewall rule NOT match: OSPF (set:%d, rule:%d); Firewall rule NOT match: (set:%d, rule:%d); Filter default policy DROP! (one row per protocol); Filter default policy FORWARD! (one row per protocol)...
  • Page 80 Filter match DROP <set %d/rule %d> (one row per protocol); Filter match FORWARD <set %d/rule %d> (one row per protocol)...
  • Page 81: Chart 13-7 Acl Setting Notes

    Firewall sent TCP reset packets; Packet without a NAT table entry blocked; Out of order TCP handshake packet blocked; Drop unsupported/out-of-order ICMP; Router sent ICMP response packet (type:%d, code:%d). Chart 13-7 ACL Setting Notes (ACL SET NUMBER / DIRECTION): LAN to WAN; WAN to LAN; DMZ to LAN; DMZ to WAN; WAN to DMZ...
  • Page 82: Chart 13-8 Icmp Notes

    ACL SET DIRECTION (continued): DMZ to DMZ/ZyWALL. Chart 13-8 ICMP Notes (TYPE / CODE): 0 Echo Reply: echo reply message. 3 Destination Unreachable: 0 net unreachable; 1 host unreachable; 2 protocol unreachable; 3 port unreachable; 4 a packet that needed fragmentation was dropped because it was set to Don't Fragment (DF); 5 source route failed. 4 Source Quench...
  • Page 83: Chart 13-9 Sys Log

    8 Echo: echo message. 11 Time Exceeded: 0 time to live exceeded in transit; 1 fragment reassembly time exceeded. 12 Parameter Problem: 0 pointer indicates the error. 13 Timestamp: timestamp request message. 14 Timestamp Reply: timestamp reply message. 15 Information Request: information request message. 16 Information Reply: information reply message. Chart 13-9 Sys Log (LOG MESSAGE): Mon dd hr:mm:ss hostname src="<srcIP:srcPort>"...
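    Detection logic over the log messages of Charts 13-2 through 13-9, as an added Python example that is not code from this guide or from ZyXEL. The line layout follows Chart 13-9 (Mon dd hr:mm:ss hostname src="ip:port" ...); the dst=, msg=, note=, devID= and cat= fields after src= are assumed. SAMPLE_LOGS is constructed test data whose msg= texts are the chart entries. The example counts login failures per source (the condition Chapter 14's brute-force protection reacts to on the device itself), flags attack-category messages, and pulls set/rule numbers and ICMP type/code names out of the access logs.

```python
"""Triage ZyWALL syslog lines: login brute force, attack alerts and firewall hits."""
import re
from collections import Counter

HEAD_RE = re.compile(r'^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
LOGIN_FAIL_RE = re.compile(r'^(SMT|WEB|TELNET|FTP) Login Fail$')
ATTACK_RE = re.compile(
    r'^(attack|land|syn flood|ports scan|teardrop|illegal command|NetBIOS'
    r'|ip spoofing - WAN|ip spoofing - no routing entry) (TCP|UDP|IGMP|ESP|GRE|OSPF|ICMP)')
FIREWALL_RE = re.compile(
    r'^Firewall (default policy|rule match|rule NOT match): ?(\w*) ?'
    r'\(set:(\d+)(?:, rule:(\d+))?(?:, type:(\d+), code:(\d+))?\)$')

# A few (type, code) names from Chart 13-8, RFC 792 numbering.
ICMP_NAMES = {
    (0, 0): "Echo Reply", (3, 0): "Net unreachable", (3, 1): "Host unreachable",
    (3, 3): "Port unreachable", (3, 4): "Fragmentation needed but DF set",
    (4, 0): "Source Quench", (8, 0): "Echo", (11, 0): "TTL exceeded in transit",
}

# Constructed sample lines (addresses from the documentation ranges, devID made up).
SAMPLE_LOGS = """\
Jan 01 08:02:22 zywall src="203.0.113.9:2345" dst="192.0.2.1:23" msg="TELNET Login Fail" note="" devID="00a0c5123456" cat="System Maintenance"
Jan 01 08:02:25 zywall src="203.0.113.9:2346" dst="192.0.2.1:23" msg="TELNET Login Fail" note="" devID="00a0c5123456" cat="System Maintenance"
Jan 01 08:02:29 zywall src="203.0.113.9:2347" dst="192.0.2.1:80" msg="WEB Login Fail" note="" devID="00a0c5123456" cat="System Maintenance"
Jan 01 08:03:01 zywall src="198.51.100.7:0" dst="192.0.2.1:0" msg="syn flood TCP" note="DoS" devID="00a0c5123456" cat="Attacks"
Jan 01 08:03:05 zywall src="198.51.100.7:44001" dst="192.0.2.1:135" msg="Firewall default policy: TCP (set:2)" note="ACCESS BLOCK" devID="00a0c5123456" cat="Access Control"
Jan 01 08:03:09 zywall src="10.0.0.5:0" dst="192.0.2.77:0" msg="Firewall default policy: ICMP (set:1, type:3, code:4)" note="ACCESS FORWARD" devID="00a0c5123456" cat="Access Control"
Jan 01 08:04:00 zywall src="10.0.0.9:51000" dst="192.0.2.1:22" msg="Firewall rule match: TCP (set:2, rule:3)" note="ACCESS BLOCK" devID="00a0c5123456" cat="Access Control"
Jan 01 08:04:10 zywall src="10.0.0.9:1024" dst="192.0.2.1:23" msg="SMT Login Successfully" note="" devID="00a0c5123456" cat="System Maintenance"
"""


def parse_line(line: str):
    """Split one syslog line into timestamp, hostname and the key="value" fields."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m.group(1), "host": m.group(2)}
    rec.update(FIELD_RE.findall(m.group(3)))
    if "src" not in rec or "msg" not in rec:
        return None
    rec["src_ip"] = rec["src"].rsplit(":", 1)[0]   # drop the port for per-host counting
    return rec


def analyze(lines, fail_threshold: int = 3):
    """Return sources over the login-failure threshold, attack alerts and parsed firewall hits."""
    fails = Counter()
    attacks, firewall = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if LOGIN_FAIL_RE.match(msg):
            fails[rec["src_ip"]] += 1
        m = ATTACK_RE.match(msg)
        if m:
            attacks.append((rec["src_ip"], m.group(1), m.group(2)))
        m = FIREWALL_RE.match(msg)
        if m:
            verdict, proto, aset, rule, itype, icode = m.groups()
            hit = {"src": rec["src_ip"], "verdict": verdict, "proto": proto or "other",
                   "set": int(aset), "rule": int(rule) if rule else None, "note": rec.get("note", "")}
            if itype is not None:
                hit["icmp"] = ICMP_NAMES.get((int(itype), int(icode)), f"type {itype} code {icode}")
            firewall.append(hit)
    return {
        "brute_force": {ip: n for ip, n in fails.items() if n >= fail_threshold},
        "attacks": attacks,
        "firewall": firewall,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS.splitlines())
    print("login brute force:", result["brute_force"])
    print("attacks:", result["attacks"])
    for hit in result["firewall"]:
        print("firewall:", hit)
```

    Counting failures by source IP across all four login services (SMT, WEB, TELNET, FTP) together is deliberate: an attacker who rotates services to stay under a per-service lockout still shows up as one source.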
  • Page 84: Diagram 13-1 Example Vpn Initiator Ipsec Log

    Diagram 13-1 Example VPN Initiator IPSec Log (columns: Index, Date/Time, message; the extract keeps only the 01 Jan 08:02:22 to 08:02:26 timestamps and the closing prompt “Clear IPSec Log (y/n):”). VPN Responder IPSec Log The following figure shows a typical log from the VPN connection peer.
  • Page 85: Chart 13-10 Sample Ike Key Exchange Logs

    The following table shows sample log messages during IKE key exchange. Chart 13-10 Sample IKE Key Exchange Logs (LOG MESSAGE): Send <Symbol> Mode request to <IP> (two rows); Recv <Symbol> Mode request from <IP> (two rows)...
  • Page 86 !! Remote IP <IP start> / <IP end> conflicts; !! Active connection allowed exceeded; !! IKE Packet Retransmit; !! Failed to send IKE Packet; !! Too many errors! Deleting SA; !! Phase 1 ID type mismatch; !! Phase 1 ID content mismatch; !! No known phase 1 ID type found...
  • Page 87: Chart 13-11 Sample Ipsec Logs During Packet Transmission

    Chart 13-10 (continued): vs. My Local <IP address> -> <symbol> Error ID Info. The following table shows sample log messages during packet transmission. Chart 13-11 Sample IPSec Logs During Packet Transmission (LOG MESSAGE): !! WAN IP changed to <IP>; !! Cannot find IPSec SA; !! Cannot find outbound SA for rule <%d>...
  • Page 88: Chart 13-12 Rfc-2408 Isakmp Payload Types

    The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart 13-12 RFC-2408 ISAKMP Payload Types (LOG DISPLAY / PAYLOAD TYPE): SA Security Association; PROP Proposal; TRANS Transform; CER_REQ Certificate Request; HASH Hash; NONCE Nonce; NOTFY Notification...
  • Page 89: Chart 13-13 Log Categories And Available Settings

    Log Commands Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands). Configuring What You Want the ZyWALL to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
  • Page 90: Log Command Example

    Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. Use the sys logs clear command to erase all of the ZyWALL’s logs. Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results. ras>...
  • Page 91: Chart 14-1 Brute-Force Password Guessing Protection Commands

    Brute-Force Password Guessing The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure. Chart 14-1 Brute-Force Password Guessing Protection Commands (COMMAND / DESCRIPTION): sys pwderrtm; sys pwderrtm 0...
  • Page 93 Index Part III: Index This part provides an Index of key terms.
  • Page 95 Ad-hoc Configuration ... 4-2 Alternative Subnet Mask Notation... 8-3 Basic Service Set... 4-2 Big Picture ... 3-1 Bold Times font ...See Syntax Conventions Boot commands ... 12-1 Broadband Access Security Gateway ... xii BSS ... See Basic Service Set Canada ... iv Caution...
  • Page 96 Infrastructure Configuration ... 4-3 IP Addressing ... 8-1 IP Classes... 8-1 Log Descriptions... 13-1 Network Topology With RADIUS Server Example ... 5-2 Notice... iii Online Registration...v Packing List Card ...xii PPTP ... 7-1 Read Me First ...xii Related Documentation...xii Repairs ...v Replacement ...v Return Material Authorization Number...v RF signals ...
