1.4.2 Star Topology ... 55
1.4.3 Star-Mesh Mixed Topology ... 64
1.5 Access via Central Site ... 81
1.5.1 VPN Tunnel to Central Site (ZyWALL 70 to ZyWALL 1050) ... 81
1.6 Multiple Entry Point (MEP) ... 93
1.6.1 Deploying MEP ... 93
1.7 Device High Availability ... 132
1.7.1 Device HA ...
A03. What is the difference between "Admin Service Control" and "User Service Control" configuration in the GUI menu Configuration > System > WWW? ... 270
A04. Why does ZyWALL 1050 redirect me to the login page when I am performing management tasks in the GUI? ... 270
A05.
F04. What is the routing order of policy route, dynamic route, static route and direct-connect subnet table? ... 280
F05. Why can't ZyWALL 1050 ping an Internet host while a PC on the LAN side can browse Internet WWW? ... 280
F06.
GUI redirected to login page after I click a button/link? ... 294
M05. What is AAA? ... 295
M05. What are ldap-users and radius-users used for? ... 295
M06. What privileges will be given to ldap-users and radius-users? ... 295
All contents copyright (c) 2006 ZyXEL Communications Corporation.
O02. Why isn't the statistic data of "Report" exact? ... 298
O03. Does Report collect the traffic from/to ZyWALL itself? ... 298
O04. Why can't I see the connections from/to ZyWALL itself? ... 298
Typically, an administrator has to configure many site-to-site VPN connections to build a truly global VPN network. VPN connection management is made easy by the VPN concentrator. The VPN
VPN network with less effort but stronger security and management possibilities. For SMB customers, ZyXEL provides a total VPN solution from a personal client to a 500+ person firewall, where all of these devices have VPN connection capability.
There are two kinds of connection interface: static IP and dynamic DNS. Configure ZyWALL 1050 with a static IP address: the ZyWALL 1050 uses the static IP address for the VPN connection. The topology is shown in the following figure.
167.35.4.3. The Local ID Type and content are IP and 210.110.7.1; the Peer ID Type and content are IP and 167.35.4.3. 3) Repeat steps 1 and 2 to configure the remote ZyWALL 1050. Its Local ID Type & content and Peer ID Type & content are the reverse of those on the local ZyWALL 1050.
ZyWALL 1050 to send the traffic into the VPN tunnel when the traffic flows from the local subnet to a destination in the remote subnet. Switch to ZyWALL 1050 > Configuration > Policy > Route > Policy Route and add a new policy route. The source and destination addresses are the local and remote subnets.
peer-ip 167.35.4.3 0.0.0.0
authentication pre-share
keystring 123456789
local-id type ip 210.110.7.1
peer-id type ip 167.35.4.3
peer-id type ip 167.35.4.3
xauth type server default deactivate
group1
exit
3. Select the correct interface for the VPN connection.
4. The Local and Peer ID type and content must be mirrored between the two sides: each side's Local ID must be the other side's Peer ID.
5. Make sure the VPN policy route has been configured in ZyWALL 1050.
(Figure labels: Desktop users; Check Point VPN-1)
The ZyWALL 1050 can be placed as a VPN gateway at the central site. It can communicate with other ZyXEL VPN-capable products as well as VPN products from other major vendors in the network device industry, e.g. Cisco PIX/IOS VPN products, Check Point VPN Pro, ...
The existing ZyWALL 35 or 70 central office gateway can be replaced by a ZyWALL 1050, and the ZyWALL 35 or 70 moved to a remote office. The ZyWALL 1050 provides higher VPN throughput and handles multiple VPN tunnels at the same time. To show how to build a tunnel between a ZyWALL 5/35/70 and the ZyWALL 1050, we use a ZyWALL 70 as the example.
3) Log in to the ZyWALL 70 and go to Security > VPN > Gateway Policy, then add a new gateway policy to connect to the central office's ZyWALL 1050. My Address and Remote Gateway Address are the ZyWALL 70 and ZyWALL 1050 WAN IP addresses. The Pre-Shared Key configured on both sides must be exactly the same. Local ID Type &...
Route > Policy Route and add a new policy route: the source and destination addresses are the local and remote subnets and the Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop-down menu. Now, the VPN
9) After configuring both sides of the VPN, click the Dial up VPN tunnel icon to test VPN connectivity. 10) The message "VPN tunnel establishment successful" appears.
4. The Local and Peer ID type and content must be opposites, not the same content.
5. Make sure the VPN policy route has been set up in ZyWALL 1050.
(Figure label: LAN: 192.168.2.X)
The central office gateway ZyWALL 1050's interface and VPN settings are the same as in the previous example. If you jumped to this section first, please refer to 'ZyWALL 1050 to ZyWALL 70 VPN tunnel setting' on page 8.
4) Fill in the VPN phase 1 settings according to the table listed. We do not have to set up the ID type and content because the FortiGate accepts any peer ID. Make sure both the pre-shared key and the proposal are the same as in the ZyWALL 1050.
Advanced... button to edit the phase 2 proposal and the source and destination addresses. Please make sure the phase 2 proposal is the same as the ZyWALL 1050 phase 2 proposal.
Use the "Create New" button to create a new address object. 9) Switch to Firewall > Policy and click the "Insert Policy Before" icon to add a new policy for the VPN traffic from FortiGate to ZyWALL.
Schedule and service type are Always and ANY, so that all kinds of traffic can pass through the VPN tunnel at any time. Select "ACCEPT" as the action this time.
2. Make sure both the IKE and IPSec proposals are the same on the local and remote gateways.
3. Make sure the VPN policy route has been configured in ZyWALL 1050.
4. Make sure the firewall rule has been configured in FortiGate.
ZyWALL 1050 Support Notes
1.2.2.2 ZyWALL with NetScreen VPN Tunneling
This section describes how to set up a VPN connection between the ZyWALL 1050 and a NetScreen 5GT. As shown in the figure below, the tunnel between the central and remote offices ensures that the packet flows between them are secure.
VPN traffic routing. Refer to the previous scenario or the user guide for help on setting up the ZyWALL 1050 VPN. 2) Using a web browser, log in to the NetScreen by entering the LAN IP address of the NetScreen in the URL field.
ZyWALL's WAN IP address. In this example, we select the Static IP Address option and enter IP 210.110.7.1 in the text box. Enter the key string 123456789 in the Preshared Key text box, and then press the Advanced button to edit the advanced settings.
Key, group1, DES for Encryption Algorithm and MD5 for Authentication Algorithm. Select the Main (ID Protection) option for Mode (Initiator). Then press the Return button, and press the OK button on the next page to save your settings.
10) Give a name to the VPN, for example "ToZyWALL IPSec". In Remote Gateway, choose the Predefined option and select the ToZyWALL rule. Then press the Advanced button to edit the advanced settings.
Encryption Algorithm to DES and Authentication Algorithm to SHA1. Check the VPN Monitor check box so that you can monitor your VPN tunnels. Then press the Return button and the OK button on the next page to save the settings.
13) Switch to Policies to set up policy rules for VPN traffic. In the From field choose Trust and in the To field choose Untrust (that is, from LAN to WAN). Then press the New button to edit the policy rules.
VPN policy for the opposite direction. Then press the OK button to save your settings. 15) After applying the settings, the new policy rules are displayed on the Policies page.
17) Ping the remote host and switch to VPNs > Monitor Status to check the VPN link status. If the Link status is Up, the VPN tunnel between the ZyWALL and the NetScreen has been built successfully.
1.2.2.3 ZyWALL with SonicWall VPN Tunneling
This section describes how to set up a VPN connection between the ZyWALL 1050 and a SonicWall TZ170. As shown in the figure below, the tunnel between the central and remote offices ensures that the packet flows between them are secure.
2) Using a web browser, log in to the SonicWall by entering the LAN IP address of the SonicWall in the URL field. The default username and password are admin/password. 3) Switch to the Network > Interfaces menu and configure the WAN/LAN IP addresses: WAN: 167.35.4.3, LAN: 192.168.2.1/24.
4) Switch to VPN > Settings, check the Enable VPN check box and press the Add button. This brings up the VPN settings. Note: The VPN Policy Wizard is an alternative way to set up the VPN rules.
Address is the ZyWALL's WAN IP address (the IP address of the remote gateway). In this example, we use 210.110.7.1 in the IPSec Primary Gateway Name or Address text box. Then enter the key string 123456789 in the Shared Secret text box.
Therefore, we have to create a new address object from the remote network drop-down list. A new address object window then pops up.
Network text box and then type 255.255.255.0 in the Subnet Mask text box. Then press OK. After the address object is configured successfully, the new address object "Remote_Subnet" can be selected from the destination network drop-down list.
8) Switch to the Proposals tab. In the IKE (Phase 1) proposal settings, select Main mode, set DH Group to Group1, Encryption to DES and Authentication to MD5. In the IPSec (Phase 2) proposal settings, select ESP Protocol, Encryption DES and Authentication SHA1. Then press the OK button.
9) Switch to the Advanced tab. In the VPN policy bound to setting, select Interface WAN. Then press the OK button. 10) The VPN status page shows the new VPN rule. Make sure the rule has been enabled.
11) Ping the remote host to dial up the tunnel. We can check the connected VPN status on the VPN status page. The VPN tunnel should appear on the Currently Active VPN Tunnels page, showing that the tunnel has been built successfully.
ZyWALL 1050's remote gateway setting represents "any IPs". On the other end, the teleworkers use the ZyWALL VPN client on their notebooks to establish an IPSec VPN with the main office.
Phase 1                     Phase 1
Negotiation Mode: Main      Negotiation Mode: Main
Pre-share key: 123456789    Pre-share key: 123456789
Encryption: DES             Encryption: DES
Authentication: MD5         Authentication: MD5
Key Group: DH1              Key Group: DH1
Perfect Forward Secrecy (PFS): None
Below is the step-by-step configuration: 1) Log in to the ZyWALL 1050 GUI and go to Configuration > Objects > Address to create an address object (local subnet) for remote access. 2) Create another address object for the remote host. The IP address of the host should be 0.0.0.0, which means that the remote user dials in dynamically.
4) To create a VPN rule, go to Configuration > Network > IPSec VPN > VPN Connection. Set the policy as defined in steps 1 and 2; the remote policy should be a dynamic host address. We set the VPN Gateway to the dynamic gateway defined in step 3.
5) Go to the remote host to configure the ZyXEL VPN Client. We create a Net Connection and set the remote access subnet to 192.168.2.x.
In My Identity, select the local ID type Any. Note: Do not forget to enter the Pre-Shared Key by clicking the Pre-Shared Key button.
The last step is to go to Security Policy to configure the parameters for Phase 1 and Phase 2. After saving the configuration, the VPN connection should be initiated from the host site.
dpd
local-ip interface ge2
peer-ip 0.0.0.0 0.0.0.0
authentication pre-share
keystring 123456789
local-id type ip 0.0.0.0
peer-id type any
xauth type server default deactivate
group1
4. The Local and Peer ID type and content must be opposites, not the same content.
5. The Local Policy of ZyWALL 1050 should be ‘dynamic single host with the value 0.0.0.0’. The VPN tunnel must be initiated from the remote host site.
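The checklist items repeated through these scenarios (identical proposal and pre-shared key, mirrored Local/Peer IDs, the 0.0.0.0 wildcard for dynamically addressed peers) can be verified mechanically against the isakmp policy listings the ZyWALL prints. The script below is an added example, not ZyXEL's tooling: it parses two such listings for the static-IP pair and for the teleworker case and reports mismatches; the interface-to-address tables and the client-side listing are constructed inputs assumed for the demonstration.

```python
"""Phase 1 consistency check for a pair of ZyWALL 1050 'isakmp policy' listings."""
import re

# Algorithms the page's examples use that a reviewer should flag (assessment is ours, not the page's).
WEAK = {"des": "DES encryption", "md5": "MD5 integrity", "group1": "DH group 1"}

def parse_isakmp(text):
    """Parse a ZyWALL isakmp policy listing; leading "[n]" indices as printed by the device are dropped."""
    pol = {}
    for raw in text.strip().splitlines():
        line = re.sub(r"^\s*\[\d+\]\s*", "", raw).strip()
        if not line or line == "exit":
            continue
        t = line.split()
        if t[0] == "isakmp":                       # "isakmp policy <name>"
            pol["name"] = t[2]
        elif t[0] in ("mode", "transform-set", "keystring"):
            pol[t[0]] = t[1]
        elif t[0] in ("local-ip", "peer-ip"):      # "local-ip interface ge2", "peer-ip <primary> <secondary>"
            pol[t[0]] = (t[1], t[2])
        elif t[0] in ("local-id", "peer-id"):      # "local-id type ip 1.2.3.4", "peer-id type any"
            pol[t[0]] = (t[2], t[3] if len(t) > 3 else None)
        elif re.fullmatch(r"group\d+", t[0]):
            pol["dh"] = t[0]
    return pol

def local_address(pol, iface_ips):
    """Resolve 'local-ip interface geN' through the device's interface table (an assumed input)."""
    kind, value = pol["local-ip"]
    return iface_ips[value] if kind == "interface" else value

def check_pair(a, b, a_ifaces, b_ifaces):
    """Return [(level, message)] describing Phase 1 mismatches between two peers."""
    findings = []
    def err(m): findings.append(("ERROR", m))
    def warn(m): findings.append(("WARN", m))
    # Proposal, pre-shared key and DH group must be identical on both sides.
    for field in ("mode", "transform-set", "keystring", "dh"):
        if a.get(field) != b.get(field):
            err(f"{field} differs: {a.get(field)!r} vs {b.get(field)!r}")
    for me, other, my_ifaces in ((a, b, a_ifaces), (b, a, b_ifaces)):
        # peer-ip must be the other side's address, unless it is the 0.0.0.0 wildcard for dynamic peers.
        primary = other["peer-ip"][0]
        if primary == "0.0.0.0":
            warn(f"{other['name']} accepts any peer address (dynamic peer)")
        elif primary != local_address(me, my_ifaces):
            err(f"{other['name']} peer-ip {primary} != {me['name']} address {local_address(me, my_ifaces)}")
        # IDs must be mirrored: my local-id is the other side's peer-id (or the other side accepts any)...
        if other["peer-id"][0] != "any" and other["peer-id"] != me["local-id"]:
            err(f"{other['name']} peer-id {other['peer-id']} does not mirror {me['name']} local-id {me['local-id']}")
        # ...and on one device local-id and peer-id must not carry the same content.
        if me["local-id"][0] != "any" and me["local-id"] == me["peer-id"]:
            err(f"{me['name']} local-id and peer-id are identical")
    # Defender's note: DES, MD5 and DH group 1 are all considered weak today.
    for pol in (a, b):
        for token in pol.get("transform-set", "").split("-") + [pol.get("dh", "")]:
            if token in WEAK:
                warn(f"{pol['name']} uses {WEAK[token]}")
    return findings

# Constructed sample listings in the device's CLI form; values follow the page's static-IP example.
SITE_A = """
[0] isakmp policy ToRemote
[1] mode main
[2] transform-set des-md5
[3] local-ip interface ge2
[4] peer-ip 167.35.4.3 0.0.0.0
[5] authentication pre-share
[6] keystring 123456789
[7] local-id type ip 210.110.7.1
[8] peer-id type ip 167.35.4.3
[9] group1
[10] exit
"""
SITE_B = (SITE_A.replace("ToRemote", "ToCentral")
          .replace("peer-ip 167.35.4.3", "peer-ip 210.110.7.1")
          .replace("local-id type ip 210.110.7.1", "local-id type ip 167.35.4.3")
          .replace("peer-id type ip 167.35.4.3", "peer-id type ip 210.110.7.1"))
# A broken remote side: wrong pre-shared key and a peer-id that merely copies its own local-id.
SITE_B_BAD = (SITE_B.replace("keystring 123456789", "keystring 987654321")
              .replace("peer-id type ip 210.110.7.1", "peer-id type ip 167.35.4.3"))
# Teleworker scenario: the hub accepts any peer address and any peer ID, as in the page's dynamic listing.
HQ_DYNAMIC = """
isakmp policy ForTeleworkers
mode main
transform-set des-md5
local-ip interface ge2
peer-ip 0.0.0.0 0.0.0.0
keystring 123456789
local-id type ip 0.0.0.0
peer-id type any
group1
"""
CLIENT = (HQ_DYNAMIC.replace("ForTeleworkers", "Notebook").replace("interface ge2", "interface wan")
          .replace("peer-ip 0.0.0.0 0.0.0.0", "peer-ip 210.110.7.1 0.0.0.0")
          .replace("local-id type ip 0.0.0.0", "local-id type any").replace("peer-id type any", "peer-id type ip 0.0.0.0"))
A_IFACES, B_IFACES, CLIENT_IFACES = {"ge2": "210.110.7.1"}, {"ge2": "167.35.4.3"}, {"wan": "203.0.113.7"}
```

Run `check_pair(parse_isakmp(SITE_A), parse_isakmp(SITE_B_BAD), A_IFACES, B_IFACES)` to see the three errors the broken listing produces alongside the weak-algorithm warnings.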
1.4 Large-scale VPN Deployment
As the business grows, the network administrator faces more and more complicated VPN topologies and applications. ZyWALL 1050 supports various types of VPN topology that can meet the needs of organizations of any size.
(Figure labels: Central site; Amsterdam; Oslo; Paris; Hannover)
In a Star VPN topology, the ZyWALL 1050 acts as the central site (enabling Hub & Spoke VPN) and the spoke sites can be any model of the ZyWALL series.
VPN traffic across the HQ to the destination office's internal network. The VPN configuration parameters:
(Table fragment, Remote Office columns: WAN: 10.59.1.11; WAN: 10.59.1.10; WAN: 10.59.1.17; LAN: 192.168.100.0/24; LAN: 192.168.101.0/24)
I do not list the detailed configuration steps here. Configure the NL site address object for each remote office subnet. Set up an NL site address group that includes all the remote office subnets; the address object group is used as a policy route destination criterion. The screenshot below is the NL site VPN Gateway status page.
(Screenshot: NL site VPN Connection status page)
Perfect Forward Secrecy (PFS): None      Perfect Forward Secrecy (PFS): None
Set up the remote offices' subnet address objects for the further VPN configuration. Set up the HQ VPN Gateway for all the remote sites.
The next step is the most important one. We need to build a VPN concentrator and join all the remote sites' VPN traffic to it. Switch to ZyWALL 1050 > Configuration > Network > IPSec VPN > Concentrator and then click the add icon to add a new concentrator.
Thus, this depends on how customers want to deploy their global VPN network. We can add the following policy route to allow the HQ subnet to connect with all of the concentrator's remote subnets.
Asia central site (Singapore), then routed again to the final destination, the Tokyo spoke site. In a Star-mesh mixed VPN topology, the ZyWALL 1050 acts as a regional central site (enabling Hub & Spoke VPN) and the spoke sites can be any model of the ZyWALL series. The Star-...
We can check the status page to confirm correctness. Please refer to the ZyWALL 5 user guide for detailed interface setting steps. The VPN configuration parameters in the Asia region:
(Table fragment, columns Regional Remote Sites / Regional Center: WAN: 179.25.3.24; ZyWALL5 WAN: 179.25.106.124; Local Policy: 192.168.0.0/16; Local Policy: 192.168.12.0/24)
192.168.20.x), ZyWALL 2 Plus (LAN subnet: 192.168.21.x) and ZyWALL 70 (LAN subnet: 192.168.22.x) by building one VPN tunnel with the local center ZyWALL 1050. Thus a separate VPN tunnel to each remote site is not needed. We use a class B subnet (192.168.0.0/255.255.0.0) as the remote policy in order to include all ranges of the remote policies...
After the VPN setting, the VPN status page briefly lists the VPN tunnel information, as in the following screenshot. The VPN cannot be dialed up for testing yet because the remote ZyWALL 1050 has not set up the corresponding VPN tunnel. Testing and debugging can start only after both sites'...
Please make sure to activate the "VPN rules skip applying to the overlap range of local and remote IP addresses" option before starting to set up the VPN tunnel.
(Screenshot: the VPN tunnel status page after the local center ZyWALL 1050 tunnel is configured)
As soon as we finish the configuration of the ZyWALL 5 and ZyWALL 35, we can move on to the ZyWALL 1050's configuration.
Perfect Forward Secrecy (PFS): None      Perfect Forward Secrecy (PFS): None
Please refer to the application topology to set up the ZyWALL 1050 interface first. We can move to the next steps only after setting up the interface. We use ge1 as the LAN interface, with IP address 192.168.10.1/255.255.255.0.
ZyWALL 70 (192.168.22.0), it will match these two address objects' ranges and the ZyWALL 1050 can do the next processing. This ZyWALL 1050 is the local center of the Asia region. We need to set up the VPN tunnels between the local sites (ZyWALL 5 and ZyWALL 35) and the Europe region center ZyWALL 1050.
The next step is to create the VPN connection (IPSec / IPSec Phase 2). Make sure the parameters are configured correctly, otherwise the VPN will fail to dial. Below is the VPN connection global page.
VPN concentrator. Switch to the Concentrator sub-menu and click the Add icon to add a new concentrator. Give a name to this concentrator and then click the add icon to make the existing VPN connection a member of this concentrator.
The remote regional center ZyWALL 1050 VPN connection is also treated as a member of this concentrator. Packets whose destination is a site allocated under the remote VPN concentrator are sent to the remote center first and are then routed to the destination site according to the remote concentrator's settings.
Remember to activate the "VPN rules skip applying to the overlap range of local and remote IP addresses" option before configuring the VPN tunnel. Follow the VPN parameter table to configure the VPN tunnel.
(Screenshot: ZyWALL 70 WAN and LAN interface settings)
Remember to activate the "VPN rules skip applying to the overlap range of local and remote IP addresses" option before configuring the VPN tunnel. Follow the VPN parameter table to configure the VPN tunnel.
Authentication: SHA1
Perfect Forward Secrecy (PFS): None      Perfect Forward Secrecy (PFS): None
Please refer to the application topology to set up the ZyWALL 1050 interface first. Then we can move on to setting up the VPN.
The needed address objects are listed as follows. This ZyWALL 1050 is the local center of the Europe region. We need to set up the VPN tunnels between the local sites (ZyWALL 2 Plus and ZyWALL 70) and the Asia region center ZyWALL 1050.
Now that we have successfully added the three VPN connection rules, we can start to edit our regional VPN concentrator. Switch to the Concentrator sub-menu and click the Add icon to add a new concentrator.
Assign a name to this concentrator and then click the add icon to make the existing VPN connections members of this concentrator. The remote regional center ZyWALL 1050 VPN connection is also treated as a member of this concentrator. Packets whose destination is a site allocated under the remote VPN concentrator are sent to the remote center first and are then routed to the destination site according to the remote concentrator's settings.
1.5 Access via Central Site
1.5.1 VPN Tunnel to Central Site (ZyWALL 70 to ZyWALL 1050)
The idea of this scenario is to redirect all outgoing traffic originating from the branch office to the main office via the VPN tunnel, so that the network administrator can manage and control the traffic or apply additional secure access control or inspection.
ZyWALL 1050 B, which is the Internet connection gateway of the main office. Thus, ZyWALL 1050 A routes the traffic from the VPN tunnel and sends it on to the packet's destination.
Phase 1                     Phase 1
Negotiation Mode: Main      Negotiation Mode: Main
Pre-share key: 123456789    Pre-share key: 123456789
Encryption: DES             Encryption: DES
Authentication: MD5         Authentication: MD5
Key Group: DH1              Key Group: DH1
1) Log in to the ZyWALL 1050 A GUI and go to Configuration > Network > Interface > Ethernet and configure the IP settings as shown in the topology. 2) Go to Configuration > Object > Address to create an address object for all the incoming traffic.
Security Gateway Address and 123456789 as the Pre-Shared Key. We leave the other parameters at their defaults. There are no special settings for these parameters; the main concern is that the VPN peers match each other.
Here, we assume the peer subnet is 192.168.1.x and select the default address object 'VPN_LAN_SUBNET' to meet our requirements.
LAN host to the Internet, so the next-hop is ge3, which is connected to the Internet gateway ZyWALL 1050 B. The third rule is for traffic coming from the VPN tunnel whose destination is the Internet. Its next-hop is also ge3.
2) Go to Security > VPN to set the IKE rules. We put 172.23.23.1 as My Address, 172.23.23.2 as the Remote Gateway Address and 123456789 as the Pre-Shared Key. For the other parameters, we set them to match those set in ZyWALL 1050 A.
Go to the Associated Network Policies of this rule to configure the IPSec rule. Please note that the Remote Network should be within the 0.0.0.0-255.255.255.255 range.
1) Log in to the ZyWALL 1050 A GUI and go to Configuration > Network > Interface > Ethernet and configure the IP settings as shown in the topology. 2) We have to add one more policy route for the traffic from the DMZ (ge4) to the Internet (WAN_TRUNK). After we finish the settings in the ZyWALL 70 and ZyWALL 1050 A and B, the setup is complete. The CLI commands for this application:
Policy Route:
policy 1
no deactivate
no description
no user...
1.6 Multiple Entry Point (MEP)
To ensure high reliability and high availability of headquarters' network access for branch offices or teleworkers, the ZyWALL 1050 supports the multiple entry point application, which brings the following benefits: 1. Ensuring the network path is always available: if the primary network path fails, the user can access the same resources via a backup path 2.
2 Plus, which supports the VPN HA and Dial Backup functions. When the primary WAN access to the VPN tunnel is down, the ZyWALL 1050 will trigger the dial backup and establish a VPN tunnel with the second secure gateway, another ZyWALL 1050 located at the branch office.
One ZyWALL 2 Plus
Two ZyWALL 1050
One ES-4024A
One modem connected to the ZyWALL 2 Plus's AUX port (e.g. ZyXEL omni.lite com+)
One FTP server
One PC behind the ZyWALL 2 Plus
Now, we are going to complete the following main tasks: 1.
(VPN parameter table, three columns, garbled in extraction. Recoverable rows: Subnet: 192.168.1.0 / 192.168.3.0 / 192.168.3.0; SNAT: Change / Change, with the addresses 192.168.3.0, 192.168.1.0, 192.168.30.0 and 192.168.31.0; Phase 1 Negotiation Mode: Main / Main / Main; Pre-share key: 123456789 / 123456789 / 123456789; the Encryption, Authentication, Key Group and Phase 2 rows were not recovered.)
1. Configuration on ZyWALL 1050-A
(1) LAN/WAN Network Setting. Log in to ZyWALL 1050-A's GUI and go to the menu Configuration > Network > Interface. Modify ge2's IP address to 59.124.163.154 with subnet 255.255.255.224 and gateway 59.124.163.129. Secondly, modify interface "ge1" to be the LAN network. Here we keep using the default IP address "192.168.1.0"...
Host, 59.124.163.152/255.255.255.255 9. Create one more address object for ZyWALL 1050-A's ge2 (WAN) IP address, for use in a firewall rule that allows ZyWALL 1050-A's ge2 to be pinged from the ZyWALL 2 Plus and to respond to the ping. Name: ge2_IP, Host, 59.124.163.154/255.255.255.255...
Step 2. Create an IKE rule
1. Go to the menu Configuration > Network > IPSec VPN and switch to 'VPN Gateway'.
2. Create a new IKE rule by clicking the '+' icon.
3. Fill out the fields as follows.
CLI commands for reference:
isakmp policy IKE1
mode main
transform-set des-md5
lifetime 86400
no natt
dpd
local-ip interface ge2
peer-ip 0.0.0.0 0.0.0.0
Step 3. Configure the IPSec rule
1. Go to the menu Configuration > Network > IPSec VPN and switch to 'VPN Connection'.
2. Create a new IPSec rule by clicking the '+' icon.
3. Configure the VPN settings as shown below.
Note: In ZyWALL 1050-A, we use "Source NAT" to change the source of the VPN traffic from the 192.168.3.0 network going to the 192.168.1.0 network to the 192.168.30.0 network. We will also configure ZyWALL 1050-B later to change the VPN traffic from the 192.168.3.0 network going to the 192.168.2.0 network to the 192.168.31.0 network.
WAN and then trigger the VPN tunnel. Click the '+' icon to add another new policy route, which is used to route traffic from ZyWALL 1050-B back via the original path. Define that all traffic from the 192.168.1.0 network that wants to go to 192.168.31.0 is routed via the gateway host 192.168.1.254.
ES-4024A FTP server (now the packet has source 192.168.31.0 and destination 192.168.1.33). The FTP server's gateway is ZyWALL 1050-A's ge2, applied via DHCP or configured manually. So when the traffic returns, it flows from the FTP server to ZyWALL 1050-A's ge2 (which redirects the traffic to another host)
After the configuration is done, you will see two policy routes as shown below. CLI commands for reference:
policy 1
no deactivate
no description
no user
interface ge1
Go to the GUI menu Security > Firewall. Enable Firewall: On. Choose the To-ZyWALL rules and click "+" on the right side to add a new rule. Fill out the information as follows and then click the "Apply" button.
The new firewall rule is available as shown below.
2. Configuration on ZyWALL 1050-B
(1) LAN/WAN Network Setting. Log in to ZyWALL 1050-A's GUI and go to the menu Configuration > Network > Interface. Modify ge2's (WAN) IP address to 59.124.163.155 with subnet 255.255.255.224 and gateway 59.124.163.129. Secondly, modify ge1's (LAN) IP address to 192.168.2.1 with subnet 255.255.255.0 and configure it as a DHCP server with the IP pool starting address and pool...
Step 2. Create an IKE rule
1. Go to the menu Configuration > Network > IPSec VPN and switch to 'VPN Gateway'.
2. Create a new IKE rule by clicking the '+' icon.
3. Fill out the fields as follows.
CLI commands for reference:
isakmp policy IKE1
mode main
transform-set des-md5
lifetime 86400
no natt
dpd
local-ip interface ge2
peer-ip 0.0.0.0 0.0.0.0
Step 3. Configure the IPSec rule
1. Go to the menu Configuration > Network > IPSec VPN and switch to 'VPN Connection'.
2. Create a new IPSec rule by clicking the '+' icon.
3. Fill out the fields as follows.
Note that we use Source NAT to change the VPN traffic from 192.168.3.0 that goes to the 192.168.1.0 network to the 192.168.31.0 network. CLI commands for reference:
crypto map IPsec1
ipsec-isakmp IKE1
Click the '+' icon to add another policy route, which indicates where all the traffic destined for ZyWALL 1050-A's LAN network is routed. Define that all traffic that wants to go to the 192.168.1.0 network is routed via the gateway host 192.168.2.254.
After the configuration is done, you will see two policy routes as shown below. CLI commands for reference:
policy 1
no deactivate
no user
no interface
no tunnel
source any
destination Local_192_168_1
no schedule
service any
next-hop gateway HOST_192_168_2_254
no snat
no bandwidth
exit
2. Telnet to or log in to the ZyWALL 2 Plus console and switch to menu 24.8 to enable pingcheck, which detects WAN connection availability. - Execute the CLI command: sys rn pingcheck 1 3. Add the CLI command to autoexec.net so that it stays enabled even after the device reboots.
Page 117
(4) VPN Setting 1. Switch to GUI menu Security > VPN, click the ‘+’ icon as following to add a VPN-IKE rule. 2. Configure VPN-IKE setting on ZyWALL 2 Plus as following. All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 118
ZyWALL 1050 Support Notes 3. At the same page of menu Security > VPN, click the icon to add a VPN-IPSec rule. All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 119
ZyWALL 1050 Support Notes 4. Configure the IPSec rule as following. All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 120
1. Log in to the ES-4024A GUI and go to Advanced Application > VLAN > Static VLAN.
2. Add vlan2 (ports 9-16, Fixed, Untag on egress) and vlan3 (ports 17-24, Fixed, Untag on egress). Then click the Add button.
3. Switch to Advanced Application > VLAN > VLAN Port Setting. Configure PVID 2 for ports 9-16 and PVID 3 for ports 17-24 as shown below. Then click the Apply button.
1. Enter the ES-4024A GUI and go to Routing Protocol > Static Routing.
2. Define that traffic destined for the 192.168.31.0/24 network is routed via the gateway 192.168.2.1. The configuration is shown below.

Keep pinging from the PC behind ZyWALL 2 Plus (for example 192.168.3.33) to the FTP server (for example 192.168.1.33); it becomes reachable once the primary VPN tunnel is up. See the ZyWALL 2 Plus log shown below.

The screen capture below shows the progress at this step. ZyWALL 2 Plus's IKE detects that the tunnel is down and sends HASH-DEL packets. (Since the Internet access is down, ZyWALL 1050-A does not receive those HASH-DEL packets.) The dial backup then starts right away.

The screen capture below shows the dial backup obtaining the dynamic IP 218.32.98.40. IPSec HA takes action after several IKE packets have been sent without any reply.

ZyWALL 2 Plus then tries to establish a VPN tunnel with ZyWALL 1050-B (59.124.163.155).

Finally, the VPN tunnel is successfully established with ZyWALL 1050-B, and the PC behind ZyWALL 2 Plus can ping the FTP server. See the screen capture shown below.

In a global or multi-site enterprise network deployment, reliability is another major concern when planning a VPN deployment. ZyWALL 1050 provides advanced features to support the following scenarios to achieve high availability of the VPN infrastructure. The benefits for the customer are ‧...
1.1. Interface setup
The default LAN subnet is bound to ge1 and the default IP is 192.168.1.1. Connect to ge1 and ZyWALL 1050 will assign an IP address to your PC. Then we can start to set up the basic interface and routing settings.

Step2. We can check all the interface information on the Status page.
Step3. Set up the WAN1, WAN2, LAN and DMZ interface IP parameters as in the demo

The default interface configuration is as follows. We will configure ge2, ge3, ge4 and ge1 in turn. Click the "Edit" icon to modify the setting.
ge2: fixed IP 220.123.123.2/255.255.255.0, gateway 220.123.123.1
ge3: fixed IP 220.123.133.2/255.255.255.0, gateway 220.123.133.1
ge4: fixed IP 192.168.20.254/255.255.255.0, DHCP server
ge1: fixed IP 192.168.10.254/255.255.255.0, DHCP server

Your PC's network connection will drop and obtain a new IP address from ZyWALL 1050 after ge1's new setting is applied.

1.2. Configure the interfaces into their corresponding Zones
Step1. Switch to ZyWALL 1050 > Configuration > Network > Zone and click the "Edit" icon to modify the setting.
Step2. By default ZyWALL 1050 has three Zones. You can add more Zones or rename a Zone if you wish. The main purpose of a Zone is to add security checking between different interfaces.

Step1. Switch to ZyWALL 1050 > Configuration > Objects > Address > Address; you will find one default LAN_SUBNET address object.

There is one default policy route from LAN for traffic going out to the network behind WAN. Switch to ZyWALL 1050 > Configuration > Policy > Route > Policy Route or Static Route to check the routing settings. Click the "Edit" icon to check the detailed settings...
1.4. Setup Device HA (Active-Passive)
We will configure the Device HA setting on the master ZyWALL 1050 first. Then we connect the backup ZyWALL 1050's cables to the L3 and L2 switches and synchronize the configuration from the master.

Set up the ge1 (LAN) VRRP group
Set up the ge2 (WAN1) VRRP group
Set up the ge3 (WAN2) VRRP group
Set up the ge4 (DMZ) VRRP group

Step2. Connect the PC to the backup ZyWALL 1050's ge1; the PC should get an IP address from the device. Log in to the backup ZyWALL 1050 and configure its Device HA setting. We have to set the ge1 interface IP the same as on the master ZyWALL 1050's ge1.

HA > VRRP GROUP. Then click the "add" icon to add a VRRP group. Between the Master and Backup roles, the difference in settings is the Management IP configuration. The backup ZyWALL 1050 copies all settings from the master, so we need a management IP to access and configure the backup ZyWALL 1050.

Step4. Unplug the PC cable from the backup ZyWALL 1050's ge1 and plug it back into the L2 switch LAN segment. Connect all the cables from the L2 and L3 switches to the backup ZyWALL 1050 as on the network topology diagram shown on the index page. Log in to the backup ZyWALL 1050 via the management IP.

synchronize the configuration from the master to the backup. Note: do not check "Auto Synchronize", as there is a known bug related to it.
Sync process in action
Sync successful notification window

Switch to ZyWALL 1050 > Maintenance > Logs > View Log to check the log records.
Step6. Check the system status page. You will see that the master ZyWALL 1050's configuration has been synchronized to the backup ZyWALL 1050, and we can continue to set up the remaining three VRRP groups.

Set up the ge3 (WAN2) VRRP group
Set up the ge4 (DMZ) VRRP group
Step1. Set up the VPN on the master ZyWALL 1050
Switch to ZyWALL 1050 > Configuration > Network > IPSec VPN > VPN Gateway and click the "Add" icon to add a VPN gateway.

As My Address we use the Domain Name 0.0.0.0, which defines a dynamic source, since this VPN gateway will accept traffic from both ge2 (WAN1) and ge3 (WAN2). Set the DNS names "ZyWALL 1050" and "ZyWALL 2" as the Local and Peer ID types.

DMZ subnet as a VPN local policy, and we also need to add an address object for the remote subnet. Switch to ZyWALL 1050 > Configuration > Objects > Address > Address; the LAN subnet is already set up, and we click the "Add" icon to add one more address object.

Set the 192.168.1.0 subnet as the remote address object. Go back to the overview of the address object page. You can see that the three address objects, including VPN REMOTE, have been set up.

We have to set up the policy routes for the VPN traffic to LAN and DMZ. Switch to ZyWALL 1050 > Configuration > Policy > Route > Policy Route and add the policy routes for the VPN traffic to LAN and DMZ.

Step6. Connect the PC to ZyWALL 2 Plus and configure the VPN settings. In this step we have to configure two VPN policies, one for the remote ZyWALL 1050 LAN subnet and one for the DMZ subnet. Log in to ZyWALL 2 Plus and switch to the VPN configuration page.

Click the Add icon to edit the VPN Network Policy. Set up the VPN policy with the local LAN subnet (192.168.1.0/24), the Remote address type set to "Range Address" and the IP range from 192.168.10.0 to 192.168.20.255. Click Apply to save the configuration.

Ping the remote subnet to trigger the VPN tunnel. You can now unplug the WAN1 cable and test the VPN HA function. The VPN connection should switch to the WAN2 connection within several seconds.
‧ Prevent identity theft (VoIP over VPN)
‧ Mitigate the impact of denial of service
We use a simple topology to illustrate, step by step, how ZyWALL 1050 can protect the VoIP line in the following notes.

LAN: 192.168.10.0/24
LAN: 192.168.22.0/24
We use two VoIP ATAs (ZyXEL P2002 series) connected to the office gateways. Each VoIP ATA has a SIP number for the remote ATA to dial. This kind of application is called a Fixed VoIP Line application: the user only needs to install and configure the VoIP ATA devices and does not need to register with an external SIP server.

Switch to the Maintenance menu and check which IP address was assigned by ZyWALL 1050. Connect to the other P2002 GUI and repeat the same steps to find out its IP address.

1. Set up the SIP number in the Branch Office.
2. Set up the SIP number in the Main Office.

ATA and then click the Add button to add this record to the Speed Dial Phone Book.
4. Set up the Main Office SIP number and IP address in the Branch Office P2002's PHONEBOOK menu. The remote office SIP information will show up in the Speed Dial Phone Book.

Main Office ZyWALL 1050 Configuration:
1. Log in to the ZyWALL 1050 Web GUI and set up the ZyWALL 1050 WAN and LAN interfaces as shown on the previous topology diagram.
2. Set up the remote subnet address object for the subnet behind the remote office ZyWALL 70.

Office. Switch to ZyWALL 1050 > Configuration > Network > IPSec VPN > VPN Gateway and add a new VPN gateway rule.
4. Switch to ZyWALL 1050 > Configuration > Network > IPSec VPN > VPN Connection and add a new VPN connection. The local and remote policies are the address objects LAN_SUBNET and zw70VPN_LAN.
5. Switch to ZyWALL 1050 > Configuration > Policy > Route > Policy Route to add a policy route that routes the local subnet's traffic to the remote branch office subnet via the tunnel zw70VPN.
6. We have finished the VPN connection and routing configuration. Now we can start to set up the security checking rules over this VPN tunnel. Switch to ZyWALL 1050 > Configuration > Network > Zone and add a new Zone for the VPN.
8. We can also use IDP to detect and intercept intrusions inside the VPN tunnel. Switch to ZyWALL 1050 > Configuration > Policy > IDP and follow the steps shown on the diagram below to add IDP protection to the VPN zone.

shown in the previous topology diagram.
2. Configure the VPN tunnel for connecting with ZyWALL 1050.
We can enjoy the convenience and cost savings of the VoIP phone line without security issues once the VPN connection and the security policy enforcement have been deployed in the network.
IM/P2P applications, managing IM/P2P applications well can mitigate security breaches. Besides, restricting access to IM/P2P applications can help employees focus on their jobs, increase productivity and reduce misuse of network resources such as bandwidth.

2.1.2 What does ZyWALL 1050 provide for managing IM/P2P applications?
ZyWALL provides a solution to the rigidity of the "all-or-nothing" approach and can meet customer expectations.
1. Application patrol: it can "recognize" IM/P2P applications, and IT administrators can leverage it to restrict access to IM/P2P applications.
2.

We are going to complete the following settings.
1. Create user/group objects
2. Create a schedule object
3. Configure layer 7 application control (App Patrol)
4. Configure a policy route
5. Configure IDP

username Victor description Local User
username Victor logon-lease-time 1440
username Victor logon-re-auth-time 1440
3. Switch to the Group tab, create the group 'Manager' and add the member 'Victor' to it as shown in the following figure.

5. Create two more groups, 'Engineer1' and 'Engineer2', and add 'Peter' and 'John' to them in the same way.
Step2. Create a schedule object
1. Go to menu Object > Schedule and click the "+" under Recurring schedule to create a new schedule as shown in the following figures.

3. Choose the application to define further settings. In the Instant Messenger and Peer-to-Peer categories, several applications can be configured. We take 'MSN' as an example. Click the modify icon to get to the further configuration.

6. Choose access 'Drop'; the action in the exception policy then changes to 'Forward' automatically.
7. Click '+' to add two exception rules for the two groups Engineer2 and Manager, as shown in the figure below.

no schedule
user Manager
source LAN_SUBNET
no destination
no log
exit
Step4. Configure the Policy Route
1. Go to menu Configuration > Policy > Route

Enter the maximum bandwidth 100 Kbps.
4. Press the OK button to complete the setting.
Corresponding CLI commands for your reference:
policy 1
no deactivate
description IM_access_by_Engineer2
user Engineer2
no interface

2. Then create an IDP profile by going to menu Policy > IDP > Profile tab > Packet inspection tab.
3. Name it 'IM_P2P' and enable IM and P2P in the application list.
4. Then click the OK button.
5. Back in IDP > General, choose the IDP profile we just created for the WAN zone as in the figure below.
6. Enable it and click the Apply button.
We recommend that wireless APs be isolated from your Intranet. Also, there must be a mechanism to centrally manage access privileges and access credentials regardless of whether the clients are wired or wireless.

The interface name is vlan10 (the same as the VLAN tag ID, to avoid confusion). Choose 'ge5' as the physical port to bind the interface to. The virtual VLAN tag is 10. Give it a clear description. Use the fixed IP address 192.168.10.1/24.
Leave the other fields at their defaults and press the 'OK' button.
Step2. Define WLAN zones
Go to menu Network > Zone. Define a zone for wireless and bind it to interface "vlan10".

2. Go to menu User/Group > Setting > Force User Authentication Policy and click '+' to force all packets from the wireless network to be redirected to the authentication page.

Step4. Configure the LDAP server information.

2. Work with the LDAP server administrator to create users/groups with the lease-time and re-authentication-time attributes configured.
3. Go to menu User/Group > User and configure the user "ldap-users" for "non-employees" by clicking the modify icon.

3. Go to menu System > WWW and make sure the authentication method is the profile we just modified. (That is, if you created another profile that is not named 'default', you have to choose it here.)

1. Go to menu Network > Firewall.
2. Enable the firewall and choose the zone pairs from the "Wireless_Zone" we just created to each other zone. Here we configure the pair to zone "WAN" first.
3. Click '+' to add rules.
4. Configure a rule to allow employee access from the source "wireless network" to "any" in WAN.
Corresponding CLI commands for your reference:
firewall 8
no schedule
user ldap-employee
sourceip Wireless
no destinationip

6. After this, you will see the results as in the figure below. Click the Apply button.
Corresponding CLI commands for your reference:
firewall activate
no firewall asymmetrical-route activate
firewall 8
activate
exit
firewall 9
activate
exit

7. Continue to configure WLAN-to-LAN, WLAN-to-DMZ and WLAN-to-WLAN. Those are accessible to employees only. See the following figures.
Regulatory compliance: get rid of porn/violent web content that may bring legal issues
2.3.2 EIM on ZyWALL 1050
ZyWALL 1050 supports EIM through the following features.
Flexible access policy: provides the Enforce Access policy with granularity
Always up to date: queries a dynamically updated URL database...

Step1. Make sure Internet access has been configured well for the PC behind ZyWALL 1050. By default, ZyWALL 1050's WAN ports ge2 and ge3 get their IP addresses from the ISP or from the DHCP server in front of ZyWALL 1050. Connect an Ethernet cable to ZyWALL 1050's... ge2 or ge3 and check on the GUI Home page whether ZyWALL 1050 gets an IP address. Make sure ZyWALL 1050 can access the Internet using CLI commands via the console or telnet. See the example shown below.

Step2. Log in to the ZyWALL 1050 GUI and go to menu Registration. Complete the user, product and Content Filter service registration on myZyXEL.com. Here the Content Filter service is enabled by activating the trial period. If you are new to myZyXEL.com registration, choose 'Create a new user'.

Click the modify icon to configure the trusted website list. Switch to the Customization tab and enable web site customization. Add the website, for example www.zyxel.com, to the trusted websites. Click the OK button.

Then follow a similar configuration to create another filtering profile for the Sales department. For example, we add an extra access restriction for websites with ActiveX and Cookies features, as configured in the figure below. Click the OK button.

After it is done, you will see the two profiles as shown below.

content-filter profile Sales-profile custom trust www.zyxel.com
Step4. Switch to menu Configuration > Object > Address and create two Address Objects to define the IP address ranges for the Engineer and the Sales department.

content-filter block message The web access is restricted. Please contact with administrator.
content-filter policy insert 1 none any Engineer-IP-range Engineer-profile
content-filter policy insert 1 none any Sales-IP-range Sales-profile
content-filter activate

Then when engineers try to surf the Internet behind ZyWALL 1050, their HTTP requests are inspected by the Engineer filter profile, whereas Sales' Internet access is inspected by the Sales filter profile. For example, if an engineer with a PC IP address of 192.168.1.101 tries to access http://www.playboy.com, the browser shows the warning message.
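Two details of the policy above are easy to get wrong: each "insert 1" puts its policy at the top, so after the two commands the Sales policy sits above the Engineer policy (which only matters if the two address ranges overlap), and a profile's trusted list is consulted before the category check. The following model is an added example, not ZyXEL code: it selects a profile by the client address, then applies the profile's trusted list and blocked categories to a URL. The address ranges, the category table standing in for the URL database and the blocked-category sets are constructed for illustration.

```python
"""Content-filter policy selection: ordered policies keyed by source address
object, then the selected profile's trusted list and blocked categories.
Added example, not ZyXEL code; the IP ranges, the category table and the
category sets below are constructed for illustration."""
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for the dynamically updated URL category database.
CATEGORY_OF = {
    "www.playboy.com": "adult",
    "www.zyxel.com": "business",
    "www.example.com": "general",
}


class Profile:
    def __init__(self, name, blocked_categories, trusted=()):
        self.name = name
        self.blocked = set(blocked_categories)
        self.trusted = set(trusted)       # 'content-filter profile ... custom trust <host>'

    def decide(self, url):
        host = urlparse(url).hostname or ""
        if host in self.trusted:
            return "allow"                # trusted list wins before any category lookup
        if CATEGORY_OF.get(host, "unknown") in self.blocked:
            return "block"
        return "allow"


class ContentFilter:
    def __init__(self):
        self.policies = []                # ordered list of (network, profile)

    def insert(self, position, network, profile):
        # 'content-filter policy insert 1 ...' goes to the top each time it is run
        self.policies.insert(position - 1, (ipaddress.ip_network(network), profile))

    def select(self, client_ip):
        """First policy whose address object contains the client wins."""
        ip = ipaddress.ip_address(client_ip)
        for net, profile in self.policies:
            if ip in net:
                return profile
        return None                       # no matching policy: not filtered


def demo():
    engineer = Profile("Engineer-profile", {"adult"}, trusted={"www.zyxel.com"})
    sales = Profile("Sales-profile", {"adult", "general"}, trusted={"www.zyxel.com"})
    cf = ContentFilter()
    cf.insert(1, "192.168.1.0/25", engineer)    # Engineer-IP-range (constructed)
    cf.insert(1, "192.168.1.128/25", sales)     # Sales-IP-range (constructed)
    order = [profile.name for _, profile in cf.policies]
    decisions = {
        "eng_adult": cf.select("192.168.1.101").decide("http://www.playboy.com/"),
        "eng_general": cf.select("192.168.1.101").decide("http://www.example.com/"),
        "sales_general": cf.select("192.168.1.200").decide("http://www.example.com/"),
        "sales_trusted": cf.select("192.168.1.200").decide("http://www.zyxel.com/"),
        "unmatched": cf.select("10.9.8.7"),
    }
    return order, decisions


if __name__ == "__main__":
    order, decisions = demo()
    print("policy order:", order)
    for name, result in decisions.items():
        print(f"{name}: {result}")
```

The `unmatched` case shows why the address objects must cover every client subnet: a host outside both ranges is not inspected at all.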
With a transparent firewall, you do not need to change the IP addressing scheme of your existing network. You only need to insert ZyWALL 1050 into your existing network environment and bridge the ports that need to be included in the bridge interface.

To make this scenario work, follow the configuration steps below:
1) Log in to the ZyWALL 1050 GUI, set up the ge2 interface for the Internet connection and manually assign a static IP. The configuration path is ZyWALL 1050 > Configuration >...
3) Switch to Configuration > Policy > Route > Policy Route to modify the default rule there. The default rule is for Router Mode (NAT Mode). Since we have two different modes coexisting here, we need to adjust this rule.

no deactivate
no description
user admin
interface ge1
source LAN_SUBNET
destination any
no schedule
service any
next-hop interface br1
snat outgoing-interface
no bandwidth
exit
Tips for application: disable the firewall only temporarily while testing connectivity, and re-enable it as soon as the path works. Every time you make a change, do not forget to click the "Apply" button.

To make this scenario work, follow the configuration steps below:
1) Log in to the ZyWALL 1050 GUI, set up the ge2 interface for the Internet connection and manually assign a static IP. Go to Configuration > Network > Interface > Edit > ge2.
2) Switch to Configuration >...

192.168.1.55 map-type port protocol tcp original-port 80 mapped-port 80
3) Switch to Configuration > Objects > Address and add a new address object for your Web server.
CLI to create an address object:
address-object WebServer 192.168.1.55

to LAN
log
activate
description WebServerFW
exit
Tips for application: do not forget to place your rule before the default "Deny all" rule in the WAN-to-LAN direction; rules are matched in order, so a rule placed below it is never reached.
3.2 Zone-based IDP Protection
ZyWALL 1050 comes with a state-of-the-art Intrusion Detection and Prevention (IDP) system that provides comprehensive and easy-to-use protection against current and emerging threats at both the application and network layers. Using industry-recognized state-of-the-art detection and prevention techniques;...

IDP profiles to them. Here are the steps:
1) Log in to the ZyWALL 1050 GUI and go to Configuration > Network > Interface > Ethernet. Since we are going to have three internal networks in our scenario, we will make GE4 and GE5 two more networks for DMZ and LAN2.
Tip: you do not need a gateway here, since this network is directly connected to ZyWALL 1050.

Since we need GE5 for our LAN2 Zone, we need to remove interface GE5 from the DMZ Zone. Click the "edit" icon of the DMZ Zone and then click the "remove" icon next to the GE5 interface.
6) Enter the name "LAN2" and click the "+" icon again to bind the interface to this Zone. Now we have only one interface in this Zone, so there is no intra-zone traffic to worry about.
7) Since GE5 is the only interface left, GE5 is selected automatically. Finally, click "OK" to apply the new setting.
8) Before you apply the IDP profiles, make sure that the IDP service on your ZyWALL 1050 is licensed. Each ZyWALL 1050 comes with a 30-day free trial of the IDP service. Just register your ZyWALL 1050 and it will receive the license automatically. A page that is already registered is shown here.

CLI commands for removing GE5 from the DMZ Zone:
zone DMZ
block
no interface ge4
no interface ge5
interface ge4
exit
CLI commands for creating the LAN2 Zone:
zone LAN2
no block

CLI commands for activating the IDP service:
idp activate
idp zone LAN activate
no idp zone WAN activate
idp zone DMZ activate
no idp zone LAN2 activate
ZyWALL 1050 is VLAN aware and supports virtual interfaces as well. With ZyWALL 1050 you can run a maximum of thirty-two VLANs, which makes network partitioning very easy. However, a VLAN-capable L2 switch is required to create the VLAN tags in front of ZyWALL 1050.

VLAN virtual interfaces on port 1: VLAN10, VLAN20 and VLAN30. In this scenario, the VLAN-aware switch needs to apply the VLAN10, VLAN20 and VLAN30 802.1Q tags to the corresponding packets and send all the packets to ZyWALL 1050 port 1 through a single physical RJ45 cable.

3) By following the above steps you can create the other two VLAN interfaces (VLAN20 and VLAN30).
The CLI command to create the above VLAN10:
interface vlan10

VLANs. To create these zones, follow the configuration steps below:
1) Log in to the ZyWALL 1050 GUI and go to Configuration > Network > Zone. Then click "+" to create a new zone.
However, it may not be the one you are looking for. Thus, click the interface box and choose the one you want.
4) Finally, click "OK" to apply your settings.
5) Repeat the above steps to create the other two Zones for VLAN20 and VLAN30.

To create those two rules, follow the configuration steps below:
1) Log in to the ZyWALL 1050 GUI and go to Configuration > Policy > Firewall. Check "Enable Firewall" to activate the firewall. Then pick your Zone pair and click the "+" icon to create a new firewall rule for the selected pair.
12) It is optional to give this rule a description. If you want to allow or block everything, simply choose "allow" or "deny" as the "Access" option. "Deny" discards matching packets silently; "Reject" discards them and sends a TCP reset or ICMP unreachable back, so the client learns immediately that the connection was refused.

Zone to "LAN_VLAN20" Zone.
The CLI commands for the above actions:
firewall Finance Secret insert 1
no schedule
no user
no sourceip
no destinationip
no service
action deny
from Finance
to Secret
no log
activate
exit
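The rules in this section, the wireless firewall rule with "user ldap-employee" and "sourceip Wireless" in section 2.2, and the WebServerFW rule that must sit above the default "Deny all" all rely on the same evaluation order: per zone pair, rules are checked top to bottom, the first match decides, and the default deny is last. The following model is an added example, not ZyXEL code; the packet representation, the rule fields and the sample rules are constructed from the listings in this document, and the three zone pairs it builds (WAN to LAN, Wireless to WAN, Finance to Secret) are the ones the text configures.

```python
"""Model of zone-pair firewall evaluation: an ordered rule list per
from-zone/to-zone pair, first match wins, default deny at the bottom.
Added example, not ZyXEL code. The packet dictionary, the Rule fields
and the sample rules are constructed for illustration."""
import ipaddress


class Rule:
    def __init__(self, action, src=None, dst=None, service=None, user=None, desc=""):
        self.action = action        # 'allow', 'deny' or 'reject'
        self.src = src              # sourceip address object as CIDR, None = any
        self.dst = dst              # destinationip as CIDR, None = any
        self.service = service      # (proto, port) tuple, None = any
        self.user = user            # authenticated user or group name, None = any
        self.desc = desc

    def matches(self, pkt):
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.service and (pkt["proto"], pkt["dport"]) != self.service:
            return False
        if self.user and pkt.get("user") != self.user:
            return False
        return True


class ZonePair:
    """Rules for one direction, e.g. WAN to LAN. The list ends with the
    default deny, so anything appended after it can never be reached."""

    def __init__(self, from_zone, to_zone):
        self.name = f"{from_zone}->{to_zone}"
        self.rules = [Rule("deny", desc="default deny")]

    def insert(self, position, rule):
        # 'firewall <from> <to> insert 1' places the rule at the top
        self.rules.insert(position - 1, rule)

    def append(self, rule):
        # a rule added below the default deny: present, but unreachable
        self.rules.append(rule)

    def evaluate(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.desc
        return "deny", "default deny"


def demo():
    """Zone pairs built from the rules in the support note."""
    wan_lan = ZonePair("WAN", "LAN")
    wan_lan.insert(1, Rule("allow", dst="192.168.1.55/32", service=("tcp", 80), desc="WebServerFW"))
    wan_lan.append(Rule("allow", dst="192.168.1.55/32", service=("tcp", 443), desc="below deny-all"))

    wl_wan = ZonePair("Wireless", "WAN")     # 'firewall 8': user ldap-employee, sourceip Wireless
    wl_wan.insert(1, Rule("allow", src="192.168.10.0/24", user="ldap-employee", desc="employee"))

    fin_sec = ZonePair("Finance", "Secret")  # 'firewall Finance Secret insert 1 ... action deny'
    fin_sec.insert(1, Rule("deny", desc="Finance to Secret"))

    web = {"src": "203.0.113.9", "dst": "192.168.1.55", "proto": "tcp", "dport": 80}
    tls = dict(web, dport=443)
    wifi = {"src": "192.168.10.23", "dst": "198.51.100.7", "proto": "tcp", "dport": 443}
    return {
        "web": wan_lan.evaluate(web),
        "tls_below_deny": wan_lan.evaluate(tls),
        "employee": wl_wan.evaluate(dict(wifi, user="ldap-employee")),
        "guest": wl_wan.evaluate(wifi),
        "finance": fin_sec.evaluate({"src": "10.0.20.5", "dst": "10.0.30.5", "proto": "tcp", "dport": 445}),
    }


if __name__ == "__main__":
    for name, (action, desc) in demo().items():
        print(f"{name}: {action} ({desc})")
```

The `tls_below_deny` case is the mistake the WebServerFW tip warns about: the rule exists, but it sits under the default deny and is never consulted. The `guest` case shows that a wireless client that has not authenticated falls through to the default deny even though its source address matches.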
WAN Link. Basically, ZyWALL 1050 can build up to 12 PPPoE WAN links via one single port or having multiple fixed links over four physical ports. Moreover, ZyWALL 1050 supports an easy management feature for all your WAN Links.
Page 234
ZyWALL 1050 Support Notes 1) Login ZyWALL 1050 GUI and go to Configuration > Network > ISP Account. Then click the “+” to create a new account for a PPPoE connection. 2) Now, on the screen, you can give a name to this profile. Select the protocol as PPPoE.
Page 235
PPPoE connections are coming from GE2. Thus, we pick GE2 as our base interface. Pick the account profile that you want to apply for this PPPoE interface. All other remaining settings are either optional or depending on the requirements of your ISP. All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 236
7) Now all the PPPoE interfaces are created. And all of them are desired to be added to the WAN Zone as well. Go to Configuration > Network > Zone to click on the modify icon All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 237
9) Now check the box below to pick PPP1 as the Interface to join the WAN Zone. Repeat the above steps to add PPP2 and PPP3 into the WAN Zone as well. All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 238
10) Second, we will need to add all three of our PPPoE Interfaces into the WAN Trunk interface. Please go to Configuration > Network > Interface > Trunk 11) Click on the “+” icon to add a new interface into this WAN_Trunk interface. All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 239
Bandwidth” here are the values used for reference of the Load Balancing Algorithm. 13) Repeat the above steps until all three PPPoE interfaces are added into this WAN_Trunk interface. Remove the fixed links on GE2 and/GE3 if you want. All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 240
[4] compression no [5] idle 0 [6] exit CLI commands to create a PPPoE interface [0] interface ppp1 [1] no shutdown [2] description ISP1 [3] mtu 1492 [4] upstream 1048576 [5] downstream 1048576 All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 241
[7] interface ge2 [8] interface ge3 [9] exit CLI commands to add those three PPPoE interfaces into the WAN_Trunk interface [0] interface-group WAN_TRUNK [1] mode trunk [2] algorithm llf [3] no interface ge2 All contents copyright (c) 2006 ZyXEL Communications Corporation.
Page 242
    no interface ge3
    no interface aux
    interface 1 ppp3
    interface 2 ppp2
    interface 3 ppp1
    interface 4 ge2
    interface 5 ge3
    interface 6 aux passive
    exit
3.4.2 Multiple fixed WAN links
Besides multiple PPPoE links, fixed links are also supported on ZyWALL 1050. With ZyWALL 1050, you can have at most 4 fixed links for a WAN. Here is an example with 2 fixed links on GE2, GE3 and GE4.
Page 244
3) Now, since GE4 is in the DMZ Zone by default, we will need to release it for our use. Go to Configuration > Network > Zone and click on the modify icon of DMZ.
Page 245
5) Next, we will need GE4 to join the WAN Zone in order for us to be able to apply a single WAN policy on ZyWALL 1050. Go to Configuration > Network > Zone and click on the modify icon of WAN Zone.
Page 246
6) Click the “+” icon again to add a new interface to this Zone. 7) Since GE4 is the only free interface here, it will be selected automatically.
Page 247
Configuration > Network > Interface > Trunk and click on the modify icon to modify the settings of the WAN_Trunk. 9) Click on the “+” icon to add a new interface into this WAN_Trunk interface.
Page 248
10) Click the box below to switch the interface from GE1 to GE4. Click OK to complete the setup of this scenario.

CLI commands to configure the IP information on GE4:
    interface ge4
Page 249
    interface ge5
    exit

CLI commands to join GE4 to the WAN Zone:
    zone WAN
    block
    no interface ge2
    no interface ge3
    interface ge4
    interface ge2
Page 250
    algorithm llf
    no interface ge2
    no interface ge3
    no interface aux
    interface 1 ge4
    interface 2 ge2
    interface 3 ge3
    interface 4 aux passive
    exit
Page 251
ZyWALL 1050. Here is an example. First of all, we are going to configure three PPPoE links on ZyWALL 1050. We will also configure GE2 as a fixed link with the DHCP client enabled, since a DHCP server is enabled on the E1 router.
Page 252
3) Since we have three PPPoE links in our scenario, you will need two additional PPPoE accounts here as well. Repeat the above steps to create the other accounts. Your final PPPoE account summary screen should look like this.
Page 253
PPPoE connections come in over GE2, so we pick GE2 as our base interface. Pick the account profile that you want to apply to this PPPoE interface; all other remaining settings are either optional or depend on the requirements of your ISP.
Page 254
6) Repeat the above steps to create the other two PPPoE interfaces. Then you should get a screen that looks like this. If you want to connect your PPPoE interface manually, click on the icon below.
Page 255
9) Now check the box below to pick PPP1 as the interface to join the WAN Zone. Repeat the above steps to add PPP2 and PPP3 into the WAN Zone as well.
Page 256
10) Second, we will need to add all three of our PPPoE interfaces into the WAN Trunk interface. Please go to Configuration > Network > Interface > Trunk. 11) Click on the “+” icon to add a new interface into this WAN_Trunk interface.
Page 257
“Passive” here. The “Downstream Bandwidth” and the “Upstream Bandwidth” are the values used as reference by the load balancing algorithm. 13) Repeat the above steps until all three PPPoE interfaces are added into this WAN_Trunk interface.
Page 258
    account pppoe ISP1
    user test1@isp1.com
    password abcdefg
    authentication chap-pap
    compression no
    idle 0
    exit

CLI commands to create a PPPoE interface:
    interface ppp1
    no shutdown
Page 259
CLI commands to add all the PPPoE interfaces into the WAN Zone:
    zone WAN
    block
    no interface ge2
    no interface ge3
    interface ppp3
    interface ppp2
    interface ppp1
    interface ge2
    interface ge3
    exit
Page 260
    no interface ge3
    no interface aux
    interface 1 ppp3
    interface 2 ppp2
    interface 3 ppp1
    interface 4 ge2
    interface 5 ge3
    interface 6 aux passive
    exit
3.5.1 Priority & Bandwidth management
ZyWALL 1050 supports both prioritization and bandwidth management for outgoing traffic. IT administrators can define bandwidth management policies to ensure the quality of the services running in their network environment.
Page 262
To fulfill this scenario, please follow the configuration steps below: 1) By default, ZyWALL 1050 has already created a WAN Trunk interface for you, so you don’t need to worry about the WAN Trunk in this scenario. Now we will need to create the Bandwidth Management policies for our applications.
Page 263
We can assign this policy a relatively high priority (such as 100), so that even when bandwidth is insufficient, the SMTP service still gets more bandwidth than the other types of network services.
Page 264
3) Repeat the above steps to create two more policy routes for the “WWW” and “FTP” services. In the policy route you can set their Maximum Bandwidth to 800Kbps and 100Kbps along with a priority value. Below is what you should get so far:
Page 265
WAN is 1.5Mbps. We have already spent 400kbps for SMTP, 800kbps for HTTP, and 100kbps for FTP. What is left over is 200kbps available to us; thus, we can apply it to the remaining traffic, which is our default route.
Page 266
5) Modify the values of bandwidth and priority here in the default policy route. Click “OK” to apply. 6) Now the final list should look like the one below:
Page 267
    next-hop trunk WAN_TRUNK
    snat outgoing-interface
    bandwidth 400 priority 100
    exit

CLI commands for applying bandwidth and priority to the default policy route:
    policy 4    (the number of your default policy)
Page 268
    no user
    interface ge1
    source LAN_SUBNET
    destination any
    no schedule
    service any
    next-hop trunk WAN_TRUNK
    snat outgoing-interface
    bandwidth 200 priority 1024
    exit
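As an added example (not ZyXEL's code and not from the support notes), the following Python models the ordered policy-route list of this scenario: it derives the default route's bandwidth from the 1.5 Mbps WAN link, applies the first-match rule to a service, and flags two misconfigurations worth checking before applying the policies, reservations that exceed the link and a catch-all route placed ahead of the service routes it would shadow. The WWW and FTP priority values are not given on the page; those used here are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

WAN_KBPS = 1500  # the 1.5 Mbps WAN link of the scenario, in kbps


@dataclass
class PolicyRoute:
    """One policy route from the GUI list; the device matches these in order."""
    name: str
    service: str         # matched service; "any" is the catch-all default route
    bandwidth_kbps: int  # "bandwidth <kbps>" in the CLI listing
    priority: int        # lower number = higher priority (SMTP 100 is "high", default 1024)


def default_route_budget(routes: List[PolicyRoute], wan_kbps: int = WAN_KBPS) -> int:
    """Bandwidth left for the default route after the service policies reserve theirs.
    Raises if the service policies together exceed the link (over-subscription)."""
    reserved = sum(r.bandwidth_kbps for r in routes if r.service != "any")
    left = wan_kbps - reserved
    if left <= 0:
        raise ValueError(f"policies reserve {reserved} kbps on a {wan_kbps} kbps link")
    return left


def first_match(routes: List[PolicyRoute], service: str) -> Optional[PolicyRoute]:
    """Policy routes are matched in order: the first rule whose service matches wins."""
    for r in routes:
        if r.service in ("any", service):
            return r
    return None


def shadowed(routes: List[PolicyRoute]) -> List[str]:
    """Names of routes placed after a catch-all rule; with first-match they never fire."""
    names, seen_any = [], False
    for r in routes:
        if seen_any:
            names.append(r.name)
        if r.service == "any":
            seen_any = True
    return names


def build_scenario() -> List[PolicyRoute]:
    """The four routes of section 3.5.1, built from the page's numbers (constructed data).
    WWW/FTP priorities are placeholders; only SMTP (100) and default (1024) are given."""
    routes = [
        PolicyRoute("SMTP", "SMTP", 400, 100),
        PolicyRoute("WWW", "HTTP", 800, 200),   # placeholder priority
        PolicyRoute("FTP", "FTP", 100, 300),    # placeholder priority
    ]
    routes.append(PolicyRoute("default", "any", default_route_budget(routes), 1024))
    return routes


if __name__ == "__main__":
    for r in build_scenario():
        print(f"{r.name:8} service={r.service:5} bandwidth={r.bandwidth_kbps} kbps priority={r.priority}")
```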
A01. How can I connect to ZyWALL 1050 to perform administrator’s tasks?
You can connect your PC with an Ethernet cable to the ZyWALL 1050 port 1 interface, which is the leftmost Ethernet port. You will get an IP address automatically from DHCP by default. Connect to http://192.168.1.1...
Page 270
Control” configuration table is for controlling user login with the access user type to perform user access tasks, including User and Guest.
A04. Why does ZyWALL 1050 redirect me to the login page when I am performing management tasks in the GUI?
There may be several reasons for ZyWALL 1050 to redirect you to the login page while you are doing configuration. 1. The admin user’s re-auth time (forced re-login time) has been reached. The default value is 24 hours.
Page 272
Set the transfer mode to binary (use “bin” in the Windows command prompt). (4) Reload the firmware (e.g. use the command “put 1.00(XL.1)C0.bin” to upload the firmware file). (5) Wait until the FTP upload has completed; the ZyWALL 1050 will then restart automatically.
No. The device and service registration information is NOT stored in flash, which is temporary memory, so it will not be erased after ZyWALL 1050 is reset to system defaults.
C. File Manager FAQ
C01. How can ZyWALL 1050 manage multiple configuration files?
The ZyWALL 1050 GUI menu File Manager > Configuration File allows the admin to save multiple configuration files. The admin can also manipulate files, that is, upload, delete, copy, rename and download them, and apply a particular file to hot-switch the configuration without a hardware reboot.
Other settings do not change.
C05. How do I write a shell script?
You can edit shell scripts in a text editor and upload them to the ZyWALL 1050 through the GUI menu File Manager > Shell Script tab. Some notes are as follows.
D01. Why does ZyWALL 1050 use objects?
ZyWALL 1050 objects include address, service, schedule, authentication method, certificate, zone, interface group and ISP account objects. The ZyWALL 1050 uses objects as its basic configuration block. This simplifies configuration changes once you have a change in the network topology.
LAN PCs. So make sure that none of the interfaces that provide the DNS server go down because of link down, ping-check or
ZyWALL will try to maintain connectivity.
E06. What is port grouping used for in ZyWALL 1050?
We can group two or more ports (up to five) together to form a port group. For example, we group port1 and port2 together and the representative port is port1.
IPsec tunnel, you need to select “VPN tunnel”. Please note that policy routes are matched in order. If a route matches the criteria, ZyWALL 1050 uses that route’s setting to direct the traffic to its next hop.
3. Main table, which includes routes learned from RIP/OSPF, static routes and default routes.
F05. Why can’t ZyWALL 1050 ping an Internet host, while a PC on the LAN side can browse the Internet (WWW)?
This is mainly caused by your interface configuration. If you set up two WAN interfaces, each with a gateway IP address configured, two default route entries will be added on ZyWALL 1050.
interface, ZyWALL 1050 will select this as the default route and traffic can’t go out from the ZyWALL 1050.
F06. Why can’t I ping the Internet after I shut down the primary WAN interface?
ZyWALL 1050 routes packets by checking session information first. Once a packet matches a session that has already been created, the routing table is not looked up.
F10. Why can’t ZyWALL learn the routes from RIP and/or OSPF?
ZyWALL blocks RIP/OSPF routing advertisements from WAN/DMZ by default. If you find that it fails to learn the routes, check your firewall to-ZyWALL rules.
ZyWALL 1050 VPN is route-based, which means we need to configure a policy route rule to tell ZyWALL 1050 how to route the VPN traffic to the remote VPN subnet. We can check whether our VPN parameter settings are working by clicking the connect icon after the VPN tunnel has been configured on both gateways.
We need a policy route that tells ZyWALL 1050 to send a packet into the VPN tunnel when the packet’s destination address is in the remote VPN subnet. Please switch to ZyWALL 1050 GUI > Configuration > Policy > Route > Policy Route and check whether there is a rule that directs the traffic to the VPN tunnel.
If the traffic doesn't match the policy and policy enforcement is active, it will be dropped by the VPN. For inbound traffic with SNAT/DNAT, check whether there is a directly connected subnet or a route rule to the destination.
H03. Can I have access control rules for the device itself in the firewall?
If your ZyWALL 1050 image is older than b6, the answer is no: the firewall only affects forwarded traffic. You need to set the access control rules under System for each service, such as DNS, ICMP, WWW, SSH, TELNET, FTP and SNMP.
OSI layer 7, regardless of the port numbers.
I02. What applications can the Application Patrol function inspect?
The Application Patrol on ZyWALL 1050 supports four categories of application protocols at the time of writing. 1. General protocols -- HTTP, FTP, SMTP, POP3 and IRC.
Page 288
Using the port-based option can help in the following ways: (1) It provides a clear list of ports that is pre-defined in ZyWALL 1050. For example, it lets the user know that the eDonkey service is defined to take action on ports 4661 ~ 4665, as shown below.
Page 289
GUI showing “wait data timeout”. This is because the GUI cannot get the result of the IDP module setting within a certain period of time, even if the configuration of ZyWALL 1050 is correct.
J03. When I want to configure packet inspection (signatures), the GUI becomes very slow.
IDP? Please make sure you activate the “protected zone” you would like to protect, and that the action configured for attacks in that “protected zone” in the related IDP profile is something other than “none”.
MSN messenger wants to access are not in the trusted websites list, access will be blocked. If you really want this option enabled, you have to add these websites to the trusted websites list.
Backup device is online, and the Master can always preempt any Backup.
L02. What is the password in Synchronization?
If the Backup wants to synchronize its configuration from the Master, both the Master and Backup devices must be set with the same password.
M01. What is the difference between a user and a guest account?
Both “user” and “guest” are accounts for network access. The difference is that a “user” account can log in to ZyWALL 1050 via telnet/SSH to view limited personal information.
M02. What are the “re-authentication time” and “lease time”?
For security reasons, administrators and access users are required to authenticate themselves again after a period of time.
AAA stands for Authentication/Authorization/Accounting. AAA is a model for access control and also the basis for a user-aware device. A user-aware device like ZyWALL 1050 can use an authentication method to authenticate a user (to prove who the user is) and give the user the proper authority (defining what the user is and is not allowed to do) by an authorization method.
Page 296
Configuration > User/Group > User tab as below. The default lease time and re-authentication time of ldap-users and radius-users are 1440 minutes. See the flow as shown below.
N02. After I have filled in all the required fields, why can’t I receive the log mail?
The e-mail server may reject delivery of the event/alert mail for many reasons. Please enable the system debug log and find out why the e-mail server refused to accept the mail.
O04. Why can’t I see the connections from/to ZyWALL itself?
In the Session module, only forwarded traffic is listed. Forwarded traffic means traffic going through the ZyWALL. Therefore, the broadcast traffic on a bridge interface will be listed.