Summary of Contents for ZyXEL Communications ZYWALL 1050 - V2.00 EDITION 1
Page 1
ZyWALL 1050 Internet Security Gateway User’s Guide Version 2.00 7/2007 Edition 1 DEFAULT LOGIN LAN Port IP Address http://192.168.1.1 User Name admin Password 1234 www.zyxel.com...
About This User's Guide This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Generally, it is organized as follows. • Introduction (ZyWALL, web configurator) • Features (by menu item in the web configurator) •...
Page 4
• Supporting Disk Refer to the included CD for support documents. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Page 6
Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL 1050 User’s Guide...
Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
Page 11
Table of Contents About This User's Guide ......................3 Document Conventions......................5 Safety Warnings........................7 Contents Overview ........................9 Table of Contents........................11 List of Figures ......................... 29 List of Tables........................... 41 Part I: Introduction................. 49 Chapter 1 Introducing the ZyWALL ......................
Page 12
Table of Contents 3.1 Web Configurator Requirements ..................63 3.2 Web Configurator Access ....................63 3.3 Web Configurator Main Screen ................... 65 3.3.1 Title Bar ........................65 3.3.2 Navigation Panel ......................66 3.3.3 Main Window ......................69 3.3.4 Message Bar ......................69 Chapter 4 Wizard Setup ...........................
Page 13
Table of Contents 5.2 Terminology in the ZyWALL ....................110 5.3 Physical Ports, Interfaces, and Zones ................110 5.3.1 Network Topology Example ..................111 5.4 Feature Configuration Overview ..................112 5.5 Objects ..........................119 5.6 System Management and Maintenance ................121 Chapter 6 Tutorials ..........................123 6.1 Interfaces and Zones ......................
Page 14
Table of Contents 6.7 NAT Loopback ........................149 6.7.1 NAT Loopback Virtual Server ................... 150 6.7.2 NAT Loopback Policy Route ..................151 Chapter 7 Status ............................ 153 7.1 Status Screen ........................153 7.2 VPN Status ........................156 7.3 DHCP Table ........................157 7.4 Port Statistics ........................
Page 25
Table of Contents 40.6 My Certificates Screen ....................542 40.6.1 My Certificates Add Screen .................. 543 40.6.2 My Certificate Edit Screen ..................546 40.6.3 My Certificate Import Screen ................. 549 40.7 Trusted Certificates Screen .................... 550 40.7.1 OCSP ........................550 40.8 Trusted Certificates Edit Screen ..................
Page 26
Table of Contents 43.5.5 PTR Record ......................577 43.5.6 Adding an Address/PTR Record ................577 43.5.7 Domain Zone Forwarder ..................578 43.5.8 Adding a Domain Zone Forwarder ................. 578 43.5.9 MX Record ......................579 43.5.10 Adding a MX Record .................... 579 43.5.11 DNS Service Control ..................
Page 27
Table of Contents 44.13 Vantage CNM ....................... 604 44.14 Configuring Vantage CNM ..................... 605 44.15 Language Screen ......................606 Part VII: Maintenance & Troubleshooting.......... 607 Chapter 45 File Manager .......................... 609 45.1 Configuration Files and Shell Scripts Overview .............. 609 45.1.1 Comments in Configuration Files or Shell Scripts ..........
Page 28
Table of Contents 50.1 Getting More Troubleshooting Help ................. 646 50.2 Resetting the ZyWALL ..................... 646 Part VIII: Appendices and Index ............647 Appendix A Product Specifications..................649 Appendix B Log Descriptions ....................655 Appendix C Common Services .................... 695 Appendix D Displaying Anti-Virus Alert Messages in Windows..........
Page 29
List of Figures Figure 1 ZyWALL 1050 Front Panel ....................... 51 Figure 2 Managing the ZyWALL: Web Configurator ................52 Figure 3 Applications: VPN Connectivity ....................58 Figure 4 Network Access Mode: Reverse Proxy ................... 59 Figure 5 Network Access Mode: Full Tunnel Mode ................59 Figure 6 Applications: User-Aware Access Control ................
Page 32
List of Figures Figure 125 Port Grouping Example: Screen ................... 191 Figure 126 Network > Interface > Port Grouping ................192 Figure 127 Example: Before VLAN ...................... 193 Figure 128 Example: After VLAN ......................193 Figure 129 Network > Interface > VLAN ....................194 Figure 130 Network >...
Page 33
List of Figures Figure 168 H.323 ALG Example ......................263 Figure 169 SIP ALG Example ......................263 Figure 170 VoIP Calls from the WAN with Multiple Outgoing Calls ............264 Figure 171 VoIP with Multiple WAN IP Addresses ................265 Figure 172 Network >...
Page 34
List of Figures Figure 211 VPN > SSL VPN > Connection Monitor ................323 Figure 212 VPN > SSL VPN > Global Setting ..................324 Figure 213 Example Logo Graphic Display ..................325 Figure 214 SSL VPN Client Portal Screen Example ................326 Figure 215 Network Example ......................
Page 35
List of Figures Figure 254 L2TP to ZyWALL Properties > Security > IPSec Settings ..........356 Figure 255 L2TP to ZyWALL Properties: Networking ................356 Figure 256 Connect L2TP to ZyWALL ....................357 Figure 257 ZyWALL-L2TP System Tray Icon ..................357 Figure 258 ZyWALL-L2TP Status: Details ....................
Page 36
List of Figures Figure 297 SIP Any to WAN Bandwidth Management Example ............382 Figure 298 HTTP Any to WAN Bandwidth Management Example ............382 Figure 299 FTP WAN to DMZ Bandwidth Management Example ............383 Figure 300 FTP LAN to DMZ Bandwidth Management Example ............383 Figure 301 AppPatrol >...
Page 41
List of Tables Table 1 Front Panel LEDs ........................52 Table 2 Managing the ZyWALL: Console Port ..................53 Table 3 Starting and Stopping the ZyWALL ................... 53 Table 4 Packet Flow Key ........................56 Table 5 Title Bar: Web Configurator Icons ..................... 65 Table 6 Navigation Panel Summary ......................
Page 42
List of Tables Table 39 Licensing > Registration ......................163 Table 40 Licensing > Registration > Service ..................164 Table 41 Licensing > Update > IDP/AppPatrol ..................169 Table 42 Licensing > Update > System Protect ................... 171 Table 43 Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interfaces Characteristics ....176 Table 44 Example: Routing Table Entries for Interfaces ..............
Page 43
List of Tables Table 82 Network > HTTP Redirect > Edit ................... 259 Table 83 Network > ALG ........................266 Table 84 Default Firewall Rules ......................275 Table 85 Blocking All LAN to WAN IRC Traffic Example ..............277 Table 86 Limited LAN to WAN IRC Traffic Example 1 ................. 278 Table 87 Limited LAN to WAN IRC Traffic Example 2 .................
Page 44
List of Tables Table 125 Anti-X > Anti-Virus > Setting > Black List Add ..............409 Table 126 Anti-X > Anti-Virus > Signature ................... 410 Table 127 Anti-X > IDP > General ....................... 415 Table 128 Anti-X > IDP > General > Add ..................... 417 Table 129 Base Profiles ........................
Page 45
List of Tables Table 168 Object > Address > Address Group > Add ................514 Table 169 Object > Service > Service ....................516 Table 170 Object > Service > Service > Edit ..................517 Table 171 Object > Service > Service Group ..................518 Table 172 Object >...
Page 46
List of Tables Table 211 System > SNMP ........................602 Table 212 System > Dial-in Mgmt ......................604 Table 213 System > Vantage CNM ...................... 605 Table 214 System > Language ......................606 Table 215 Configuration Files and Shell Scripts in the ZyWALL ............610 Table 216 Maintenance >...
Page 47
List of Tables Table 254 Interface Logs ........................691 Table 255 Account Logs ........................693 Table 256 Port Grouping Logs ......................693 Table 257 Force Authentication Logs ....................694 Table 258 File Manager Logs ......................694 Table 259 Commonly Used Services ....................695 ZyWALL 1050 User’s Guide...
Introduction Introducing the ZyWALL (51) Features and Applications (55) Web Configurator (63) Configuration Basics (109) Tutorials (123) Status (153) Registration (161) Update (167)
Chapter 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is an Internet Security Gateway designed for Small and Medium Businesses (SMB).
Chapter 1 Introducing the ZyWALL The following table describes the LEDs. Table 1 Front Panel LEDs COLOR STATUS DESCRIPTION The ZyWALL is turned off. Green The ZyWALL is turned on. There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.4 on page 53).
Chapter 1 Introducing the ZyWALL Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI. Console Port You can use the console port to manage the ZyWALL.
Page 54
Chapter 1 Introducing the ZyWALL It is recommended you use the shutdown command before turning off the ZyWALL. When you apply configuration files or run shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network resources temporarily while the ZyWALL is applying configuration files or running shell scripts.
Chapter 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates.
Chapter 2 Features and Applications Intrusion Detection and Prevention (IDP) IDP (Intrusion Detection and Protection) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See Section 29.8.2 on page 423 for a list of attacks that the ZyWALL can protect against.
Chapter 2 Features and Applications Ethernet -> VLAN -> Encap -> ALG -> AC -> DNAT-> Routing -> FW -> AC -> IDP -> AV -> AP -> CF -> SNAT -> IPSec E -> Routing -> BWM -> Encap -> VLAN -> Ethernet 2.3 Applications These are some example applications for your ZyWALL.
Chapter 2 Features and Applications With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access. Figure 4 Network Access Mode: Reverse Proxy 2.3.2.2 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses...
Chapter 2 Features and Applications Figure 6 Applications: User-Aware Access Control 2.3.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 7 Applications: Multiple WAN Interfaces 2.3.5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always...
Chapter 3 Web Configurator The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the web configurator, you must • Use Internet Explorer 6.0 or later, Netscape Navigator 7.2 or later, or Firefox 1.0.7 or later •...
Chapter 3 Web Configurator Figure 9 Login Screen 3 Type the user name (default: “admin”) and password (default: “1234”). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login.
Chapter 3 Web Configurator Follow the directions in this screen. If you change the default password, the Login screen (Figure 9 on page 64) appears after you click Apply. If you click Ignore, the main screen appears. Figure 11 Main Screen 3.3 Web Configurator Main Screen As illustrated in Figure 11 on page...
Chapter 3 Web Configurator Table 5 Title Bar: Web Configurator Icons (continued) ICON DESCRIPTION Console: Click this icon to open the console in which you can use the command line interface (CLI). Site Map: Click this icon to display the site map for the web configurator. You can use the site map to go directly to any menu item or any tab in the web configurator.
Page 67
Chapter 3 Web Configurator Table 6 Navigation Panel Summary (continued) LINK FUNCTION Zone: Use this screen to configure zones used to define various policies. DDNS: Use this screen to define and manage domain names and DDNS servers. Virtual Server: Use this screen to set up and manage port forwarding rules. HTTP Redirect: Use this screen to set up and manage HTTP redirection rules.
Page 68
Chapter 3 Web Configurator Table 6 Navigation Panel Summary (continued) LINK FUNCTION General: Use this screen to look at and manage ADP bindings. Profile: Use this screen to create and manage ADP profiles. Content Filter > General: Use this screen to create and manage content filter policies. Filtering Profile: Use this screen to create and manage the detailed filtering rules for content...
Chapter 3 Web Configurator Table 6 Navigation Panel Summary (continued) LINK FUNCTION Console Speed: Use this screen to set the console speed. Use this screen to configure the DNS server and address records for the ZyWALL. Use this screen to configure HTTP, HTTPS, and general authentication. Use this screen to configure the SSH server and SSH service settings for the ZyWALL.
Chapter 3 Web Configurator Figure 12 Message Bar 3.3.4.1 Warning Messages Click the up arrow to view the ZyWALL’s current warning messages. These warning messages display in a popup window, such as the following. Figure 13 Warning Messages Click Refresh Now to update the screen. Close the popup window when you are done with it. Click Clear Warning Message to remove the current warning messages from the window.
Chapter 3 Web Configurator Figure 14 CLI Messages Click Change Display Style to show or hide the index numbers for the commands (the commands are more convenient to copy and paste without the index numbers). Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it.
Chapter 4 Wizard Setup This chapter provides information on configuring the Wizard setup screens in the web configurator. See the feature-specific chapters in this User’s Guide for background information. 4.1 Wizard Setup Overview Use the wizards only for initial configuration starting from the default configuration.
Chapter 4 Wizard Setup Use VPN SETUP to configure a VPN connection. See Section 4.6 on page Figure 15 Wizard Setup Welcome 4.2 Installation Setup, One ISP The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field.
Chapter 4 Wizard Setup Figure 16 Internet Access: Step 1 The following table describes the labels in this screen. Table 7 Internet Access: Step 1 LABEL DESCRIPTION ISP Parameters Encapsulation Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
Chapter 4 Wizard Setup IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 4.3.1 Ethernet: Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen, the following screen displays.
Chapter 4 Wizard Setup Figure 18 Ethernet Encapsulation: Static The following table describes the labels in this screen. Table 8 Ethernet Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. WAN IP Address Assignments WAN Interface This displays the identity of the interface you configure to connect with your ISP.
Chapter 4 Wizard Setup 4.3.3 Step 2 Internet Access Ethernet You do not configure this screen if you selected Auto as the IP Address Assignment in the previous screen. Enter the Internet access information exactly as given to you by your ISP. WAN Interface: This is the number of the interface that will connect with your ISP.
Chapter 4 Wizard Setup You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 89). If you want to do a more detailed registration or manage your account details, click myZyXEL.com. Alternatively, click Close to exit the wizard.
Chapter 4 Wizard Setup Table 9 PPPoE Encapsulation: Auto (continued) LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. WAN IP Address Assignments WAN Interface This displays the identity of the interface you configure to connect with your ISP.
Chapter 4 Wizard Setup Figure 22 PPPoE Encapsulation: Static The following table describes the labels in this screen. Table 10 PPPoE Encapsulation: Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. Service Name Type the PPPoE service name given to you by your ISP.
Chapter 4 Wizard Setup Table 10 PPPoE Encapsulation: Static (continued) LABEL DESCRIPTION First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Chapter 4 Wizard Setup Figure 23 PPPoE Encapsulation: Static: Finish You have set up your ZyWALL to access the Internet. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page...
Chapter 4 Wizard Setup Figure 24 PPTP Encapsulation: Auto The following table describes the labels in this screen. Table 11 PPTP Encapsulation: Auto LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you are configuring. User Name Type the user name given to you by your ISP.
Chapter 4 Wizard Setup Table 11 PPTP Encapsulation: Auto (continued) LABEL DESCRIPTION Connection ID Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_ characters, and it can be up to 31 characters long.
Chapter 4 Wizard Setup If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 89).
Chapter 4 Wizard Setup Table 12 PPTP Encapsulation: Static (continued) LABEL DESCRIPTION User Name Type the user name given to you by your ISP. You can use alphanumeric and - @$./ characters, and it can be up to 31 characters long. Password Type the password associated with the user name above.
Chapter 4 Wizard Setup Type the Password associated with the user name. Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.
Chapter 4 Wizard Setup 4.3.10 Step 4 Internet Access - Finish You have set up your ZyWALL to access the Internet. If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page...
Chapter 4 Wizard Setup Figure 28 Registration The following table describes the labels in this screen. Table 13 Registration LABEL DESCRIPTION Device Registration If you select existing myZyXEL.com account, only the User Name and Password fields are available. new myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your...
Chapter 4 Wizard Setup Table 13 Registration (continued) LABEL DESCRIPTION Close Click Close to exit the wizard. Next Click Next to save your changes back to the ZyWALL and activate the selected services. Figure 29 Registration: Registered Device 4.5 Installation Setup, Two Internet Service Providers This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers (ISPs) or two different accounts with the same ISP.
Chapter 4 Wizard Setup Figure 30 Internet Access: Step 1: First WAN Interface After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue. Figure 31 Internet Access: Step 3: Second WAN Interface After you configure the Second WAN Interface, a summary of configuration settings display for both WAN interfaces.
Chapter 4 Wizard Setup Figure 32 Internet Access: Finish You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Use the myZyXEL.com link if you do not already have a myZyXEL.com account. If you already have a myZyXEL.com account, you can click Next and use the following screen to register your ZyWALL and activate service trials (see Section 4.4 on page 89).
Chapter 4 Wizard Setup Click VPN SETUP in the Wizard Setup Welcome screen (Figure 15 on page 74) to open the following screen. Use it to select which type of VPN settings you want to configure. Figure 33 VPN Wizard: Wizard Type The following table describes the labels in this screen.
Chapter 4 Wizard Setup 4.7.1 VPN Express Wizard Click the Express radio button as shown in Figure 33 on page 94 to display the following screen. Figure 34 VPN Express Wizard: Step 2 The following table describes the labels in this screen. Table 15 VPN Express Wizard: Step 2 LABEL DESCRIPTION...
Chapter 4 Wizard Setup Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Secure Gateway: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway).
Chapter 4 Wizard Setup 4.8.1 VPN Express Wizard - Policy Setting The Policy Setting specifies which devices can use the VPN tunnel. Local and remote IP addresses must be static. Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet.
Chapter 4 Wizard Setup Table 17 VPN Express Wizard: Step 4 (continued) LABEL DESCRIPTION Configuration for Remote Gateway: These commands set the matching VPN connection settings for the remote gateway. If the remote gateway is a ZLD-based ZyWALL, you can copy and paste this list into its command line interface in order to configure it for the VPN tunnel.
Chapter 4 Wizard Setup If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP. Alternatively, click Close to exit the wizard. 4.8.3 VPN Express Wizard - Finish Now you can use the VPN tunnel.
Chapter 4 Wizard Setup Figure 38 VPN Advanced Wizard: Step 2 The following table describes the labels in this screen. Table 18 VPN Advanced Wizard: Step 2 LABEL DESCRIPTION Remote Gateway Name Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 4 Wizard Setup Table 18 VPN Advanced Wizard: Step 2 (continued) LABEL DESCRIPTION Certificate Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click Certificate under the Object menu to go to the My Certificates screen where you can view the ZyWALL's list of certificates.
Chapter 4 Wizard Setup Figure 39 VPN Advanced Wizard: Step 3 The following table describes the labels in this screen. Table 19 VPN Advanced Wizard: Step 3 LABEL DESCRIPTION Negotiation Mode Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.
Chapter 4 Wizard Setup Table 19 VPN Advanced Wizard: Step 3 (continued) LABEL DESCRIPTION SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
Chapter 4 Wizard Setup 4.8.6.1 Phase 2 Setting Phase 2 of IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 40 VPN Advanced Wizard: Step 4 The following table describes the labels in this screen. Table 20 VPN Advanced Wizard: Step 4 LABEL DESCRIPTION...
Chapter 4 Wizard Setup Table 20 VPN Advanced Wizard: Step 4 (continued) LABEL DESCRIPTION SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 60 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
Chapter 4 Wizard Setup Figure 41 VPN Advanced Wizard: Step 5 The following table describes the labels in this screen. Table 21 VPN Advanced Wizard: Step 5 LABEL DESCRIPTION Summary Name This is the name of the VPN connection (and VPN gateway). Secure This is the WAN IP address or domain name of the remote IPSec router.
Chapter 4 Wizard Setup Secure Gateway: IP address or domain name of the peer IPSec device. Pre-Shared Key: VPN tunnel password. Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel.
Page 108
Chapter 4 Wizard Setup If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP. You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 89).
Chapter 5 Configuration Basics This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL.
Chapter 5 Configuration Basics 5.2 Terminology in the ZyWALL This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers. Table 22 ZyWALL Terminology That is Different Than ZyNOS ZYNOS FEATURE / TERM ZYWALL FEATURE / TERM Port forwarding Virtual server...
Chapter 5 Configuration Basics A physical port is the place to which you connect the cable. As shown above, you do not usually configure physical ports to use various features. You configure interfaces and zones. The ZyWALL supports one-to-one, one-to-many, many-to-one, and many-to-none relationships between physical ports and interfaces.
Chapter 5 Configuration Basics Figure 43 Interfaces and Zones: Example • The LAN zone contains the ge1 (Gigabit Ethernet 1) interface. This is a protected zone and uses private IP addresses. ge1 uses 192.168.1.1 and the connected devices use IP addresses in the 192.168.1.2 to 192.168.1.254 range.
Page 113
Chapter 5 Configuration Basics PREREQUISITES: These are other features you should configure before you configure the main screen(s) for this feature. If you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object you return to the main screen to finish configuring the feature.
Page 114
Chapter 5 Configuration Basics WHERE USED: Policy routes. Example: See Chapter 6 on page 123. IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.
Page 115
Chapter 5 Configuration Basics When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone. MENU ITEM(S): Network > Zone. PREREQUISITES: Interfaces, IPSec VPN, SSL VPN. WHERE USED: Firewall, IDP, remote management, anti-virus, ADP, application patrol. Example: For example, to create the DMZ-2 zone and add ge5 as in the network topology...
Page 116
Chapter 5 Configuration Basics 7 For the service, select FTP. 8 For the Next Hop fields, select Interface as the Type if you have a single WAN connection or Trunk if you have multiple WAN connections. 9 Select the interface that you are using for your WAN connection (ge2 and ge3 are WAN interfaces by default).
Page 117
Chapter 5 Configuration Basics • Leave the Access field set to Allow and the Log field set to No. The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence. Application Patrol Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so).
Page 118
Chapter 5 Configuration Basics PREREQUISITES: Registration, zones. ADP Use ADP to detect and take action on traffic and protocol anomalies. MENU ITEM(S): Anti-X > ADP. PREREQUISITES: Zones. Content Filter Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies).
Chapter 5 Configuration Basics 1 Click Network > Virtual Server to configure the virtual server. Add an entry. 2 Name the entry. 3 Select the WAN interface that the FTP traffic is to come in through (in this example, ge2 or ge3.) 4 Specify the public WAN IP address where the ZyWALL will receive the FTP packets.
Chapter 5 Configuration Basics The following table introduces the objects. You can also use this table when you want to delete an object because you have to delete references to the object first. Table 27 OBJECT WHERE USED user/group See the User/Group section for details on users and user groups.
Chapter 5 Configuration Basics 5.6 System Management and Maintenance This section introduces some of the management and maintenance features in the ZyWALL. Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in the ZyWALL. Use Console Speed to set the console speed.
Page 122
Chapter 5 Configuration Basics Licensing Update Use these screens to update the ZyWALL’s signature packages for the anti-virus, IDP and application patrol, and system protect features. You must have a valid subscription to update the anti-virus and IDP/application patrol signatures You must have Internet access to myZyXEL.com.
Chapter 6 Tutorials This chapter provides some examples of using the web configurator to set up features in the ZyWALL. See also Chapter 26 on page 347 for an example of configuring L2TP. 6.1 Interfaces and Zones The following example shows how to use port grouping, Ethernet interfaces, trunks, and zones to set up the following configuration.
Figure 44 Network > Interface > Port Grouping, Initial 2 Drag physical port 2 onto representative interface ge1, as shown below. Figure 45 Network > Interface > Port Grouping, Drag-and-Drop 3 Click Apply. 4 Click Status, and look at the Interface Status Summary, shown below. Ethernet interface ge1 has a status of Port Group Up, and Ethernet interface ge2 is disabled and has a Status of Port Group Inactive.
Figure 46 Status: Interface Status Summary After Port Grouping 6.1.2 Set up Ethernet Interfaces This example sets up the Ethernet interfaces as shown below. Table 30 Ethernet Interfaces Example (ETHERNET INTERFACE / SETTINGS): 192.168.1.1/24, DHCP server; DHCP client; 172.23.37.240/24; 10.0.0.1/24, DHCP server. You have decided to use the default settings for ge1 and ge3, so it is not necessary to edit these...
Figure 48 Network > Interface > Ethernet > ge4 3 Use the default values for the rest of the settings. Click Apply to save these changes and return to the previous screen. Click the Edit icon for ge5, and set up the IP address as shown below.
Figure 51 Status > Interface Status Summary, After Ethernet Interface Edits 6.1.3 WAN Trunk This example sets up trunk WAN_TRUNK with ge3 and ge4. This example uses the default settings for the trunk and shows how to add the interfaces to it. Table 31 Trunk Example ETHERNET TRUNK...
Figure 54 Network > Interface > Trunk > Edit > Member 4 Use the default values for the rest of the settings. Click OK to save these changes and return to the previous screen. 6.1.4 Zones This example sets up the LAN, WAN, and DMZ zones as shown below. Table 32 Zones Example ETHERNET DEFAULT ZONE...
Figure 56 Network > Zone > DMZ, Remove ge4 3 Select IFACE/ge4 and click the left arrow to remove ge4 from the Member list. Click OK to save these changes and return to the previous screen. 4 Click the Edit icon for WAN. The following screen appears. Figure 57 Network >...
6.2 IPSec VPN This example is going to show you how to create the VPN tunnel illustrated below. Figure 59 VPN Example (figure labels: 172.23.37.240, 220.123.143.10/24, 192.168.10.0/24, 192.168.1.33 ~ 192.168.1.232). In this example, the ZyWALL is router X (172.23.37.240/24), and the remote IPSec router is router Y (220.123.143.10/24).
Figure 60 VPN > IPSec VPN > VPN Gateway > Add 6.2.3 Set up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Object >...
Figure 62 VPN > IPSec VPN > VPN Connection > add 6.2.4 Set up the Policy Route for the VPN Tunnel You should create a new policy route to use the VPN tunnel. This policy route will only use the existing address objects, so you do not have to create any additional objects first.
Figure 64 Network > Routing > Policy Route > Add Because the new VPN connection has not been assigned to a zone yet, there are no restrictions (for example, firewall) on traffic to or from this VPN connection. You should set up the VPN settings on the remote IPSec router and try to establish the VPN tunnel before continuing.
6.3 Device HA This example is going to show you how to set up device HA as illustrated below. Figure 66 Device HA Example (figure labels: 192.168.1.1, 192.168.1.101). In this example, router A is the default gateway for the network and uses IP address 192.168.1.1.
Figure 67 Device HA > VRRP Group > Add: ge1 3 Click Status, and scroll down to the Interface Status Summary. The H/A Status field is Active. Figure 68 Status: Interface Status Summary: Device HA Master Configured 4 Repeat these steps for the interface that is connected to the Internet.
Figure 69 Network > Device HA > VRRP Group > Add: ge4 Once you configure an interface in a VRRP group, you should not configure the interface to have a dynamic IP address. 6.3.3 Set up the Password for Synchronization 1 Click Device HA >...
6.3.4 Finish Configuring the Master Finish configuring the master. The backup router will get these updates later, when it synchronizes with the master. 6.3.5 Set up the Ethernet Interfaces on the Backup On the backup ZyWALL, ge1 should be configured exactly the same way it is configured on the master, including the same IP address.
6.3.7 Synchronize the Backup 1 Connect the backup to the same network as the master. 2 Click Device HA > Synchronize. 3 Type the password for synchronization in the Password field. Enter the IP address of the master (on a secure network), and click Sync Now to get the configuration from the master.
6.4.1 Set up User Accounts Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead.
6.4.3 Set up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method.
The users will have to log in using the web configurator login screen before they can use HTTP or MSN. Figure 79 Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears.
Figure 81 AppPatrol > http > Edit Default 4 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields.
Figure 83 Object > Schedule > Recurring > add 3 Follow the steps in Section 6.4.4 on page 141 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access.
Figure 85 Firewall > LAN > DMZ > Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ. 6.5 Trunks The following example shows how to set up a trunk for two connections (ge2 and ge3) to the Internet.
Figure 87 Network > Interface > Ethernet > Edit > ge2 2 Click the Edit icon for ge3, and enter the available bandwidth (512 kbps) in the Upstream Bandwidth and Downstream Bandwidth fields. Click OK. 6.5.2 Change WAN Trunk Algorithm 1 Click Network >...
The firewall is enabled, so you also need to create a rule to allow traffic in from the WAN zone. Figure 89 NAT 1:1 Example Network Topology (figure labels: 1.1.1.1, 192.168.1.21). 6.6.1 NAT 1:1 Address Objects First create two address objects for the private and public IP addresses (LAN_SMTP and WAN_EG) in the Object >...
6.6.2 NAT 1:1 Virtual Server This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1.1.1.1 at the ZyWALL’s ge3 (WAN) interface, to the LAN SMTP server’s IP address (192.168.1.21).
Figure 94 NAT 1:1 Example Policy Route (figure labels: Source 192.168.1.1, Source 1.1.1.1, SMTP, SMTP, 192.168.1.21). Click Network > Routing > Policy Route > Add and configure the screen as shown next. Be careful of where you create the route as routes are ordered in descending priority. Figure 95 Create a Policy Route 6.6.4 NAT 1:1 Firewall Rule Create a firewall rule to allow access from the WAN zone to the mail server in the LAN zone.
Figure 96 Create a Firewall Rule 6.7 NAT Loopback The NAT 1:1 example in Section 6.6 on page 145 maps a public IP address to the private IP address of a LAN SMTP mail server to allow users to access the SMTP mail server from the WAN.
6.7.1 NAT Loopback Virtual Server When a LAN user sends SMTP traffic to IP address 1.1.1.1, the traffic comes into the ZyWALL through the ge1 (LAN) interface, thus it does not match the NAT 1:1 mapping’s virtual server rule for SMTP traffic coming to IP 1.1.1.1 from ge3 (the WAN). So you must configure a similar virtual server rule for ge1.
6.7.2 NAT Loopback Policy Route Without a NAT loopback policy route, the LAN user’s SMTP traffic that goes to the LAN SMTP server has the LAN computer’s IP address as the source. The source address is in the same subnet, so the LAN SMTP server replies directly.
Figure 102 Create a Policy Route Now the LAN SMTP server replies to the ZyWALL’s LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user’s computer. The source in the return traffic matches the original destination address (1.1.1.1) and the LAN user can use the LAN SMTP server.
Chapter 7 Status This chapter explains the Status screen, which is the screen you see when you first log in to the ZyWALL or when you click Status. 7.1 Status Screen Use this screen to look at the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status.
The following table describes the labels in this screen. Table 34 Status LABEL DESCRIPTION Device Information System Name: This field displays the name used to identify the ZyWALL on any network. Click the icon on the right to open the screen where you can change it. See Section 43.2 on page 569.
Table 34 Status (continued) LABEL DESCRIPTION Signature Version: This field displays the version number, date, and time of the current set of signatures the ZyWALL is using. Last Update Time: This field displays the last time the ZyWALL received updated signatures. Total: This field displays the total number of signatures in the current signature version.
Table 34 Status (continued) LABEL DESCRIPTION HA Status: This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now.
Figure 105 Status > VPN Status The following table describes the labels in this screen. Table 35 Status > VPN Status LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific SA. Name: This field displays the name of the IPSec SA.
Figure 106 Status > DHCP Table The following table describes the labels in this screen. Table 36 Status > DHCP Table LABEL DESCRIPTION Interface: Select for which interface you want to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
Figure 107 Status > Port Statistics The following table describes the labels in this screen. Table 37 Status > Port Statistics LABEL DESCRIPTION Port: This field displays the physical port number. Status: This field displays the current status of the physical port. Down - The physical port is not connected.
Figure 108 Status > Current Users The following table describes the labels in this screen. Table 38 Status > Current Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry. User ID: This field displays the user name of each user who is currently logged in to the ZyWALL.
This chapter shows you how to register for the ZyWALL’s subscription services. 8.1 myZyXEL.com Overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
• You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com. See the respective chapters for more information about these features. To update the signature file or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com...
Chapter 8 Registration The following table describes the labels in this screen. Table 39 Licensing > Registration LABEL DESCRIPTION General Setup: existing myZyXEL.com account - If you select this, only the User Name and Password fields are available. new myZyXEL.com account - If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Figure 110 Licensing > Registration: Registered Device 8.3 Service After you activate a trial, you can also use this screen to register and enter your iCard’s PIN number (license key). Click Licensing > Registration > Service to open the screen as shown next.
Table 40 Licensing > Registration > Service (continued) LABEL DESCRIPTION Expiration date: This field displays the date your service expires. You can continue to use IDP/AppPatrol or Anti-Virus after the registration expires; you just won’t receive updated signatures. Count: This field displays how many VPN tunnels you can use with your current license.
Chapter 9 Update This chapter shows you how to update the ZyWALL’s signature packages. 9.0.1 Updating Anti-virus Signatures When scheduling signature updates, choose a day and time when your network is least busy to minimize disruption to your network. Your custom signature configurations are not overwritten when you download new signatures.
Current Version: This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) who maintain and update them. This number gets larger as new signatures are added, so you should refer to this number regularly.
Figure 113 Licensing > Update > IDP/AppPatrol The following table describes the fields in this screen. Table 41 Licensing > Update > IDP/AppPatrol LABEL DESCRIPTION Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Figure 114 Downloading IDP Signatures Figure 115 Successful IDP Signature Download 9.2 Updating System Protect Signatures The ZyWALL comes with signatures that the ZyWALL uses to protect itself from intrusions. These signatures are continually updated as new attack types evolve. These system protect signature updates are free and can be downloaded to the ZyWALL periodically.
Figure 116 Licensing > Update > System Protect The following table describes the fields in this screen. Table 42 Licensing > Update > System Protect LABEL DESCRIPTION Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Chapter 10 Interface See the Interface section in the Configuration Overview chapter for related information on these screens. 10.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. •...
• The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port. •...
Figure 119 Example: Entry in the Routing Table Derived from Interfaces. Table 44 Example: Routing Table Entries for Interfaces (IP ADDRESS(ES) / DESTINATION): 100.100.1.1/16; 200.200.200.1/24. For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1.
10.1.3 Interface Parameters The ZyWALL restricts the amount of traffic into and out of the ZyWALL through each interface. • Upstream bandwidth is the amount of traffic from the ZyWALL through the interface to the network. • Downstream bandwidth is the amount of traffic from the network through the interface into the ZyWALL.
Table 46 Example: Assigning IP Addresses from a Pool (continued)
START IP ADDRESS | POOL SIZE | RANGE OF ASSIGNED IP ADDRESS
99.99.1.1 | 1023 | 99.99.1.1 - 99.99.4.255
120.120.120.100 | | 120.120.120.100 - 120.120.120.199
The ZyWALL cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface’s IP address and subnet mask.
10.1.6 Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table. Table 47 Relationships Between Different Types of Interfaces REQUIRED PORT / INTERFACE...
In addition, you use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management.
Figure 120 Network > Interface > Interface Summary Each field is described in the following table. Table 48 Network > Interface > Interface Summary LABEL DESCRIPTION Interface Summary: If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.
Table 48 Network > Interface > Interface Summary (continued) LABEL DESCRIPTION Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For port groups: Inactive - The port group is disabled. Port Group Down - The port group is enabled but not connected.
Table 48 Network > Interface > Interface Summary (continued) LABEL DESCRIPTION Interface Statistics: This table provides packet statistics for each interface. Name: This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click this to look at the statistics for virtual interfaces on top of this interface.
Each field is described in the following table. Table 49 Network > Interface > Ethernet LABEL DESCRIPTION This field is a sequential value, and it is not associated with any interface. Name: This field displays the name of the interface. IP Address: This field displays the current IP address of the interface.
Each field is described in the table below. Table 50 Network > Interface > Ethernet > Edit LABEL DESCRIPTION Ethernet Interface Properties Enable: Select this to enable this interface. Clear this to disable this interface. Interface Name: This field is read-only.
Table 50 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Direction: This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information.
Table 50 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Relay Server 2: This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server. IP Pool Start: Enter the IP address from which the ZyWALL begins allocating IP addresses.
Table 50 Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION Edit static DHCP table: Click this if you want the ZyWALL to assign static IP addresses to computers. The Static DHCP screen appears. Figure 123 Network > Interface > Ethernet > Edit > Edit static DHCP table The ZyWALL checks this table when it assigns IP addresses.
Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group. Port groups have the following characteristics: •...
Figure 126 Network > Interface > Port Grouping Each section in this screen is described below. Table 51 Network > Interface > Port Grouping LABEL DESCRIPTION Representative Interface (ge1, ge2, ge3, ge4, ge5): These are Ethernet interfaces. To add a physical port to a representative interface, drag the physical port onto the corresponding representative...
Figure 127 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs. Figure 128 Example: After VLAN Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways.
• Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies.
Table 52 Network > Interface > VLAN (continued) LABEL DESCRIPTION Port/VID: For VLAN interfaces, this field displays • the Ethernet interface on which the VLAN interface is created • the VLAN ID. For virtual interfaces, this field is blank. IP Address: This field displays the current IP address of the interface.
Each field is explained in the following table. Table 53 Network > Interface > VLAN > Edit LABEL DESCRIPTION VLAN Interface Properties Enable: Select this to enable this interface. Clear this to disable this interface. Interface Name: This field is read-only if you are editing the interface.
Table 53 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services. There is already a DHCP server on the network.
Table 53 Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION Edit static DHCP table: Click this if you want the ZyWALL to assign static IP addresses to computers. The Static DHCP screen appears. Figure 131 Network > Interface > Edit > Edit static DHCP table The ZyWALL checks this table when it assigns IP addresses.
10.5.1 Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table.
10.5.2 Bridge Interface Overview A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the ZyWALL’s interface for the resulting network. A bridge interface may consist of the following members: •...
Table 57 Network > Interface > Bridge (continued) LABEL DESCRIPTION IP Address: This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP).
In this example, you are creating a new bridge. If you are editing a bridge, the Interface Name field is read-only. Each field is described in the table below. Table 58 Network > Interface > Bridge > Edit LABEL DESCRIPTION Bridge Interface...
Table 58 Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments.
Table 58 Network > Interface > Bridge > Edit (continued) LABEL DESCRIPTION Edit static DHCP table: Click this if you want the ZyWALL to assign static IP addresses to computers. The Static DHCP screen appears. Figure 134 Network > Interface > Edit > Edit static DHCP table The ZyWALL checks this table when it assigns IP addresses.
PPPoE is often used with cable modems and DSL connections. It provides the following advantages: • The access and authentication method works with existing systems, including RADIUS. • You can access one of several network services. This makes it easier for the service provider to offer the service. •...
10.6.3 PPPoE/PPTP Interface Summary You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lists every PPPoE/PPTP interface. To access this screen, click Network > Interface > PPPoE/PPTP. Figure 136 Network > Interface > PPPoE/PPTP Each field is described in the table below.
10.6.4 PPPoE/PPTP Interface Add/Edit You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Add icon or an Edit icon in the PPPoE/PPTP Interface Summary screen. Figure 137 Network >...
Each field is explained in the following table. Table 60 Network > Interface > PPPoE/PPTP > Edit LABEL DESCRIPTION PPP Interface Properties Enable: Select this to enable this interface. Clear this to disable this interface. Interface Name: This field is read-only if you are editing the interface.
Table 60 Network > Interface > PPPoE/PPTP > Edit (continued) LABEL DESCRIPTION Ping Check: The interface can regularly ping the gateway you specified to make sure it is still available. You specify how often the interface pings the gateway, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
Figure 138 Network > Interface > Auxiliary Each field is described in the table below. Table 61 Network > Interface > Auxiliary LABEL DESCRIPTION Auxiliary Interface Properties Enable: Select this to turn on the auxiliary dial up interface. The interface does not dial out, however, unless it is part of a trunk and load-balancing conditions are satisfied.
Table 61 Network > Interface > Auxiliary (continued) LABEL DESCRIPTION Authentication Type: Select the authentication protocol to use for outgoing calls. Choices are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP, as requested by the computer you are dialing. CHAP - Your ZyWALL accepts CHAP only.
Figure 139 Network > Interface > Add Each field is described in the table below. Table 62 Network > Interface > Add LABEL DESCRIPTION Virtual Interface Properties Interface Name: This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
Chapter 11 Trunks This chapter shows you how to configure trunks on your ZyWALL. See the Trunks section in the Configuration Overview chapter for related information on these screens. 11.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability.
Maybe you have two connections with different bandwidths. For jitter-sensitive traffic (like video for example), you could set up a trunk group that uses spillover or weighted round robin load balancing to make sure that most of the jitter-sensitive traffic goes through the higher-bandwidth interface.
11.4.2 Weighted Round Robin Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list.
Figure 142 Spillover Algorithm Example 11.5 Trunk Summary Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 143 Network > Interface > Trunk The following table describes the items in this screen.
Figure 144 Network > Interface > Trunk > Edit Each field is described in the table below. Table 65 Network > Interface > Trunk > Edit LABEL DESCRIPTION Name: Enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 65 Network > Interface > Trunk > Edit (continued) LABEL DESCRIPTION Spillover: This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface.
H A P T E R Policy and Static Routes This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. See the Policy Routes section in the Configuration Overview chapter for related information on the policy route screens. 12.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
Chapter 12 Policy and Static Routes • Limiting the amount of bandwidth available and setting a priority for traffic. IPPR follows the existing packet filtering facility of RAS in style and in implementation. 12.2.1 NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network.
Chapter 12 Policy and Static Routes Figure 145 Trigger Port Forwarding Example 12.2.3 Maximize Bandwidth Usage The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth.
Chapter 12 Policy and Static Routes Figure 146 Network > Routing > Policy Route The following table describes the labels in this screen. Table 66 Network > Routing > Policy Route LABEL DESCRIPTION Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
Chapter 12 Policy and Static Routes Table 66 Network > Routing > Policy Route (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the rule is enabled or not. Click the Active icon to activate or deactivate the policy.
Chapter 12 Policy and Static Routes Figure 147 Network > Routing > Policy Route > Edit The following table describes the labels in this screen. Table 67 Network > Routing > Policy Route > Edit LABEL DESCRIPTION Configuration Enable Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy.
Chapter 12 Policy and Static Routes Table 67 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Type Select Auto to have the ZyWALL use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field.
Chapter 12 Policy and Static Routes Table 67 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Bandwidth This allows you to allocate bandwidth to a route and prioritize traffic that matches Shaping the routing policy. You must also enable bandwidth management in the main policy route screen (Network >...
Chapter 12 Policy and Static Routes 12.6 Static Route Summary Click Network > Routing > Static Route to open the Static Route screen. Figure 149 Network > Routing > Static Route The following table describes the labels in this screen. Table 68 Network >...
Chapter 12 Policy and Static Routes The following table describes the labels in this screen. Table 69 Network > Routing > Static Route > Edit LABEL DESCRIPTION Destination IP This parameter specifies the IP network address of the final destination. Routing is always based on network number.
CHAPTER 13 Routing Protocols This chapter describes how to set up RIP and OSPF routing protocol settings for the ZyWALL. First, it provides an overview of RIP and OSPF, and, then, it introduces the RIP and OSPF screens used to configure routing protocols.
Chapter 13 Routing Protocols RIP uses UDP port 520. 13.1.2 Authentication Types Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. With MD5 authentication, the transmitting router computes an MD5 digest over the routing update together with the shared key and sends the digest along with the update; the receiving router recomputes the digest with its own copy of the key and discards the update if the two differ. The key itself is never transmitted, so a forged or modified update is rejected. With Text (simple password) authentication the password travels in the clear inside every update, so anyone who can capture the traffic can read it and then inject routes; use Text only where the neighbor cannot do MD5.
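The difference between the Text and MD5 choices, as an added Python example that is not ZyXEL code. It builds RIPv2 response packets with the RFC 2453 simple-password entry and with the RFC 2082 keyed-MD5 entry and trailer, then verifies the MD5 form the way a receiving router would, including rejecting a replayed sequence number. The route, the key and the sender address are constructed sample data.

```python
"""RIPv2 authentication: cleartext password (Text) versus keyed MD5.

Added example, not ZyXEL code. Packet layouts follow RFC 2453 (simple
password entry) and RFC 2082 (keyed MD5 entry plus trailer). The route,
keys and sender address are constructed sample data.
"""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AUTH_AFI = 0xFFFF
AUTH_SIMPLE, AUTH_MD5, AUTH_MD5_TRAILER = 2, 3, 1
ENTRY = 20                                   # every RIPv2 entry is 20 bytes


def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def route_entry(prefix: str, mask: str, nexthop: str, metric: int) -> bytes:
    # AFI 2 (IP), route tag 0, prefix, mask, next hop, metric
    return struct.pack("!HH4s4s4sI", 2, 0, ip4(prefix), ip4(mask), ip4(nexthop), metric)


def build_simple(password: bytes, routes) -> bytes:
    # RFC 2453: the password itself is the authentication data, NUL-padded to 16 bytes
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password)
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0) + auth + b"".join(routes)


def extract_simple_password(packet: bytes) -> bytes:
    """What anyone sniffing the segment learns from a Text-authenticated update."""
    afi, atype, pw = struct.unpack("!HH16s", packet[4:24])
    if (afi, atype) != (AUTH_AFI, AUTH_SIMPLE):
        raise ValueError("not a simple-password packet")
    return pw.rstrip(b"\0")


def _md5_digest(packet_through_trailer_header: bytes, key: bytes) -> bytes:
    # RFC 2082: MD5 over the packet up to and including the trailer's AFI/type
    # words, followed by the key padded with zeros to 16 bytes
    return hashlib.md5(packet_through_trailer_header + key.ljust(16, b"\0")).digest()


def build_md5(key: bytes, key_id: int, seq: int, routes) -> bytes:
    pkt_len = 4 + ENTRY + ENTRY * len(routes)        # offset of the authentication trailer
    auth = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    body = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0) + auth + b"".join(routes)
    trailer = struct.pack("!HH", AUTH_AFI, AUTH_MD5_TRAILER)
    return body + trailer + _md5_digest(body + trailer, key)


class Md5Verifier:
    """Checks the digest and rejects replayed (non-increasing) sequence numbers."""

    def __init__(self, keys: dict):
        self.keys = keys                     # key id -> shared key
        self.last_seq = {}                   # (sender, key id) -> last accepted sequence number

    def accept(self, sender: str, packet: bytes) -> bool:
        afi, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
        if (afi, atype, dlen) != (AUTH_AFI, AUTH_MD5, 16) or key_id not in self.keys:
            return False
        if pkt_len + 4 + 16 != len(packet):
            return False
        expected = _md5_digest(packet[:pkt_len + 4], self.keys[key_id])
        if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
            return False                     # wrong key, or the routes were modified in transit
        if seq <= self.last_seq.get((sender, key_id), -1):
            return False                     # an older update played back at us
        self.last_seq[(sender, key_id)] = seq
        return True
```

The replay check is the simplified form (strictly increasing per sender and key id); RFC 2082 also allows a sequence number of zero after a restart, which a production implementation has to handle. The key-id field is what lets you roll the key: configure the new key under a second id on both routers, switch senders over, then retire the old id.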
Chapter 13 Routing Protocols Figure 151 Network > Routing > RIP The following table describes the labels in this screen. Table 71 Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication Authentication Select the authentication method used in the RIP network. Choices are: None, Text, and MD5.
Chapter 13 Routing Protocols • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network. • OSPF responds to changes in the network, such as the loss of a router, more quickly. • OSPF does not choose paths by hop count alone. Each link carries a cost (by default derived from the interface bandwidth, and adjustable by the administrator), and OSPF selects the path with the lowest total cost, so a fast path with several hops can be preferred over a slow direct link.
Chapter 13 Routing Protocols This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y.
Chapter 13 Routing Protocols Figure 153 OSPF: Types of Routers In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR).
Chapter 13 Routing Protocols 2 Set up the OSPF areas. 3 Configure the appropriate interfaces. See Section 10.2.1 on page 180. 4 Set up virtual links, as needed. 13.4 OSPF Screens The OSPF screens are used to specify the ID the ZyWALL uses in the OSPF AS and to maintain the policies for redistribution.
Chapter 13 Routing Protocols Table 73 Network > Routing Protocol > OSPF (continued) LABEL DESCRIPTION Active Select this check box to advertise routes that were learned from the indicated source. • If you select this for RIP, the ZyWALL advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas.
Chapter 13 Routing Protocols Figure 156 Network > Routing > OSPF > Edit The following table describes the labels in this screen. Table 74 Network > Routing > OSPF > Edit LABEL DESCRIPTION Area ID Type the unique, 32-bit identifier for the area in IP address format. Type This field displays the type of area.
Chapter 13 Routing Protocols Table 74 Network > Routing > OSPF > Edit (continued) LABEL DESCRIPTION Text This field is available if the Authentication is Text. Type the password for text Authentication authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
CHAPTER 14 Zones Set up zones to configure network security and network policies in the ZyWALL. See the Zones section in the Configuration Overview chapter for related information on these screens. 14.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
Chapter 14 Zones Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 157 on page 241, traffic between VLAN 2 and the Ethernet is intra-zone traffic. In each zone, you can either allow or prohibit all intra-zone traffic. For example, in Figure 157 on page 241, you might allow intra-zone traffic in the LAN2 zone but prohibit it in the WAN...
Chapter 14 Zones 14.3 Zone Add/Edit The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see Section 14.2 on page 242), and click either the Add icon or an Edit icon.
CHAPTER 15 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. First, it provides an overview, and then it introduces the screens. See the DDNS section in the Configuration Overview chapter for related information on these screens. 15.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa.
Chapter 15 DDNS 15.1.2 High Availability (HA) The DDNS server maps a domain name to the IP address of one of the ZyWALL’s WAN ports. If that WAN port loses its connection, high availability allows the ZyWALL to substitute the HA port’s IP address in the domain name mapping. 15.1.3 Mail Exchanger DynDNS can route e-mail for your domain name to a specified mail server.
Chapter 15 DDNS 15.3 DDNS Summary The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. To access this screen, login to the web configurator.
Chapter 15 DDNS 15.4 Dynamic DNS Add/Edit The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. To access this screen, click Network > DDNS, and click either the Add icon or an Edit icon.
Chapter 15 DDNS Table 78 Network > DDNS > Edit (continued) LABEL DESCRIPTION HA Interface This field is only available when the IP Address Update Policy is Interface. Select the alternative WAN interface to map to the domain name when the WAN interface is not available.
CHAPTER 16 Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. First, it provides an overview of virtual servers, and, then, it introduces the virtual server screens and commands. See the Virtual Server (Port Forwarding) section in the Configuration Overview chapter for related information on these screens.
Chapter 16 Virtual Servers The ZyWALL checks virtual servers before it applies to-ZyWALL firewall rules, so to- ZyWALL firewall rules do not apply to traffic that is forwarded by virtual servers. The ZyWALL still checks regular (through-ZyWALL) firewall rules according to the source IP address and mapped IP address.
Chapter 16 Virtual Servers Figure 163 Network > Virtual Server The following table describes the labels in this screen. See Section 16.4.1 on page 254 below for more information as well. Table 79 Network > Virtual Server LABEL DESCRIPTION Total Virtual This is how many virtual server entries are configured in the ZyWALL.
Chapter 16 Virtual Servers 16.4.1 Virtual Server Add/Edit The Virtual Server Add/Edit screen lets you create new virtual servers and edit existing ones. To open this window, open the Virtual Server summary screen. (See Section 16.4 on page 252.) Then, click on an Add icon or Edit icon to open the following screen. If the virtual server will send traffic to the clients, you need to create a corresponding policy route.
Chapter 16 Virtual Servers Table 80 Network > Virtual Server > Edit (continued) LABEL DESCRIPTION User Defined This field is available if Original IP is User Defined. Type the destination IP address that this virtual server supports. Mapped IP Type the translated destination IP address, if this virtual server forwards the packet. Mapping Type Use the drop-down list box to select how many original destination ports this virtual server supports for the selected destination IP address (Original IP).
CHAPTER 17 HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. See the HTTP Redirect section in the Configuration Overview chapter for related information on these screens. 17.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server.
Chapter 17 HTTP Redirect Figure 165 HTTP Redirect Example In the example, proxy server A is connected to ge4 in the DMZ zone. When a client connected to ge1 wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to fetch the page from the origin server.
Chapter 17 HTTP Redirect Figure 166 Network > HTTP Redirect The following table describes the labels in this screen. Table 81 Network > HTTP Redirect LABEL DESCRIPTION Name This is the descriptive name (up to 31 printable characters) of a rule. Interface This is the interface on which the request must be received.
Chapter 17 HTTP Redirect Table 82 Network > HTTP Redirect > Edit (continued) LABEL DESCRIPTION Interface Select the interface on which the HTTP request must be received for the ZyWALL to forward it to the specified proxy server. Proxy Server Enter the IP address of the proxy server.
CHAPTER 18 ALG This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. See the ALG section in the Configuration Overview chapter for related information on these screens. 18.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un- friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT.
Chapter 18 ALG You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface.
Chapter 18 ALG Figure 168 H.323 ALG Example 18.1.6 SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
Chapter 18 ALG 18.1.6.2 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout, the ZyWALL SIP ALG deletes the signaling session after the timeout period.
Chapter 18 ALG For example, you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2.
Chapter 18 ALG The following table describes the labels in this screen. Table 83 Network > ALG LABEL DESCRIPTION Enable SIP SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals Transformations over Internet Protocol. Turn on the SIP ALG to allow SIP sessions to pass through the ZyWALL.
Chapter 18 ALG 18.4 WAN to LAN H.323 Peer-to-peer Calls Example This example shows how to configure firewall and virtual server (port forwarding) rules to allow H.323 calls to come in through WAN IP address 10.0.0.8 to computer A at IP address 192.168.1.56 on the LAN.
Chapter 18 ALG Figure 175 Firewall > WAN to LAN 5 Configure the screen as follows. For the Destination, select Create Object. Figure 176 Firewall > WAN > LAN > Add 6 Configure an address object for the ZyWALL’s 10.0.0.8 WAN IP address as follows and click OK.
CHAPTER 19 Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. See the Firewall section in the Configuration Overview chapter for related information on these screens. 19.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall.
Chapter 19 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
Chapter 19 Firewall The following table explains the default firewall rules for traffic going through the ZyWALL. Section 19.2.1.2 on page 275 for details on the firewall rules for traffic going to the ZyWALL itself. Table 84 Default Firewall Rules FROM ZONE TO ZONE STATEFUL PACKET INSPECTION From LAN to LAN...
Chapter 19 Firewall The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL. You can configure a to-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which is not in a zone. 19.2.2 Firewall and VPN Traffic After you create a VPN tunnel and apply it to a zone, you can set the firewall rules applied to VPN traffic.
Chapter 19 Firewall Your firewall would have the following configuration.

Table 85 Blocking All LAN to WAN IRC Traffic Example (a blank field means the rule does not restrict that attribute)
  #         USER   SOURCE   DESTINATION   SCHEDULE   SERVICE   ACTION
  1                                                  IRC       Deny
  Default                                                      Allow

• The first row blocks LAN access to the IRC service on the WAN. •...
Chapter 19 Firewall Your firewall would have the following configuration.

Table 86 Limited LAN to WAN IRC Traffic Example 1 (a blank field means the rule does not restrict that attribute)
  #         USER   SOURCE        DESTINATION   SCHEDULE   SERVICE   ACTION
  1                192.168.1.7                            IRC       Allow
  2                                                       IRC       Deny
  Default                                                           Allow

• The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
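How a zone (Chapter 14), a virtual server (Chapter 16) and the ordered rules of Tables 85 and 86 combine at decision time, as an added Python example that is not ZyXEL code. The receiving interface gives the source zone, virtual servers rewrite the destination before the through-ZyWALL rules run (so the rules see the mapped IP, as Chapter 16 notes), and the first matching rule wins. The shadowed() helper reports rules that can never match because a broader rule sits above them, which is exactly what happens if the Deny row of Table 86 is placed before the Allow row. The interface-to-zone mapping, subnets, the ZyWALL's own addresses and the per-zone-pair default actions are constructed assumptions, not the ZyWALL's built-in defaults.

```python
"""Zones, virtual servers and ordered firewall rules.

Added example, not ZyXEL code. Interface names, subnets, device addresses,
the intra-zone policy and the default actions are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = Optional[ipaddress.IPv4Network]            # None means "any"

IFACE_ZONE = {"ge1": "LAN", "ge2": "WAN", "ge4": "DMZ"}
ZONE_NETS = {"LAN": ipaddress.ip_network("192.168.1.0/24"),
             "DMZ": ipaddress.ip_network("10.10.10.0/24")}
DEVICE_IPS = {"10.0.0.8", "192.168.1.1"}         # the ZyWALL's own WAN and LAN addresses
BLOCK_INTRA_ZONE = {"WAN"}                       # zones whose intra-zone traffic is prohibited
SERVICES = {"IRC": ("tcp", 6667), "HTTP": ("tcp", 80), "H.323": ("tcp", 1720)}
DEFAULT_ACTION = {("LAN", "WAN"): "allow", ("LAN", "LAN"): "allow", ("LAN", "ZyWALL"): "allow",
                  ("WAN", "LAN"): "deny", ("WAN", "ZyWALL"): "deny"}   # assumed defaults


def net(cidr: Optional[str]) -> Net:
    return ipaddress.ip_network(cidr) if cidr else None


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class VirtualServer:
    original_ip: str
    original_port: int
    mapped_ip: str
    mapped_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    source: Net
    destination: Net
    service: Optional[str]                       # None means any service
    action: str


@dataclass(frozen=True)
class Decision:
    action: str
    from_zone: str
    to_zone: str
    packet: Packet                               # the packet as the rules saw it (after DNAT)


def zone_of(ip: str) -> str:
    if ip in DEVICE_IPS:
        return "ZyWALL"                          # to-ZyWALL traffic has its own rule set
    addr = ipaddress.ip_address(ip)
    for zone, n in ZONE_NETS.items():
        if addr in n:
            return zone
    return "WAN"                                 # anything not on a known internal subnet


def apply_virtual_servers(pkt: Packet, vservers) -> Packet:
    for vs in vservers:
        if (pkt.dst, pkt.proto, pkt.dport) == (vs.original_ip, vs.proto, vs.original_port):
            return Packet(pkt.in_iface, pkt.src, vs.mapped_ip, pkt.proto, vs.mapped_port)
    return pkt


def matches(rule: Rule, pkt: Packet, from_zone: str, to_zone: str) -> bool:
    if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
        return False
    if rule.source is not None and ipaddress.ip_address(pkt.src) not in rule.source:
        return False
    if rule.destination is not None and ipaddress.ip_address(pkt.dst) not in rule.destination:
        return False
    return rule.service is None or SERVICES[rule.service] == (pkt.proto, pkt.dport)


def decide(pkt: Packet, rules, vservers) -> Decision:
    pkt = apply_virtual_servers(pkt, vservers)   # DNAT runs before the rule check
    from_zone, to_zone = IFACE_ZONE[pkt.in_iface], zone_of(pkt.dst)
    if from_zone == to_zone and from_zone in BLOCK_INTRA_ZONE:
        return Decision("deny", from_zone, to_zone, pkt)
    for rule in rules:                           # first match wins
        if matches(rule, pkt, from_zone, to_zone):
            return Decision(rule.action, from_zone, to_zone, pkt)
    return Decision(DEFAULT_ACTION.get((from_zone, to_zone), "deny"), from_zone, to_zone, pkt)


def covers(a: Net, b: Net) -> bool:
    return a is None or (b is not None and b.subnet_of(a))


def shadowed(rules) -> list:
    """Indices of rules that can never match because an earlier rule is at least as broad."""
    out = []
    for j, r in enumerate(rules):
        for e in rules[:j]:
            if ((e.from_zone, e.to_zone) == (r.from_zone, r.to_zone)
                    and covers(e.source, r.source) and covers(e.destination, r.destination)
                    and (e.service is None or e.service == r.service)):
                out.append(j)
                break
    return out
```

Because the virtual server rewrites 10.0.0.8:1720 to 192.168.1.56:1720 before any rule is consulted, the incoming H.323 call is judged as WAN-to-LAN traffic and never reaches the to-ZyWALL rule set, whereas a packet to 10.0.0.8 on a port with no virtual server is to-ZyWALL traffic and falls to that set's default.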
Chapter 19 Firewall You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
Chapter 19 Firewall Figure 183 Firewall The following table describes the labels in this screen. Table 88 Firewall LABEL DESCRIPTION Global Setting Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated. Allow If an alternate gateway on the LAN has an IP address in the same subnet as the Asymmetrical...
Chapter 19 Firewall Table 88 Firewall (continued) LABEL DESCRIPTION Maximum Use this field to set the highest number of sessions that the ZyWALL will permit a session per host computer with the same IP address to have at one time. When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions.
Chapter 19 Firewall Table 88 Firewall (continued) LABEL DESCRIPTION Add icon Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the rule is enabled or not. Click it to activate or deactivate the rule.
Chapter 19 Firewall Table 89 Firewall > Edit (continued) LABEL DESCRIPTION Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule Select a schedule that defines when the rule applies or select Create Object to configure a new one (see Chapter 37 on page 521 for details).
Chapter 19 Firewall Figure 185 Firewall Example: Select the Traveling Direction of Traffic 2 Select From WAN and To LAN and enter a description. Select Create Object in the Destination drop-down list box. Figure 186 Firewall Example: Edit a Firewall Rule 1 3 The screen for configuring an address object opens.
Chapter 19 Firewall Figure 187 Firewall Example: Create an Address Object 4 Select Create Object in the Service drop-down list box. 5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 188 Firewall Example: Create a Service Object 6 Enter the name of the firewall rule.
CHAPTER 20 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. See the IPSec VPN section in the Configuration Overview chapter for related information on these screens. 20.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines.
Chapter 20 IPSec VPN Figure 192 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
Chapter 20 IPSec VPN Usually, you should select ESP. AH does not support encryption, and because AH also authenticates fields of the outer IP header, a NAT device on the path that rewrites addresses invalidates the AH integrity check; ESP keeps the IP header outside its integrity check and therefore works through NAT. 20.1.1.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
Chapter 20 IPSec VPN If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
Chapter 20 IPSec VPN • Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec • Source address in inbound packets - this translation hides the source address of computers in the remote network.
Chapter 20 IPSec VPN • Destination - the original destination address; the local network (A). • SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address. 20.1.2.2.3 Destination Address in Inbound Packets (Inbound Traffic, Destination NAT) You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network.
Chapter 20 IPSec VPN • Make sure the to-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the to-ZyWALL firewall rules allow UDP port 4500 too.
Chapter 20 IPSec VPN Each field is discussed in the following table. See Section 20.3.3 on page 298 Section 20.3.2 on page 294 for more information. Table 90 VPN > IPSec VPN > VPN Connection LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific connection. Name This field displays the name of the IPSec SA.
Chapter 20 IPSec VPN Figure 196 VPN > IPSec VPN > VPN Connection > Edit (IKE) Each field is described in the following table. Table 91 VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION VPN Connection Connection Type the name used to identify this IPSec SA.
Chapter 20 IPSec VPN Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Active Protocol Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication and sequence integrity (replay resistance) but not encryption. Because its integrity check is a keyed hash under a secret both ends share, it does not provide non-repudiation.
Chapter 20 IPSec VPN Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Policy Select this if you want the ZyWALL to drop traffic whose source and destination Enforcement IP addresses do not match the local and remote policy. This makes the IPSec SA more secure.
Chapter 20 IPSec VPN Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION SNAT Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address that hides the original source address.
Chapter 20 IPSec VPN Figure 197 VPN > IPSec VPN > VPN Connection > Manual Key > Edit The following table describes the labels in this screen. Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit LABEL DESCRIPTION VPN Connection...
Chapter 20 IPSec VPN Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Encapsulation Select which type of encapsulation the IPSec SA uses. Choices are Mode Tunnel - the whole original IP packet, header included, is protected and carried inside a new IP packet, so the real endpoints are hidden. Transport - only the payload after the IP header is protected; the original IP header stays visible.
Chapter 20 IPSec VPN Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Authentication Enter the authentication key, which depends on the authentication algorithm. MD5 - type a unique key 16-20 characters long SHA1 - type a unique key 20 characters long You can use any alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
Chapter 20 IPSec VPN Table 92 VPN > IPSec VPN > VPN Connection > Manual Key > Edit (continued) LABEL DESCRIPTION Source Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network.
Chapter 20 IPSec VPN It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security: the identities and the authentication hashes are exchanged only after the Diffie-Hellman key is in place, so they travel encrypted. Aggressive mode is faster (three messages instead of six) but sends the identities and the pre-shared-key authentication hash in the clear, which lets anyone who captures the exchange test candidate pre-shared keys offline; if you must use aggressive mode, use a long random pre-shared key or certificates. Both routers must use the same negotiation mode. These modes are discussed in more detail in Section 20.4.2.1 on page 306.
Chapter 20 IPSec VPN Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The algorithms are listed in order from weakest to strongest. •...
Chapter 20 IPSec VPN In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps. Figure 200 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) Step 5: pre-shared key...
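Why main mode's encrypted steps 5 and 6 matter, as an added Python example (not ZyXEL code) that reproduces the RFC 2409 pre-shared-key derivations with HMAC-SHA1 as the prf. In aggressive mode the responder's authentication hash HASH_R, the identities, nonces and Diffie-Hellman public values all travel unencrypted, so a passive observer can test candidate pre-shared keys against the captured hash; in main mode the same hash sits inside the encrypted fifth and sixth messages and is not observable. The cookies, nonces, DH values, SA payload and peer address are constructed stand-ins for captured bytes, and the candidate list is a constructed wordlist. A related caveat: a main-mode responder must look up the pre-shared key by the peer's IP address before it has seen the peer's ID, so a peer with a dynamic address (Secure Gateway Address 0.0.0.0 in Table 96) and a pre-shared key usually ends up in aggressive mode, which is exactly where a long random key or certificates matter most.

```python
"""IKEv1 pre-shared-key authentication: main mode versus aggressive mode.

Added example, not ZyXEL code. It reproduces the SKEYID and HASH_R
derivations of RFC 2409 with HMAC-SHA1 as the prf and shows what a passive
observer can do with each negotiation mode. Cookies, nonces, DH public
values and the SA payload are constructed stand-ins for captured bytes.
"""
import hashlib
import hmac
import os
from typing import Optional


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()      # prf = HMAC-<negotiated hash>


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    return prf(psk, ni + nr)                               # SKEYID = prf(PSK, Ni_b | Nr_b)


def hash_r(psk: bytes, ex: dict) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    return prf(skeyid, ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idr_b"])


def id_ipv4(addr: str) -> bytes:
    # ID payload body: type 1 (ID_IPV4_ADDR), protocol 17 (UDP), port 500, address
    return bytes([1, 17, 0x01, 0xF4]) + bytes(int(o) for o in addr.split("."))


def negotiate(psk: bytes, mode: str) -> dict:
    """Everything a sniffer between the two gateways sees for one phase-1 exchange."""
    ex = {
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),        # ISAKMP cookies
        "ni": os.urandom(20), "nr": os.urandom(20),             # nonces
        "gxi": os.urandom(128), "gxr": os.urandom(128),         # DH public values (stand-ins)
        "sai_b": bytes.fromhex("0000000100000001"),             # SA payload body (stand-in)
    }
    if mode == "aggressive":
        ex["idr_b"] = id_ipv4("10.0.0.8")    # message 2 carries IDr and HASH_R in the clear
        ex["hash_r"] = hash_r(psk, ex)
    elif mode == "main":
        ex["idr_b"] = None                   # IDr and HASH_R travel inside encrypted message 6
        ex["hash_r"] = None
    else:
        raise ValueError(mode)
    return ex


def recover_psk(ex: dict, candidates) -> Optional[bytes]:
    """Offline dictionary test of candidate keys against a captured HASH_R."""
    if ex["hash_r"] is None:
        return None                          # nothing observable to test against
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, ex), ex["hash_r"]):
            return cand
    return None
```

Use recover_psk() with your own organisation's password list against a capture of your own gateways to find out whether a pre-shared key you already use would survive; a key that a few thousand guesses recover should be replaced before the tunnel is exposed on the WAN.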
Chapter 20 IPSec VPN For example, in Table 93 on page 306, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in Table 94 on page 306, the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA. Table 93 VPN Example: Matching ID Type and Content ZYWALL REMOTE IPSEC ROUTER...
Chapter 20 IPSec VPN 20.4.2.2 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 201 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information.
Chapter 20 IPSec VPN • Instead of using the pre-shared key, the ZyWALL and remote IPSec router verify the signature on each other’s certificate against a certification authority they both trust. There is no shared secret that both sides must have configured identically. • The local and peer ID type and content come from the certificates. You must set up the certificates for the ZyWALL and remote IPSec router first.
Chapter 20 IPSec VPN Table 95 VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Add icon This column provides icons to add, edit, and remove VPN gateways, as well as to activate / deactivate VPN gateways. To add a VPN gateway, click the Add icon at the top of the column. The VPN Gateway Add/Edit screen appears.
Chapter 20 IPSec VPN Figure 203 VPN > IPSec VPN > VPN Gateway > Edit Each field is described in the following table. Table 96 VPN > IPSec VPN > VPN Gateway > Edit LABEL DESCRIPTION VPN Gateway VPN Gateway Type the name used to identify this VPN gateway.
Chapter 20 IPSec VPN Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Proposal This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. Encryption Select which key size and encryption algorithm to use in the IKE SA.
Chapter 20 IPSec VPN Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Secure Type the IP address or the domain name of the remote IPSec router. Set this field Gateway to 0.0.0.0 if the remote IPSec router has a dynamic IP address. You can provide Address a second IP address or domain name.
Chapter 20 IPSec VPN Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by an e-mail address Any - the ZyWALL does not check the identity of the remote IPSec router...
Chapter 20 IPSec VPN Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Password This field is required if the ZyWALL is in Client Mode for extended authentication. Type the password the ZyWALL sends to the remote IPSec router. The password can be 1-31 ASCII characters.
Chapter 20 IPSec VPN 20.5.1 VPN Concentrator Summary You use the VPN Concentrator summary screen to look at the VPN concentrators you have set up. The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL. To access this screen, click VPN > IPSec VPN > Concentrator. The following screen appears.
Chapter 20 IPSec VPN Each field is described in the following table. Table 98 VPN > IPSec VPN > Concentrator > Edit LABEL DESCRIPTION Name Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 20 IPSec VPN Figure 208 VPN > IPSec VPN > SA Monitor Each field is described in the following table. Table 99 VPN > IPSec VPN > SA Monitor LABEL DESCRIPTION Name Enter the name of a IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression.
Chapter 20 IPSec VPN 20.6.1 Regular Expressions in Searching IPSec SAs by Name or Policy The search patterns are shell-style wildcards rather than full regular expressions. A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or policy names match the pattern.
CHAPTER 21 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. See the SSL VPN section in the Configuration Overview chapter for related information on these screens. 21.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: •...
Chapter 21 SSL VPN Table 100 Objects (continued) OBJECT OBJECT TYPE DESCRIPTION SCREEN Server Address Configure address objects for the IP addresses of the DNS and Addresses WINS servers that the ZyWALL sends to the VPN connection users. VPN Network Address Configure an address object to specify which network segment users are allowed to access through a VPN connection.
Chapter 21 SSL VPN 21.3 Creating/Editing an SSL Access Policy To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 210 VPN > SSL VPN > Access Privilege > Add/Edit The following table describes the labels in this screen.
Chapter 21 SSL VPN Table 102 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION User/Group The Available list displays the name(s) of the user account and/or user group(s) to which you have not applied an SSL access policy yet. To associate a user or user group to this SSL access policy, select a user account or user group and click >>...
Chapter 21 SSL VPN • view a list of users currently logged in through VPN SSL. • log out a user and delete related session information. Once a user logs out, the corresponding entry is removed from the Connection Monitor screen.
Upload Click Upload to transfer the specified graphic file from your computer to the ZyWALL. Reset Logo to Click Reset Logo to Default to display the ZyXEL company logo on the remote Default user’s web browser. Apply Click Apply to save the changes and/or start the logo file upload process.
Chapter 21 SSL VPN 21.5.1 Uploading a Custom Logo Follow the steps below to upload a custom logo on the ZyWALL. 1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file is in GIF format. 3 Click Apply to start the file transfer process.
Chapter 21 SSL VPN Figure 214 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again.
CHAPTER 22 SSL User Screens This chapter introduces secure network access and gives an overview of the remote user screens on the ZyWALL. 22.1 Overview The ZyWALL provides secure connections to network resources such as applications, files, intranet sites or e-mail through a web-based interface and using Microsoft Outlook Web Access (OWA).
Chapter 22 SSL User Screens • Windows 2000 and Windows XP • Internet Explorer 5.5 and above (for IE7, JRE 1.6 must be enabled) • Netscape 7.2 and above • Firefox 1.0 and above • Mozilla 1.7.3 and above • Sun Java Virtual Machine (JVM) installed with a minimum version of 1.4. •...
Chapter 22 SSL User Screens Figure 217 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Select Log into SSL VPN and click Login to log in and establish an SSL VPN connection to the network to access network resources.
Chapter 22 SSL User Screens Available resource links vary depending on the configuration your network administrator made. 22.3 SSL VPN User Screens This section describes the main elements in the remote user screens. Figure 220 Remote User Screen The following table describes the various parts of a remote user screen. Table 105 Remote User Screen Overview DESCRIPTION Click on a menu tab to go to the Application or File Sharing screen.
Chapter 22 SSL User Screens 22.4 Bookmark You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon.
Chapter 23 SSL User Application Screens This chapter describes the Application screens you use to access an application on the network through the SSL VPN connection. 23.1 Overview Depending on the configuration of your network administrator, you can use the Application screen to access web-based applications (such as web sites and e-mail).
Chapter 24 SSL User File Sharing Screens This chapter describes the File Sharing screen you use to access files on a file server through the SSL VPN connection. 24.1 Overview Use the File Sharing screen to display and access shared files/folders on a file server. You can also perform the following actions: •...
Chapter 24 SSL User File Sharing Screens Figure 225 File Sharing 24.3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab.
Chapter 24 SSL User File Sharing Screens 4 A list of files/folders displays. Click on a file to open it in a separate browser window. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 227 File Sharing: Open a Word File 24.3.1 Downloading a File You are prompted to download a file which cannot be opened using a web browser.
Chapter 24 SSL User File Sharing Screens Figure 228 File Sharing: Save a Word File 24.4 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Make sure the length of the folder name does not exceed the maximum allowed on the file server.
Chapter 24 SSL User File Sharing Screens Figure 230 File Sharing: Rename A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Make sure the length of the name does not exceed the maximum allowed on the file server.
Chapter 24 SSL User File Sharing Screens 24.7 Uploading a File Follow the steps below to upload a file to the file server. 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of the file you want to upload. Or click Browse to locate it.
Chapter 25 L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. See the L2TP VPN section in the Configuration Overview chapter for related information on these screens. 25.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’...
Chapter 25 L2TP VPN • Use transport mode. • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 25.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
Chapter 25 L2TP VPN 25.4 L2TP VPN Configuration Click VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL’s L2TP VPN settings. Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
Chapter 25 L2TP VPN Table 106 VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION Allowed User The remote user must log into the ZyWALL to use the L2TP VPN tunnel. Select a user or user group that can use the L2TP VPN tunnel. Select Create Object to configure a new user account (see Section 34.2.1 on page 502 for details).
Chapter 25 L2TP VPN Table 107 VPN > L2TP VPN > Session Monitor (continued) LABEL DESCRIPTION Disconnect Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh Click Refresh to update the information in the display.
Chapter 26 L2TP VPN Example This chapter shows how to create a basic L2TP VPN tunnel. 26.1 L2TP VPN Example This chapter uses the following settings in creating a basic L2TP VPN tunnel. Figure 238 L2TP VPN Example (ZyWALL address 172.23.37.205; L2TP_POOL: 192.168.10.10~192.168.10.20)...
Chapter 26 L2TP VPN Example Figure 239 VPN > IPSec VPN > VPN Gateway > Edit • Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205. • Configure the Pre-Shared Key. This example uses top-secret. Click OK. 2 Click the Default_L2TP_VPN_GW entry’s Enable icon and click Apply to turn on the entry.
Chapter 26 L2TP VPN Example 26.3 Configuring the Default L2TP VPN Connection Example 1 Click VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Click the Default_L2TP_VPN_Connection’s Edit icon. Figure 241 VPN > IPSec VPN > VPN Connection > Edit 2 Enforce and configure the local and remote policies.
Chapter 26 L2TP VPN Example Figure 242 VPN > IPSec VPN > VPN Connection (Enable) 26.4 Configuring the L2TP VPN Settings Example 1 Click VPN > L2TP VPN to open the following screen. Figure 243 VPN > L2TP VPN Example 2 Configure the following.
Chapter 26 L2TP VPN Example Figure 244 Routing > Add: L2TP VPN Example 2 Configure the following. • Enable the policy route. • Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example). •...
Chapter 26 L2TP VPN Example 26.6.1 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard. 2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click Next.
Chapter 26 L2TP VPN Example Figure 247 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and click Next. Figure 248 New Connection Wizard: Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.23.37.205 in this example).
Chapter 26 L2TP VPN Example Figure 251 Connect L2TP to ZyWALL: Security 11 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. PAP without PPP encryption is acceptable here only because the L2TP session is carried inside the IPSec transport-mode connection configured earlier; IPSec encrypts the password on the wire, so it is never sent in the clear. Figure 252 Connect ZyWALL L2TP: Security >...
Chapter 26 L2TP VPN Example Figure 253 L2TP to ZyWALL Properties > Security 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK.
Chapter 26 L2TP VPN Example Figure 256 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 257 ZyWALL-L2TP System Tray Icon 18 Click Details to verify that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Chapter 26 L2TP VPN Example 1 Click Start > Run. Type regedit and click OK. Figure 259 Starting the Registry Editor 2 Click Registry > Export Registry File and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. 3 Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters.
Chapter 26 L2TP VPN Example Figure 262 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section. 26.6.2.2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use.
Chapter 26 L2TP VPN Example Figure 265 Add > IP Security Policy Management > Finish 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 266 Create IP Security Policy 5 Name the IP security policy L2TP to ZyWALL, and click Next.
Chapter 26 L2TP VPN Example Figure 267 IP Security Policy: Name 6 Clear the Activate the default response rule check box and click Next. Figure 268 IP Security Policy: Request for Secure Communication 7 Leave the Edit Properties check box selected and click Finish. Figure 269 IP Security Policy: Completing the IP Security Policy Wizard
Chapter 26 L2TP VPN Example 8 In the properties dialog box, click Add > Next. Figure 270 IP Security Policy Properties > Add 9 Select This rule does not specify a tunnel and click Next. Figure 271 IP Security Policy Properties: Tunnel Endpoint 10 Select All network connections and click Next.
Chapter 26 L2TP VPN Example Figure 272 IP Security Policy Properties: Network Type 11 Select Use this string to protect the key exchange (preshared key), type password in the text box, and click Next. Figure 273 IP Security Policy Properties: Authentication Method 12 Click Add.
Chapter 26 L2TP VPN Example Figure 274 IP Security Policy Properties: IP Filter List 13 Type ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add. Figure 275 IP Security Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab.
Chapter 26 L2TP VPN Example Figure 276 Filter Properties: Addressing 15 Configure the following in the Filter Properties window’s Protocol tab. Set the protocol type to UDP from port 1701. Select To any port. Click Apply, OK, and then Close. Figure 277 Filter Properties: Protocol 16 Select ZyWALL WAN_IP and click Next.
Chapter 26 L2TP VPN Example Figure 278 IP Security Policy Properties: IP Filter List 17 Select Require Security and click Next. Then click Finish and Close. Figure 279 IP Security Policy Properties: IP Filter List 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 280 Console: L2TP to ZyWALL Assign
Chapter 26 L2TP VPN Example 26.6.2.3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy, use these directions to create a network connection. 1 Click Start > Settings > Network and Dial-up connections > Make New Connection. In the wizard welcome screen, click Next.
Chapter 26 L2TP VPN Example Figure 283 New Connection Wizard: Destination Address 4 Select For all users and click Next. Figure 284 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish. Figure 285 New Connection Wizard: Naming the Connection
Chapter 26 L2TP VPN Example 6 Click Properties. Figure 286 Connect L2TP to ZyWALL 7 Click Security and select Advanced (custom settings) and click Settings. Figure 287 Connect L2TP to ZyWALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button.
Chapter 26 L2TP VPN Example Figure 288 Connect L2TP to ZyWALL: Security > Advanced 9 Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 289 Connect L2TP to ZyWALL: Networking 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network.
Chapter 26 L2TP VPN Example Figure 290 Connect L2TP to ZyWALL 11 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 291 ZyWALL-L2TP System Tray Icon 12 Click Details and scroll down to verify that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
Chapter 27 Application Patrol This chapter describes how to use application patrol for the ZyWALL. It provides an overview first and then introduces the screens. See the Application Patrol section in the Configuration Overview chapter for related information on these screens. 27.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network.
Chapter 27 Application Patrol The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application. The second approach is called service ports. In this approach, the ZyWALL does not look at packet content; it only uses network- and transport-layer information, the IP address (OSI layer 3) and port number (OSI layer 4), to identify what application is using the connection.
Chapter 27 Application Patrol 27.4.1 Connection and Packet Directions Application patrol looks at the connection direction, that is from which zone the connection was initiated and to which zone the connection is going. A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel.
Chapter 27 Application Patrol Figure 295 Bandwidth Management Behavior (each link in the figure is 1000 kbps) 27.4.5.1 Configured Rate Effect In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. Table 108 Configured Rate Effect POLICY CONFIGURED RATE MAX.
Chapter 27 Application Patrol 27.4.5.4 Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error.
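The rules in 27.4.5 can be checked by simulating them: each policy first receives its configured rate, highest priority first, so an over-allotted link starves the lower priorities; whatever is left is then shared among policies that have maximize bandwidth usage enabled and still want more. The following Python is an added example, not ZyXEL code. The equal, water-filling split of leftover bandwidth is an assumption about what the page calls the fairness-based scheduler, and the sample policies use the outbound rates of the 27.5 example with an assumed priority and maximize setting for HTTP.

```python
# Added example (not ZyXEL code): a model of the bandwidth management behaviour in 27.4.5.
# The equal split of leftover bandwidth among maximize-enabled policies is an assumption about
# the "fairness-based scheduler"; the page does not define its exact arithmetic.

# Outbound rates from the 27.5 example (Figure 296 / 27.5.5). HTTP's priority and maximize
# setting are not visible on the page and are assumed here.
EXAMPLE_POLICIES = [
    {"name": "SIP", "rate": 200, "priority": 1, "maximize": True},
    {"name": "HTTP", "rate": 100, "priority": 2, "maximize": True},
    {"name": "FTP", "rate": 300, "priority": 3, "maximize": False},
]


def allocate(policies, available_kbps, demand_kbps):
    """policies: list of {"name", "rate", "priority" (1 = highest), "maximize"}.
    demand_kbps: name -> kbps the application is currently trying to send.
    Returns (allocation dict in kbps, unused kbps)."""
    alloc = {p["name"]: 0.0 for p in policies}
    remaining = float(available_kbps)

    # Pass 1: configured (guaranteed) rates, highest priority first. If the configured rates
    # add up to more than the link, lower priorities get nothing (the page calls this a
    # configuration error).
    for p in sorted(policies, key=lambda p: p["priority"]):
        want = min(p["rate"], demand_kbps.get(p["name"], 0))
        give = min(want, remaining)
        alloc[p["name"]] += give
        remaining -= give

    # Pass 2: unused bandwidth is shared, water-filling style, among policies that have
    # maximize bandwidth usage enabled and still want more than they were given.
    hungry = {p["name"] for p in policies
              if p["maximize"] and demand_kbps.get(p["name"], 0) > alloc[p["name"]]}
    while remaining > 1e-6 and hungry:
        share = remaining / len(hungry)
        for name in sorted(hungry):
            extra = min(share, demand_kbps[name] - alloc[name])
            alloc[name] += extra
            remaining -= extra
        hungry = {n for n in hungry if demand_kbps[n] - alloc[n] > 1e-9}
    return alloc, remaining


if __name__ == "__main__":
    # SIP is below its rate, FTP fills its rate, HTTP borrows everything left over.
    print(allocate(EXAMPLE_POLICIES, 1000, {"SIP": 150, "HTTP": 600, "FTP": 500}))
```

Run the three cases from the text through it: configured rates below the link with maximize disabled (Table 108) leave bandwidth unused; a policy whose rate equals the whole link and has the higher priority (27.4.5.4) leaves nothing for the other; with maximize enabled the leftover goes to whoever still has demand.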
Chapter 27 Application Patrol Figure 296 Application Patrol Bandwidth Management Example. SIP: WAN to Any and SIP: Any to WAN: Outbound 200 Kbps, Inbound 200 Kbps, Priority 1, Max. B. U. (maximize bandwidth usage) enabled. HTTP: Any to WAN: Outbound 100 Kbps, Inbound 500 Kbps...
Chapter 27 Application Patrol Figure 297 SIP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 200 kbps 27.5.3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any instead of Any to WAN).
Chapter 27 Application Patrol • Third highest priority (3). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 299 FTP WAN to DMZ Bandwidth Management Example Outbound: 300 kbps Inbound: 100 kbps 27.5.6 FTP LAN to DMZ Bandwidth Management Example •...
Chapter 27 Application Patrol 27.6 Other Applications Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence. (The ZyWALL does not reorder packets when identifying the application.) In these cases, you can still provide a default rule for the ZyWALL to follow.
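The two identification approaches (packet inspection over the first eight packets, then service ports) and the Other default rule for flows that never get identified can be put together as a small state machine per flow. The following Python is an added example, not ZyWALL code: the application signatures, the service-port table and the policy actions are illustrative values chosen for the example, not the ZyWALL's real tables.

```python
from collections import defaultdict

# Added example (not ZyXEL code): a model of application patrol flow classification as
# described in 27.1 and 27.6. Signature and port tables below are illustrative only.
IDENTIFY_WINDOW = 8  # the page: the first eight packets pass regardless of policy

APP_SIGNATURES = {  # payload prefixes used for packet inspection (illustrative)
    "http": (b"GET ", b"POST ", b"HEAD ", b"HTTP/1."),
    "sip": (b"INVITE ", b"REGISTER ", b"SIP/2.0"),
    "ftp": (b"220 ", b"USER "),
}
SERVICE_PORTS = {80: "http", 21: "ftp", 5060: "sip"}  # service-port fallback (illustrative)


class AppPatrol:
    def __init__(self, policies, other_policy="forward"):
        self.policies = policies            # app name -> "forward" or "drop"
        self.other_policy = other_policy    # AppPatrol > Other: rule for unidentified traffic
        self.flows = defaultdict(lambda: {"packets": 0, "app": None})

    @staticmethod
    def identify_by_payload(payload):
        for app, prefixes in APP_SIGNATURES.items():
            if any(payload.startswith(p) for p in prefixes):
                return app
        return None

    def handle(self, flow_key, payload):
        """flow_key = (src_ip, src_port, dst_ip, dst_port, proto). Returns (app, action)."""
        flow = self.flows[flow_key]
        flow["packets"] += 1
        if flow["app"] is None and flow["packets"] <= IDENTIFY_WINDOW:
            # Packet inspection: look at the content of the first eight packets.
            flow["app"] = self.identify_by_payload(payload)
        if flow["app"] is None and flow["packets"] > IDENTIFY_WINDOW:
            # Inspection failed (new application, out-of-order packets, ...): fall back to
            # the service-port approach, and to "other" if the port is unknown too.
            flow["app"] = SERVICE_PORTS.get(flow_key[3], "other")
        if flow["packets"] <= IDENTIFY_WINDOW:
            return flow["app"], "forward"     # identification packets always go through
        app = flow["app"]
        action = self.other_policy if app == "other" else self.policies.get(app, self.other_policy)
        return app, action
```

Note the consequence the page states and the model reproduces: a flow whose policy is drop still gets its first eight packets through, so application patrol is not a substitute for a firewall rule when the first packets themselves matter.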
Chapter 27 Application Patrol Figure 301 AppPatrol > General The following table describes the labels in this screen. See Section 27.9.1 on page 386 for more information as well. Table 112 AppPatrol > General LABEL DESCRIPTION Enable Application Patrol Select this check box to turn on application patrol. Enable BWM...
Chapter 27 Application Patrol 27.9 Application Patrol Applications Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications. Use the Common screen (shown here as an example) to manage traffic of the most commonly used web, file transfer and e-mail protocols.
Chapter 27 Application Patrol Figure 303 Application Edit The following table describes the labels in this screen. Table 114 Application Edit LABEL DESCRIPTION Enable Service Select this check box to turn on patrol for this application. Service Identification Name This field displays the name of the application.
Chapter 27 Application Patrol Table 114 Application Edit (continued) LABEL DESCRIPTION User This is the user name or user group to which the policy applies. If any displays, the policy applies to all users. From This is the source zone of the traffic to which this policy applies. To This is the destination zone of the traffic to which this policy applies.
Chapter 27 Application Patrol 27.9.2 Application Patrol Policy Edit The Application Policy Edit screen allows you to edit a group of settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen and click an application’s Edit icon. Then click the Add icon or an Edit icon in the Policy table.
Chapter 27 Application Patrol Table 115 Application Policy Edit (continued) LABEL DESCRIPTION Access This field controls what the ZyWALL does with packets for this application that match this policy. Choices are: forward - the ZyWALL routes the packets for this application. Drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision.
Chapter 27 Application Patrol Table 115 Application Policy Edit (continued) LABEL DESCRIPTION Maximize Bandwidth Usage Enable maximize bandwidth usage to let the traffic matching this policy “borrow” any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
Chapter 27 Application Patrol Table 116 AppPatrol > Other (continued) LABEL DESCRIPTION Source This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source. Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination.
Chapter 27 Application Patrol Figure 306 AppPatrol > Other > Edit The following table describes the labels in this screen. Table 117 AppPatrol > Other > Edit LABEL DESCRIPTION Enable Select this check box to turn on this policy. Port Use this field to specify a specific port number to which to apply this policy.
Chapter 27 Application Patrol Table 117 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Bandwidth Management Configure these fields to set the amount of bandwidth the application can use. These fields only apply when Access is set to forward. Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use.
Chapter 27 Application Patrol Figure 307 AppPatrol > Statistics: General Setup The following table describes the labels in this screen. Table 118 AppPatrol > Statistics: General Setup LABEL DESCRIPTION Refresh Interval Select how often you want the statistics display to update. Display Select the protocols for which to display statistics.
Chapter 27 Application Patrol 27.11.3 Application Patrol Statistics: Protocol Statistics The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols. Figure 309 AppPatrol > Statistics: Protocol Statistics The following table describes the labels in this screen. Table 119 AppPatrol >...
Chapter 27 Application Patrol Table 119 AppPatrol > Statistics: Protocol Statistics (continued) LABEL DESCRIPTION Outbound Kbps This is the outgoing bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol’s traffic that the ZyWALL sends out from the initiator of the connection.
Chapter 28 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. See the Anti-Virus section in the Configuration Overview chapter for related information on these screens. 28.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs.
Chapter 28 Anti-Virus 4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially. 28.1.3 Types of Anti-Virus Scanner The section describes two types of anti-virus scanner: host-based and network-based. A host-based anti-virus (HAV) scanner is often software installed on computers and/or servers in the network.
Chapter 28 Anti-Virus Figure 310 ZyWALL Anti-virus Example The following describes the virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports. 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets.
Chapter 28 Anti-Virus • Encrypted traffic. This could be password-protected files or VPN traffic where the ZyWALL is not the endpoint (pass-through VPN traffic). • Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL scans whatever port number is specified for FTP in the ALG screen. •...
Chapter 28 Anti-Virus The following table describes the labels in this screen. Table 121 Anti-X > Anti-Virus > Summary LABEL DESCRIPTION Enable Anti-Virus and Anti-Spyware Select this check box to check traffic for viruses and spyware. The following table lists rules that define which traffic the ZyWALL scans and the action it takes upon finding a virus.
Chapter 28 Anti-Virus Table 121 Anti-X > Anti-Virus > Summary (continued) LABEL DESCRIPTION Released Date This field displays the date and time the set was released. Update Signatures Click this link to go to the screen you can use to download signatures from the update server.
Chapter 28 Anti-Virus Table 122 Anti-X > Anti-Virus > Summary > Edit (continued) LABEL DESCRIPTION Protocols to Scan Select which protocols of traffic to scan for viruses. FTP applies to traffic using the TCP port number specified for FTP in the ALG screen.
Chapter 28 Anti-Virus Table 122 Anti-X > Anti-Virus > Summary > Edit (continued) LABEL DESCRIPTION Destroy compressed files that could not be decompressed Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. Note: When you select this option, the ZyWALL also deletes ZIP files that use password encryption, because it cannot decompress them to scan their contents.
Chapter 28 Anti-Virus The following table describes the labels in this screen. Table 123 Anti-X > Anti-Virus > Setting LABEL DESCRIPTION Scan EICAR Select this option to have the ZyWALL check for the EICAR test file and treat it in the same way as a real virus file.
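The settings above (Scan EICAR in Table 123, and Destroy compressed files that could not be decompressed in Table 122) decide what happens to three kinds of file: a plain file containing a known pattern, a ZIP whose members can be unpacked and scanned, and a ZIP that cannot be unpacked, including password-protected ones. The following Python is an added example, not ZyWALL code, showing those decisions on constructed inputs. Its only "signature" is the public EICAR test string, which is harmless by design; the helper that marks a ZIP entry as encrypted just flips the flag bit, because the standard library cannot write encrypted archives.

```python
import io
import zipfile
import zlib

# Added example (not ZyXEL code): a minimal scanner with the EICAR and ZIP-handling options
# described in Tables 122 and 123. The EICAR string is the standard AV test file (eicar.org).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ENCRYPTED_FLAG = 0x0001   # general-purpose flag bit 0 of a ZIP entry: password protected


def scan_bytes(data, scan_eicar=True):
    """Return the signature name found in data, or None. Only EICAR is known to this example."""
    if scan_eicar and EICAR in data:
        return "EICAR-Test-File"
    return None


def scan_file(data, scan_eicar=True, destroy_undecompressable=False):
    """Return (action, detail); action is 'forward' or 'destroy', as in the Anti-Virus rule."""
    if data[:2] == b"PK":                           # ZIP archive: scan the members
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & ENCRYPTED_FLAG:
                        raise zipfile.BadZipFile("%s is password protected" % info.filename)
                    hit = scan_bytes(zf.read(info), scan_eicar)
                    if hit:
                        return "destroy", "%s: %s" % (info.filename, hit)
            return "forward", "archive clean"
        except (zipfile.BadZipFile, RuntimeError, zlib.error) as exc:
            if destroy_undecompressable:
                return "destroy", "cannot decompress: %s" % exc
            return "forward", "not scanned: %s" % exc   # passes through unscanned
    hit = scan_bytes(data, scan_eicar)
    return ("destroy", hit) if hit else ("forward", "clean")


def make_zip(members):
    """Constructed test archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag in the central directory so the single entry looks password
    protected (the stdlib cannot write encrypted ZIPs; this only flips the flag for the test)."""
    data = bytearray(zip_bytes)
    pos = data.find(b"PK\x01\x02")              # central directory file header
    data[pos + 8] |= ENCRYPTED_FLAG             # general-purpose flags at offset 8
    return bytes(data)
```

With destroy_undecompressable left off, an archive the scanner cannot open is forwarded unscanned, which is the gap the page warns about for password-protected files; turning it on trades that gap for the loss of legitimate encrypted archives.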
Chapter 28 Anti-Virus Table 123 Anti-X > Anti-Virus > Setting (continued) LABEL DESCRIPTION Apply Click Apply to save your changes. Reset Click Reset to start configuring this screen again. 28.5 Anti-Virus White List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a white list Add icon or Edit icon to display the following screen.
Chapter 28 Anti-Virus 28.6 Anti-Virus Black List Add/Edit From the Anti-X > Anti-Virus > Setting screen, click a black list Add icon or Edit icon to display the following screen. Use this screen to create an anti-virus black list entry for a file pattern that should cause the ZyWALL to log and delete a file.
Chapter 28 Anti-Virus Figure 316 Anti-X > Anti-Virus > Signature: Search by Severity The following table describes the labels in this screen. Table 126 Anti-X > Anti-Virus > Signature LABEL DESCRIPTION Signatures Select the criteria on which to perform the search. Search Select By Name from the drop down list box and type the name or part of the name of the signature(s) you want to find.
Chapter 28 Anti-Virus Table 126 Anti-X > Anti-Virus > Signature (continued) LABEL DESCRIPTION Severity This is the severity level of the anti-virus signature. Click the severity column header to sort your search results by ascending or descending severity. Category This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category.
Chapter 29 IDP This chapter introduces IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic direction, custom signatures and updating signatures. See the IDP section in the Configuration Overview chapter for related information on these screens. 29.1 Introduction to IDP An IDP system can detect malicious or suspicious packets and respond instantaneously.
Chapter 29 IDP 29.1.4 Signatures If a packet matches a signature, the action specified by the signature is taken. You can change the default signature actions in the profile screens. 29.2 Traffic Directions and Profiles A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces.
Chapter 29 IDP Figure 317 Anti-X > IDP > General The following table describes the labels in this screen. Table 127 Anti-X > IDP > General LABEL DESCRIPTION General Setup Enable Signature Detection You must register for IDP service in order to use packet inspection signatures. If you don’t have a standard license, you can register for a one-off trial one.
Chapter 29 IDP Table 127 Anti-X > IDP > General (continued) LABEL DESCRIPTION (Icons) Click the Add icon in the heading row to add a new first entry. The Active icon displays whether the entry is enabled or not. Click it to activate or deactivate the entry.
Chapter 29 IDP Figure 318 Anti-X > IDP > General > Add The following table describes the labels in this screen. Table 128 Anti-X > IDP > General > Add LABEL DESCRIPTION Enable Select this check box to turn on this IDP profile to traffic direction binding. From Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
Chapter 29 IDP Figure 319 Base Profiles The following table describes this screen. Table 129 Base Profiles BASE PROFILE DESCRIPTION All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
Chapter 29 IDP Figure 320 Anti-X > IDP > Profile The following table describes the fields in this screen. Table 130 Anti-X > IDP > Profile LABEL DESCRIPTION Name This is the name of the profile you created. Base Profile This is the base profile from which the profile was created.
Chapter 29 IDP If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue. 3 Type a new profile name. 4 Enable or disable individual signatures. 5 Edit the default log options and actions.
Chapter 29 IDP The following table describes the fields in this screen. Table 131 Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 29 IDP Table 131 Anti-X > IDP > Profile > Group View (continued) LABEL DESCRIPTION Action Select what action the ZyWALL should take when a packet matches a signature here. original setting: Select this action to return each signature in a service group to its previously saved configuration.
Chapter 29 IDP Table 132 Policy Types (continued) POLICY TYPE DESCRIPTION DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A distributed denial-of-service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
Chapter 29 IDP Table 133 IDP Service Groups (continued) MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC IMAP ICMP FINGER The following figure shows the WEB_PHP service group that contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server- side HTML embedded scripting language that allows web developers to build dynamic websites.
Chapter 29 IDP Figure 323 Anti-X > IDP > Profile: Query View The following table describes the fields in this screen. Table 134 Anti-X > IDP > Profile: Query View LABEL DESCRIPTION Name This is the name of the profile that you created in the IDP > Profiles > Packet Inspection group view screen.
Chapter 29 IDP Table 134 Anti-X > IDP > Profile: Query View (continued) LABEL DESCRIPTION Search Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the search criteria selected were.
Chapter 29 IDP Figure 325 Query Example Search Results 29.9 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
Chapter 29 IDP Figure 326 IP v4 Packet Headers The header fields are discussed below: Table 135 IP v4 Packet Headers HEADER DESCRIPTION Version The value 4 indicates IP version 4. IP Header Length is the number of 32 bit words forming the total length of the header (usually five).
Chapter 29 IDP Table 135 IP v4 Packet Headers (continued) HEADER DESCRIPTION Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY...
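Writing a custom signature means reasoning about the header fields in Table 135, and a packet-inspection engine has to validate those fields before trusting them (a header length smaller than 20 bytes, or a total length larger than the frame, is a classic way to confuse a parser). The following Python is an added example, not ZyWALL code: it parses an IPv4 header into the fields of Table 135, checks IHL, total length and the header checksum, decodes the option list, and includes a builder for constructed test packets. Option numbers come from RFC 791; the option names are those used in Table 135.

```python
import struct

# Added example (not ZyXEL code): parse the IPv4 header fields of Table 135 from raw bytes,
# with the sanity checks an inspection engine needs before using them.

IP_OPTION_NAMES = {  # option kind numbers per RFC 791 / IANA; names as used in Table 135
    7: "Record Route", 68: "Timestamp", 130: "Security", 131: "Loose Source Routing",
    136: "Stream Identifier", 137: "Strict Source Routing",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a valid header (checksum field included) it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(raw: bytes) -> list:
    """Return [(name_or_kind, data)] for the option bytes between byte 20 and the end of the header."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # No Operation: single byte, used for padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated IP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad IP option length %d" % length)
        opts.append((IP_OPTION_NAMES.get(kind, kind), raw[i + 2:i + length]))
        i += length
    return opts


def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4     # IHL is in 32-bit words
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("invalid IHL %d" % ihl)
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length %d does not fit the packet" % total_len)
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,      # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": checksum(packet[:ihl]) == 0,
        "options": parse_options(packet[20:ihl]),
        "payload": packet[ihl:total_len],
    }


def is_well_formed(packet: bytes) -> bool:
    try:
        return parse_ipv4(packet)["checksum_ok"]
    except ValueError:
        return False


def build_ipv4(src, dst, proto, payload, options=b"", df=False, ttl=64) -> bytes:
    """Constructed test packet: pads options to a 32-bit boundary and fills in the checksum."""
    options += b"\x00" * (-len(options) % 4)
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(payload)
    head = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0x1234,
                       0x4000 if df else 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + options
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload
```

The builder and parser round-trip, so a packet with a Record Route option (kind 7) decodes to the same fields it was built from; flipping any header byte fails the checksum, and an IHL of 4 words or a total length beyond the buffer is rejected before any field is used.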
Chapter 29 IDP The following table describes the fields in this screen. Table 136 Anti-X > IDP > Custom Signatures LABEL DESCRIPTION Creating Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures. SID is the signature ID that uniquely identifies a signature.
Chapter 29 IDP The following table describes the fields in this screen. Table 137 Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 29 IDP Table 137 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION IP Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be...
Chapter 29 IDP Table 137 Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size.
Chapter 29 IDP 29.10.2.2 Analyze Packets Then use a packet sniffer such as TCPdump or Ethereal (now Wireshark) to investigate some more. From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next three bytes represent the length of the data, so you can ignore them. Therefore enter |00| as the first pattern.
Chapter 29 IDP 29.10.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999. You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile.
Chapter 29 IDP Figure 334 Custom Signature Log 29.10.5 Snort Signatures You may want to refer to open source Snort signatures when creating custom ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options as shown in the following example: alert tcp any any ->...
Chapter 29 IDP Table 138 ZyWALL - Snort Equivalent Terms (continued) ZYWALL TERM SNORT EQUIVALENT TERM Flow = flow; Flags = flags; Sequence Number = seq; Ack Number = ack; Window Size = window; Transport Protocol: UDP = udp (in Snort rule header); Port = port number (in Snort rule header); Transport Protocol: ICMP = icmp (in Snort rule header); Type = itype; Code = icode.
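Section 29.10.2.2 and 29.10.5 together describe the translation job: take a Snort rule (header plus options) and turn it into ZyWALL custom-signature fields, with payload patterns such as |00| given as hex. The following Python program is an added worked example, not part of this guide and not the ZyWALL's own rule engine: it parses a one-line Snort rule, decodes the |hex| notation in content strings, honours offset and depth when matching a payload, and maps option keywords to the ZyWALL terms of Table 138. The rule, the NetBIOS payload and the network addresses are constructed; the parser is simplified and assumes a rule without semicolons inside quoted strings.

```python
import ipaddress
import re

# Snort option keyword -> ZyWALL custom-signature field, from Table 138.
# Keywords not listed there are passed through unchanged.
ZYWALL_TERMS = {
    "flow": "Flow", "flags": "Flags", "seq": "Sequence Number", "ack": "Ack Number",
    "window": "Window Size", "itype": "Type", "icode": "Code",
}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def decode_content(spec: str) -> bytes:
    """'abc|00 01|def' -> b'abc\\x00\\x01def'.  Text outside |...| is literal, inside is hex."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, p in enumerate(parts):
        out += p.encode("latin-1") if i % 2 == 0 else bytes.fromhex(p)
    return bytes(out)


def parse_rule(text: str) -> dict:
    """Split a single-line Snort rule into its header fields and an ordered option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("rule header does not parse")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": []}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        rule["options"].append((key.strip(), val.strip().strip('"')))
    return rule


def addr_matches(spec: str, ip: str) -> bool:
    """Rule header address: 'any', a host, or a CIDR block."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches_payload(rule: dict, payload: bytes) -> bool:
    """Every content pattern must be found, each within its own offset/depth window.
    Snort semantics assumed: offset = where to start, depth = how many bytes to search."""
    checks = []
    for key, val in rule["options"]:
        if key == "content":
            checks.append({"pat": decode_content(val), "offset": 0, "depth": None})
        elif key in ("offset", "depth") and checks:
            checks[-1][key] = int(val)
    for c in checks:
        start = c["offset"]
        end = len(payload) if c["depth"] is None else start + c["depth"]
        if payload.find(c["pat"], start, end) < 0:
            return False
    return True


def zywall_fields(rule: dict) -> dict:
    """Rename option keywords to the ZyWALL screen labels."""
    return {ZYWALL_TERMS.get(k, k): v for k, v in rule["options"]}


# Constructed sample rule in the 9000000+ custom SID range, and a constructed
# NetBIOS session message: type byte 0x00, 3-byte length, then data.
RULE = ('alert tcp any any -> 192.168.1.0/24 139 '
        '(msg:"NetBIOS session message"; flow:to_server; content:"|00|"; offset:0; depth:1; sid:9000001;)')
SESSION_MESSAGE = b"\x00\x00\x00\x04" + b"data"
SESSION_REQUEST = b"\x81\x00\x00\x44" + b"x" * 68   # type 0x81: must not match
```

The depth of 1 is what turns "first byte is 00" into a precise check; without it the pattern |00| would match almost any payload containing a zero byte, which is the usual cause of noisy custom signatures.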
CHAPTER 30 ADP This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and binding an ADP profile to a traffic direction. See the ADP section in the Configuration Overview chapter for related information on these screens. 30.1 Introduction to ADP An ADP system can detect malicious or suspicious packets and respond instantaneously.
Chapter 30 ADP 30.1.3 ADP on the ZyWALL ADP on the ZyWALL protects against network-based intrusions. See Section 30.8 and Section 30.9 for more on the kinds of attacks that the ZyWALL can protect against. You can also create your own custom ADP rules. 30.2 Traffic Directions and Profiles A zone is a combination of ZyWALL interfaces and VPN connections for security.
Chapter 30 ADP The following table describes the labels in this screen. Table 139 Anti-X > ADP > General LABEL DESCRIPTION General Setup Enable Anomaly Detection Select this check box to enable traffic anomaly and protocol anomaly detection. Bindings Use this list to specify which anomaly profile the ZyWALL uses for traffic flowing in a specific direction.
Chapter 30 ADP Figure 336 Anti-X > ADP > General > Add The following table describes the labels in this screen. Table 140 Anti-X > ADP > General > Add LABEL DESCRIPTION Enable Select this check box to turn on this anomaly profile to traffic direction binding. From Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
Chapter 30 ADP Figure 337 Base Profiles These are the default base profiles at the time of writing. Table 141 Base Profiles BASE PROFILE DESCRIPTION All traffic anomaly and protocol anomaly rules are enabled. Rules with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
Chapter 30 ADP Table 142 Anti-X > ADP > Profile (continued) LABEL DESCRIPTION Base Profile This is the base profile from which the profile was created. (Icons) Click the Add icon in the column header to create a new profile. A pop-up screen displays requiring you to choose a base profile from which to create the new profile.
Chapter 30 ADP 30.8.1 Port Scanning An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap. Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types: •...
Chapter 30 ADP 30.8.1.4 Filtered Port Scans A filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or responses on closed ports have been suppressed. Active network devices, such as NAT routers, may trigger these alerts if they send out many connection attempts within a very small amount of time.
Chapter 30 ADP 30.8.2.3 TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns its own SYN together with an ACK (acknowledgment) in a single SYN-ACK packet, and then the initiator responds with an ACK. After this handshake, a connection is established. Figure 340 TCP Three-Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets.
Chapter 30 ADP 30.8.2.5 UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible because an attacker can send UDP packets to random ports on the victim system without any handshake. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
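Sections 30.8.1 through 30.8.2.5 describe the traffic anomalies the ADP rules look for: many connection attempts to different ports from one source (a port scan, "filtered" when nothing answers), a burst of SYNs that never complete the handshake (SYN flood), and a burst of UDP datagrams to one host (UDP flood). The following Python program is an added worked example, not part of this guide and not the ZyWALL's detection engine; it runs simple sliding-window detectors for these three anomalies over a constructed event list. The thresholds, the event format and the addresses are assumptions chosen for the example, and the "filtered" classification follows the page's definition: no SYN-ACK, RST or ICMP unreachable came back.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float      # seconds since capture start
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int
    kind: str     # tcp: syn | synack | ack | rst; udp: data; icmp: unreach


def _burst(times, window, threshold):
    """Count of timestamps in the first window-sized span that reaches threshold (0 if none)."""
    times = sorted(times)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return hi - lo + 1
    return 0


def detect_port_scans(events, window=5.0, min_ports=10):
    """One source probing >= min_ports distinct ports on one host within `window` seconds.
    'filtered' when the target answered none of the probes (no SYN-ACK, RST or ICMP
    unreachable came back), 'open' otherwise."""
    probes = defaultdict(list)      # (scanner, target) -> [(t, dport)]
    answered = set()                # (scanner, target) pairs that saw any reply
    for e in events:
        if e.kind == "syn":
            probes[(e.src, e.dst)].append((e.t, e.dport))
        elif e.kind in ("synack", "rst", "unreach"):
            answered.add((e.dst, e.src))   # replies travel target -> scanner
    alerts = []
    for (src, dst), lst in probes.items():
        lst.sort()
        lo = 0
        for hi in range(len(lst)):
            while lst[hi][0] - lst[lo][0] > window:
                lo += 1
            ports = {p for _, p in lst[lo:hi + 1]}
            if len(ports) >= min_ports:
                kind = "open" if (src, dst) in answered else "filtered"
                alerts.append(("%s-portscan" % kind, src, dst, len(ports)))
                break
    return alerts


def detect_syn_flood(events, window=1.0, max_half_open=50):
    """Half-open connections: SYNs to dst:port whose source never sent the final ACK."""
    syns = defaultdict(list)        # (dst, dport) -> [(t, src)]
    completed = set()               # (src, dst, dport) that finished the handshake
    for e in events:
        if e.kind == "syn":
            syns[(e.dst, e.dport)].append((e.t, e.src))
        elif e.kind == "ack":
            completed.add((e.src, e.dst, e.dport))
    alerts = []
    for (dst, dport), lst in syns.items():
        half_open = [t for t, src in lst if (src, dst, dport) not in completed]
        n = _burst(half_open, window, max_half_open)
        if n:
            alerts.append(("syn-flood", dst, dport, n))
    return alerts


def detect_udp_flood(events, window=1.0, max_pkts=100):
    """Datagram rate to one host regardless of port, since a flood sprays random ports."""
    per_dst = defaultdict(list)
    for e in events:
        if e.proto == "udp":
            per_dst[e.dst].append(e.t)
    alerts = []
    for dst, ts in per_dst.items():
        n = _burst(ts, window, max_pkts)
        if n:
            alerts.append(("udp-flood", dst, n))
    return alerts


def sample_events():
    """Constructed traffic, not a real capture; addresses are documentation ranges."""
    ev = []
    # 1) Nmap-style sweep of 20 ports; the target answers one probe with RST -> 'open' scan.
    for i in range(20):
        ev.append(Event(0.1 * i, "10.0.0.9", "192.168.1.20", "tcp", 1 + i, "syn"))
    ev.append(Event(0.15, "192.168.1.20", "10.0.0.9", "tcp", 1, "rst"))
    # 2) Sweep of a host that never answers -> 'filtered' scan.
    for i in range(12):
        ev.append(Event(10 + 0.2 * i, "10.0.0.9", "192.168.1.30", "tcp", 80 + i, "syn"))
    # 3) SYN flood: 60 spoofed sources that never complete the handshake.
    for i in range(60):
        ev.append(Event(20 + 0.01 * i, "203.0.113.%d" % i, "192.168.1.40", "tcp", 80, "syn"))
    # 4) A legitimate client completing its handshake must not count as half-open.
    ev.append(Event(20.5, "198.51.100.7", "192.168.1.40", "tcp", 80, "syn"))
    ev.append(Event(20.6, "198.51.100.7", "192.168.1.40", "tcp", 80, "ack"))
    # 5) UDP flood: 150 datagrams to random ports within half a second.
    for i in range(150):
        ev.append(Event(30 + 0.003 * i, "203.0.113.200", "192.168.1.50", "udp", 1024 + i, "data"))
    return ev
```

Note the caveat from Section 30.8.1.4 in the "filtered" branch: a NAT router or proxy that legitimately opens many connections in a short time will look exactly like this, so the per-source threshold and window need tuning for the zone the profile is bound to.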
Chapter 30 ADP The following table describes the fields in this screen. Table 143 ADP > Profile > Traffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 30 ADP Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder where each category reflects the packet type inspected. Protocol anomaly rules may be updated when you upload new firmware. 30.9.1 HTTP Inspection and TCP/UDP/ICMP Decoders The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.
Chapter 30 ADP Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION NON-RFC-HTTP-DELIMITER ATTACK This is when a bare newline (“\n”) character is detected as a line delimiter instead of the CRLF (“\r\n”) that the HTTP specification requires. This is non-standard but is accepted by both Apache and IIS web servers.
Chapter 30 ADP Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION UDP Decoder OVERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of greater than the actual packet length. This may cause some applications to crash.
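Two of the protocol anomaly rules in Table 144 are simple enough to show end to end: the UDP decoder's OVERSIZE-LEN (the UDP length field claims more bytes than the datagram actually carries) and the HTTP inspection NON-RFC-HTTP-DELIMITER (a bare "\n" used as a line delimiter). The following Python program is an added worked example, not code from this guide or from the ZyWALL; the sample datagrams and HTTP requests are constructed, and the extra rule names UNDERSIZE-LEN and MALFORMED-REQUEST-LINE are the example's own additions, not names from Table 144.

```python
import re
import struct

UDP_HEADER_LEN = 8
BARE_LF = re.compile(rb"(?<!\r)\n")          # an LF not preceded by CR
HEADER_END = re.compile(rb"\r\n\r\n|\n\n")   # end of the HTTP header block, strict or lenient


def udp_decoder(segment: bytes) -> list:
    """Anomaly names for one UDP segment (header + payload), as an ADP decoder would report."""
    if len(segment) < UDP_HEADER_LEN:
        return ["TRUNCATED-HEADER"]
    _sport, _dport, length, _csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length > len(segment):
        return ["OVERSIZE-LEN"]      # Table 144: length field greater than the actual packet length
    if length < UDP_HEADER_LEN:
        return ["UNDERSIZE-LEN"]     # example's own name: a length below the fixed header is bogus too
    return []


def http_inspection(request: bytes) -> list:
    """Delimiter and request-line checks over the header block of a raw HTTP request."""
    findings = []
    m = HEADER_END.search(request)
    head = request[:m.end()] if m else request
    if BARE_LF.search(head):
        findings.append("NON-RFC-HTTP-DELIMITER")   # Table 144: accepted by Apache/IIS, not RFC-conformant
    request_line = head.split(b"\n", 1)[0].rstrip(b"\r")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        findings.append("MALFORMED-REQUEST-LINE")   # example's own name, not in Table 144
    return findings


# Constructed samples.
GOOD_UDP = struct.pack("!HHHH", 53, 4000, UDP_HEADER_LEN + 4, 0) + b"abcd"
OVERSIZE_UDP = struct.pack("!HHHH", 53, 4000, 500, 0) + b"abcd"      # claims 500 bytes, has 12
GOOD_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.zyxel.com\r\n\r\n"
LF_HTTP = b"GET /index.html HTTP/1.1\nHost: www.zyxel.com\n\n"
```

The OVERSIZE-LEN case is the one worth remembering when writing decoders: any code that trusts the length field to size a copy reads past the end of the datagram, which is why Table 144 notes that such packets can crash applications.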
Chapter 30 ADP The following table describes the fields in this screen. Table 145 ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
CHAPTER 31 Content Filter Screens This chapter covers how to use the content filter feature to control web access. See the Content Filter section in the Configuration Overview chapter for related information on these screens. 31.1 Content Filter Overview Content filter allows you to block certain web features, such as cookies, and/or block access to specific web sites.
Chapter 31 Content Filter Screens 31.1.3 Content Filter Configuration Guidelines You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy. When the ZyWALL receives an HTTP request, the content filter searches for a policy that matches the source address and time (schedule).
Chapter 31 Content Filter Screens Table 146 Anti-X > Content Filter > General (continued) LABEL DESCRIPTION Block web access when no policy is applied Select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy. This column lists the index numbers of the content filter policies.
Chapter 31 Content Filter Screens Table 146 Anti-X > Content Filter > General (continued) LABEL DESCRIPTION Registration Status This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service.
Chapter 31 Content Filter Screens The following table describes the labels in this screen. Table 147 Anti-X > Content Filter > General > Add LABEL DESCRIPTION Schedule Select a schedule to define when to apply this content filter policy. You can define different policies for different time periods.
Chapter 31 Content Filter Screens Table 148 Anti-X > Content Filter > Filtering Profile (continued) LABEL DESCRIPTION Click the Add icon at the top of the column to create a new content filter profile at the end of the list. Click a content filter policy’s Add icon to create a new content filter policy below the current line.
2 Click Content Filter in the Service Name field to open the Blue Coat login screen. 3 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 353 on page 480).
Chapter 31 Content Filter Screens Figure 348 Anti-X > Content Filter > Filtering Profile > Add The following table describes the labels in this screen. Table 149 Anti-X > Content Filter > Filtering Profile > Add LABEL DESCRIPTION Name Enter a descriptive name for this content filtering profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filtering Profile > Add (continued) LABEL DESCRIPTION Enable External Web Filtering Service Enable external database content filtering to have the ZyWALL check an external database to find out which category a requested web page belongs to.
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filtering Profile > Add (continued) LABEL DESCRIPTION Intimate Apparel/Swimsuit Selecting this category excludes pages that contain images or offer the sale of swimsuits or intimate apparel or other types of suggestive clothing.
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filtering Profile > Add (continued) LABEL DESCRIPTION Arts/Entertainment Selecting this category excludes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filtering Profile > Add (continued) LABEL DESCRIPTION Political/Activist Groups Selecting this category excludes pages sponsored by or which provide information on political parties, special interest groups, or any organization that promotes change or reform in public policy, public opinion, social practice, or economic activities.
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filtering Profile > Add (continued) LABEL DESCRIPTION Open Image/Media Search Selecting this category excludes pages with image or video search capabilities which return graphical results (i.e. thumbnail pictures) that include potentially pornographic content along with non-pornographic content (as defined in the Pornography category).
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filtering Profile > Add (continued) LABEL DESCRIPTION Sexuality/Alternative Lifestyles Selecting this category excludes pages that provide information on, promote, or cater to gays, lesbians, swingers, other sexual orientations or practices, or a particular fetish.
Chapter 31 Content Filter Screens Table 149 Anti-X > Content Filter > Filtering Profile > Add (continued) LABEL DESCRIPTION Test Against Local Cache Click this button to see the category recorded in the ZyWALL’s content filtering database for the web page you specified (if the database has an entry for it).
Chapter 31 Content Filter Screens Figure 349 Anti-X > Content Filter > Filtering Profiles > Customization The following table describes the labels in this screen. Table 150 Anti-X > Content Filter > Filtering Profiles > Customization LABEL DESCRIPTION Filtering Profile Name Enter a descriptive name for this content filtering profile.
Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
For example, with the URL www.zyxel.com.tw/ news/pressroom.php, the ZyWALL would find “tw” in the domain name (www.zyxel.com.tw). It would also find “news” in the file path (news/pressroom.php) but it would not find “tw/news”. 31.9 Content Filter Cache Screen Click Anti-X >...
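The two customization rules above are easy to get subtly wrong: a trusted or forbidden entry is a host name that implicitly covers every subdomain, and a keyword is matched against the domain name and against the file path separately, so "tw/news" never matches even though "tw" and "news" both do. The following Python program is an added worked example (not the ZyWALL's content filter code) that implements exactly those two rules against the guide's own www.zyxel.com.tw/news/pressroom.php example and combines them with a category lookup. The order in which trusted hosts, forbidden hosts, keywords and categories are consulted in `decide()` is an assumption made for the example, as are the host names other than the guide's.

```python
from urllib.parse import urlsplit


def normalize_host(entry: str) -> str:
    """Trusted/forbidden lists hold bare host names: no scheme, no path."""
    entry = entry.strip().lower().rstrip(".")
    if not entry or "://" in entry or "/" in entry:
        raise ValueError("enter a host name, not a URL: %r" % entry)
    return entry


def is_valid_host_entry(entry: str) -> bool:
    try:
        normalize_host(entry)
        return True
    except ValueError:
        return False


def host_in_list(host: str, entries) -> bool:
    """'zyxel.com' also covers www.zyxel.com, partner.zyxel.com, ... but not notzyxel.com."""
    host = host.lower().rstrip(".")
    for e in entries:
        e = normalize_host(e)
        if host == e or host.endswith("." + e):
            return True
    return False


def split_request(url: str):
    """(domain name, file path without the leading slash), as the keyword check sees them."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or ""), parts.path.lstrip("/")


def keyword_hits(url: str, keywords) -> list:
    """A keyword matches inside the domain name or inside the path, never across the boundary."""
    domain, path = split_request(url)
    path = path.lower()
    return [kw for kw in keywords if kw.lower() in domain or kw.lower() in path]


def decide(url, trusted=(), forbidden=(), keywords=(), category=None, blocked_categories=()):
    """Evaluation order assumed for this example: trusted host, forbidden host, keywords, category."""
    host, _ = split_request(url)
    if host_in_list(host, trusted):
        return ("allow", "trusted")
    if host_in_list(host, forbidden):
        return ("block", "forbidden")
    hits = keyword_hits(url, keywords)
    if hits:
        return ("block", "keyword:" + hits[0])
    if category is not None and category in blocked_categories:
        return ("block", "category:" + category)
    return ("allow", "default")


# The guide's own example URL plus constructed list entries.
EXAMPLE_URL = "www.zyxel.com.tw/news/pressroom.php"
```

Because a keyword such as "tw" matches anywhere in the domain name, it also blocks "www.twitter.example"; keep keywords specific or prefer host entries where you can.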
Chapter 31 Content Filter Screens Figure 350 Anti-X > Content Filter > Cache The following table describes the labels in this screen. Table 151 Anti-X > Content Filter > Cache LABEL DESCRIPTION URL Cache Entry Flush Click this button to clear all web site addresses from the cache manually. Refresh Click this button to reload the list of content filter cache entries.
Chapter 31 Content Filter Screens Table 151 Anti-X > Content Filter > Cache (continued) LABEL DESCRIPTION Remove Click the delete icon to remove the URL entry from the cache. URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to keep an entry in the URL cache before discarding it.
2 Fill in your myZyXEL.com account information and click Submit. Figure 351 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ...
Blue Coat login screen. Figure 353 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 353 on page 480).
Chapter 32 Content Filter Reports 6 Click Submit. Figure 354 Blue Coat: Login 7 In the Web Filter Home screen, click the Reports tab. Figure 355 Blue Coat Content Filter Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Chapter 32 Content Filter Reports Figure 356 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
Chapter 32 Content Filter Reports Figure 357 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Chapter 32 Content Filter Reports Figure 358 Requested URLs Example 32.2 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
Chapter 32 Content Filter Reports Figure 359 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
CHAPTER 33 Device HA Use device HA and Virtual Router Redundancy Protocol (VRRP) to increase network reliability. See the Device HA section in the Configuration Overview chapter for related information on these screens. 33.1 Virtual Router Redundancy Protocol (VRRP) Overview Every computer on a network may send packets to a default gateway, which can become a single point of failure.
Chapter 33 Device HA Every router in a virtual router must use the same advertisement interval. If Router A becomes unavailable, it stops sending messages to Router B. Router B detects this and assumes the role of the master router. This is illustrated below. Figure 361 Example: VRRP, Master Becomes Unavailable Router B is now using the IP address of the default gateway, and it is forwarding packets for the network.
Chapter 33 Device HA 33.1.1 Additional VRRP Notes • It is possible to set up two virtual routers so that they back up each other. • VRRP uses IP protocol 112. 33.2 VRRP Group Overview In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router.
Chapter 33 Device HA 33.2.1 Link Monitoring and Remote Management With link monitoring enabled, a backup ZyWALL that takes over for an unavailable master ZyWALL takes over all of the master ZyWALL’s static IP addresses. This way the backup ZyWALL takes over all of the master ZyWALL’s functions. However, this also means you can no longer access the original master ZyWALL through one of its static IP addresses (because the backup ZyWALL now uses this address).
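Sections 33.1 and 33.2.1 describe the VRRP behaviour in words: the master advertises at a fixed interval, every member of the virtual router must use the same interval, a backup that stops hearing advertisements takes over the gateway address, and the original master gets it back when it returns. The following Python simulation is an added worked example, not code from this guide or from the ZyWALL; it models two routers, a failure and a recovery, and shows who owns the virtual IP at each second. The master-down timer (3 × advertisement interval + a priority-based skew) is the RFC 3768 formula; the priorities, addresses and timing are constructed, and preemption is assumed to be enabled.

```python
from dataclasses import dataclass

VRRP_PROTOCOL = 112          # IP protocol number used by VRRP (Section 33.1.1)


@dataclass
class Router:
    name: str
    priority: int            # 1..254 for backups; 255 is reserved for the address owner
    adv_interval: float = 1.0
    preempt: bool = True
    state: str = "backup"
    up: bool = True
    last_adv_seen: float = 0.0

    @property
    def master_down_interval(self) -> float:
        # RFC 3768: 3 * advertisement interval + skew, skew = (256 - priority) / 256 seconds
        return 3 * self.adv_interval + (256 - self.priority) / 256.0


class VirtualRouter:
    """One VRID, one virtual IP; every member must use the same advertisement interval."""

    def __init__(self, vrid: int, vip: str, routers):
        if len({r.adv_interval for r in routers}) != 1:
            raise ValueError("every router in a virtual router must use the same advertisement interval")
        self.vrid, self.vip, self.routers, self.log = vrid, vip, list(routers), []
        max(self.routers, key=lambda r: r.priority).state = "master"

    def master(self):
        return next((r for r in self.routers if r.state == "master" and r.up), None)

    def owner_of_vip(self):
        m = self.master()
        return m.name if m else None          # None: nobody is forwarding for the VIP

    def tick(self, now: float):
        """One advertisement interval: master advertises, backups watch their timers."""
        m = self.master()
        if m:
            for r in self.routers:
                if r is not m and r.up:
                    r.last_adv_seen = now
                    if r.preempt and r.priority > m.priority:
                        m.state, r.state = "backup", "master"
                        self.log.append((now, "%s preempts %s" % (r.name, m.name)))
                        return
            return
        for r in self.routers:
            if r.up and r.state == "backup" and now - r.last_adv_seen > r.master_down_interval:
                new = max((x for x in self.routers if x.up and x.state == "backup"), key=lambda x: x.priority)
                new.state = "master"
                self.log.append((now, "%s becomes master" % new.name))
                return

    def fail(self, name: str):
        r = next(x for x in self.routers if x.name == name)
        r.up, r.state = False, "backup"        # it simply stops advertising

    def recover(self, name: str, now: float):
        r = next(x for x in self.routers if x.name == name)
        r.up, r.state, r.last_adv_seen = True, "backup", now


def run_scenario():
    """Router A (priority 200) fails at t=3 and returns at t=9; Router B (priority 100) covers."""
    a, b = Router("Router A", priority=200), Router("Router B", priority=100)
    vr = VirtualRouter(vrid=1, vip="192.168.1.1", routers=[a, b])
    timeline = {}
    for t in range(12):
        if t == 3:
            vr.fail("Router A")
        if t == 9:
            vr.recover("Router A", float(t))
        vr.tick(float(t))
        timeline[t] = vr.owner_of_vip()
    return vr, timeline
```

The gap in the timeline between the failure and the takeover is the master-down interval; with a one-second advertisement interval it is a little over three seconds, which is the outage a client behind the virtual router will see.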
Chapter 33 Device HA Figure 363 Device HA > VRRP Group The following table describes the labels in this screen. See Section 33.5 on page 494 for more information as well. Table 152 Device HA > VRRP Group LABEL DESCRIPTION Refresh Click this button to update the information in this screen.
Chapter 33 Device HA Table 152 Device HA > VRRP Group (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 33.5 VRRP Group Add/Edit The VRRP Group Add/Edit screen allows you to add VRRP groups to the ZyWALL or to edit the configuration of an existing VRRP group.
Chapter 33 Device HA Table 153 Device HA > VRRP Group > Edit (continued) LABEL DESCRIPTION VRID Type the virtual router ID number. Description Type the description of the VRRP group. This field is only for your reference. It may be up to sixty printable ASCII characters long.
Chapter 33 Device HA 33.6 Synchronization Overview In a virtual router, backup routers do not automatically get configuration updates from the master router. The master ZyWALL can, however, send these updates to backup ZyWALLs. This is called synchronization. During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
Chapter 33 Device HA You must subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. 33.6.2 Synchronize Screen Use this screen if you want the ZyWALL to get or to send updated IDP signatures, and configuration information in the virtual router.
Chapter 33 Device HA Table 154 Network > Device HA > Synchronize (continued) LABEL DESCRIPTION Sync. Now Click this button to get updated certificates, AV signatures, IDP and application patrol signatures, system protect signatures, and configuration information from the specified ZyWALL router. Note: If the new configuration is different from the existing one on this backup ZyWALL, this backup ZyWALL applies the entire configuration.
CHAPTER 34 User/Group This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
Chapter 34 User/Group 34.1.2 Ext-User Accounts Set up an Ext-User account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an Ext-User account.
Chapter 34 User/Group Figure 367 RADIUS Example: Keywords for User Attributes type=user;leaseTime=222;reauthTime=222 34.1.2.2 Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
Chapter 34 User/Group This works with HTTP traffic only. The ZyWALL does not force users to log in before it routes other kinds of traffic. The ZyWALL does not automatically route the request that prompted the login, however, so users have to make this request again. 34.2 User Summary The User screen provides a summary of all user accounts.
Chapter 34 User/Group Figure 369 User/Group > User > Edit The following table describes the labels in this screen. Table 158 User/Group > User > Edit LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
• uucp • zyxel 34.3 Group Summary User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups.
Chapter 34 User/Group Table 160 User/Group > Group (continued) LABEL DESCRIPTION Member This field lists the members in the user group. Each member is separated by a comma. Add icon This column provides icons to add, edit, and remove user groups. To add a user group, click the Add icon at the top of the column.
Chapter 34 User/Group 34.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, log in to the web configurator, and click User/Group >...
Chapter 34 User/Group Table 162 User/Group > Setting (continued) LABEL DESCRIPTION User Logon Setting Limit ... for administration account Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
Chapter 34 User/Group Table 162 User/Group > Setting (continued) LABEL DESCRIPTION Source This field displays the source address object of traffic to which this condition applies. It displays any if this condition applies to traffic from all source addresses. Destination This field displays the destination address object of traffic to which this condition applies.
Chapter 34 User/Group Table 163 User/Group > Setting > Force User Authentication Policy > Add/Edit (continued) LABEL DESCRIPTION Authentication Select whether users must log in (force) or whether users do not have to log in (skip) when this condition is checked and satisfied. Source Address Select a source IP address object or select Create Object to configure a new one.
Chapter 34 User/Group The following table describes the labels in this screen. Table 164 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max ...) Access users can specify a lease time shorter than or equal to the one that you specified.
CHAPTER 35 Addresses This chapter describes how to set up addresses and address groups for the ZyWALL. See the Objects section in the Configuration Overview chapter for related information on these screens. 35.1 Addresses Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
Chapter 35 Addresses Figure 375 Object > Address > Address The following table describes the labels in this screen. See Section 35.2.2 on page 512 for more information as well. Table 165 Object > Address > Address LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific address. Name This field displays the name of each address.
Chapter 35 Addresses The following table describes the labels in this screen. Table 166 Object > Address > Address > Edit LABEL DESCRIPTION Name Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
Chapter 35 Addresses Table 167 Object > Address > Address Group (continued) LABEL DESCRIPTION Description This field displays the description of each address group, if any. Add icon This column provides icons to add, edit, and remove address groups. To add an address group, click the Add icon at the top of the column. The Address Group Add/Edit screen appears.
CHAPTER 36 Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. See the Objects section in the Configuration Overview chapter for related information on these screens.
Chapter 36 Services • TCP applications • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules, and IDP profiles. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service.
Chapter 36 Services Table 169 Object > Service > Service (continued) LABEL DESCRIPTION Content This field displays a description of each service. Add icon This column provides icons to add, edit, and remove services. To add a service, click the Add icon at the top of the column. The Service Add/ Edit screen appears.
Chapter 36 Services 36.3 Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the web configurator, and click Object > Service > Service Group.
Chapter 36 Services Figure 382 Object > Service > Service Group > Edit The following table describes the labels in this screen. Table 172 Object > Service > Service Group > Edit LABEL DESCRIPTION Name Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
CHAPTER 37 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. See the Objects section in the Configuration Overview chapter for related information on these screens. 37.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring.
Chapter 37 Schedules Figure 383 Object > Schedule The following table describes the labels in this screen. See Section 37.2.2 on page 522 and Section 37.2.3 on page 523 for more information as well. Table 173 Object > Schedule LABEL DESCRIPTION One Time This field is a sequential value, and it is not associated with a specific schedule.
Chapter 37 Schedules Figure 384 Object > Schedule > Edit (One Time) The following table describes the labels in this screen. Table 174 Object > Schedule > Edit (One Time) LABEL DESCRIPTION Configuration Name Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
Chapter 37 Schedules Figure 385 Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen. Table 175 Object > Schedule > Edit (Recurring) LABEL DESCRIPTION Configuration...
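Address objects (single address, range or subnet, nested in groups) and schedule objects (one-time and recurring) are the building blocks that Section 31.1.3 says a content filter policy is matched on: the first policy whose source address and schedule both match the request wins, and the "block web access when no policy is applied" setting decides what happens otherwise. The following Python program is an added worked example that serves Chapters 31, 35 and 37 together; it is not code from this guide or from the ZyWALL. Object names, addresses, profile names and the timing of the constructed scenario are assumptions; the cycle check on nested groups and the midnight-wrapping recurring schedule are the example's own handling of two edge cases the screens do not spell out.

```python
import ipaddress
from datetime import datetime


def at(s: str) -> datetime:
    """'2007-07-10 12:00' -> datetime, for the sample checks."""
    return datetime.fromisoformat(s)


class Address:
    """Address object: a single host ('192.168.1.10'), a range ('a-b') or a subnet (CIDR)."""

    def __init__(self, name: str, spec: str):
        self.name = name
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
            if hi < lo:
                raise ValueError("range end before start in %s" % name)
            self.lo, self.hi = int(lo), int(hi)
        else:
            net = ipaddress.ip_network(spec, strict=False)
            self.lo, self.hi = int(net[0]), int(net[-1])

    def contains(self, ip: str) -> bool:
        return self.lo <= int(ipaddress.ip_address(ip)) <= self.hi


class AddressGroup:
    """Groups hold address objects and other groups; a group that contains itself is an error."""

    def __init__(self, name: str, members):
        self.name, self.members = name, list(members)

    def contains(self, ip: str, _path=frozenset()) -> bool:
        if self.name in _path:
            raise ValueError("address group cycle at %s" % self.name)
        path = _path | {self.name}
        for m in self.members:
            if (m.contains(ip, path) if isinstance(m, AddressGroup) else m.contains(ip)):
                return True
        return False


class OneTimeSchedule:
    def __init__(self, name: str, start: datetime, end: datetime):
        self.name, self.start, self.end = name, start, end

    def active(self, when: datetime) -> bool:
        return self.start <= when <= self.end


class RecurringSchedule:
    """Weekly schedule: days are weekday numbers (Monday = 0), times are 'HH:MM'.
    An end time earlier than the start time means the range runs past midnight."""

    def __init__(self, name: str, days, start: str, end: str):
        self.name, self.days = name, set(days)
        self.start = int(start[:2]) * 60 + int(start[3:])
        self.end = int(end[:2]) * 60 + int(end[3:])

    def active(self, when: datetime) -> bool:
        minute, day = when.hour * 60 + when.minute, when.weekday()
        if self.start <= self.end:
            return day in self.days and self.start <= minute <= self.end
        prev_day = (day - 1) % 7
        return (day in self.days and minute >= self.start) or (prev_day in self.days and minute <= self.end)


class ContentFilterPolicy:
    def __init__(self, source, schedule, profile: str):
        self.source, self.schedule, self.profile = source, schedule, profile


def select_policy(policies, src_ip: str, when: datetime, block_when_no_policy=True) -> str:
    """First policy (table order) whose source address and schedule both match the request."""
    for p in policies:
        if p.source.contains(src_ip) and p.schedule.active(when):
            return p.profile
    return "BLOCK" if block_when_no_policy else "ALLOW"


def sample_policies():
    """Constructed objects: staff hosts always get STAFF_PROFILE, guests only in work hours."""
    lan = Address("LAN_SUBNET", "192.168.1.0/24")
    guests = Address("GUEST_RANGE", "192.168.1.200-192.168.1.250")
    staff = AddressGroup("STAFF", [Address("MGMT", "192.168.1.10"),
                                   Address("DEV", "192.168.1.20-192.168.1.40")])
    work_hours = RecurringSchedule("WORK", days={0, 1, 2, 3, 4}, start="08:00", end="18:00")
    always = OneTimeSchedule("ALWAYS", at("2007-01-01 00:00"), at("2030-01-01 00:00"))
    return [ContentFilterPolicy(staff, always, "STAFF_PROFILE"),
            ContentFilterPolicy(guests, work_hours, "GUEST_PROFILE"),
            ContentFilterPolicy(lan, always, "LAN_PROFILE")]
```

Policy order is the whole point of the table's index column: moving the LAN catch-all above the guest policy would silently give guests the LAN profile at all hours.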
CHAPTER 38 AAA Server This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 38.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
Chapter 38 AAA Server 5 Configure the ASAS as a RADIUS server in the ZyWALL’s Object > AAA Server screens. 6 Give the OTP tokens to (local or remote) users. 38.1.2 User Authentication Method You can select to authenticate users using the local user database and/or a specified authentication server.
Chapter 38 AAA Server Figure 387 Basic Directory Structure (a tree from the Root through Countries (c), Organizations (o) and Organization Units (ou) down to unique Common Names (cn); the example entries shown are Sales, Sprint and Japan) 38.2.2 Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas.
ZyWALL to bind (or log in) to the AD or LDAP server. Base DN Specify the directory (up to 63 alphanumerical characters). For example, o=ZyXEL, c=US CN Identifier Specify the unique common name that uniquely identifies a record in the AD or LDAP directory.
Chapter 38 AAA Server 1 Click Object > AAA Server > Active Directory (or LDAP) > Group to display the screen. Figure 389 Object > AAA Server > Active Directory (or LDAP) > Group The following table describes the labels in this screen. Table 177 Object >...
If required, enter the password (up to 15 alphanumerical characters) the ZyWALL uses to log into the AD or LDAP server(s). Base DN Specify the top-level entry of the directory under which the ZyWALL searches for users (the base DN). For example, o=ZyXEL, c=US binddn Specify the bind DN for logging into the AD or LDAP server(s). For example, cn=zywallAdmin...
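The Base DN, bind DN and CN Identifier fields above are all pieces of LDAP syntax, and the CN Identifier in particular ends up in a search filter together with whatever the user typed as a login name. The following Python program is an added worked example, not code from this guide or from the ZyWALL: it parses a DN into its attribute-value pairs (honouring the backslash escape for commas inside values), checks that an entry lies under a base DN, and builds the user search filter with RFC 4515 escaping so that a login name such as `*)(uid=*` cannot change the meaning of the filter. The DNs and login names are constructed, apart from the guide's own o=ZyXEL, c=US and cn=zywallAdmin.

```python
def parse_dn(dn: str) -> list:
    """'cn=a,ou=b,o=c' -> [('cn','a'), ('ou','b'), ('o','c')]; '\\,' inside a value is a literal comma."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):       # escaped character: take the next one literally
            buf += dn[i + 1]
            i += 2
            continue
        if c == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        out.append((attr.strip().lower(), val.strip()))
    return out


def _normalized(dn: str) -> list:
    return [(a, v.lower()) for a, v in parse_dn(dn)]


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn ends with base_dn, i.e. a search from base_dn can reach the entry."""
    e, b = _normalized(entry_dn), _normalized(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def escape_filter_value(value: str) -> str:
    """RFC 4515: the characters * ( ) \\ and NUL become backslash + two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_search_filter(cn_identifier: str, login: str) -> str:
    """The filter the server is asked to evaluate for a login attempt; login is untrusted input."""
    return "(%s=%s)" % (cn_identifier, escape_filter_value(login))


def build_user_dn(cn_identifier: str, login: str, base_dn: str) -> str:
    """DN of the user's entry directly under base_dn (RFC 4514 escaping of the value)."""
    parse_dn(base_dn)                                   # validates the base DN first
    escaped = login.replace("\\", "\\\\").replace(",", "\\,")
    return "%s=%s,%s" % (cn_identifier, escaped, base_dn)
```

The unescaped form of the hostile login would have produced `(cn=*)(uid=*)`, a filter that matches every entry; escaping turns it back into a literal string that matches nothing.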
Chapter 38 AAA Server Figure 391 RADIUS Server Network Example 38.5 Configuring a Default RADIUS Server To configure the default external RADIUS server to use for user authentication, click Object > AAA Server > RADIUS to display the screen as shown. Figure 392 Object >...
Chapter 38 AAA Server 38.6 Configuring a Group of RADIUS Servers You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network. 1 Click Object >...
Chapter 38 AAA Server The following table describes the labels in this screen. Table 181 Object > AAA Server > RADIUS > Group > Add LABEL DESCRIPTION Configuration All RADIUS servers in a group share the same settings in the fields below. Name Enter a descriptive name (up to 63 alphanumeric characters) for identification purposes.
CHAPTER 39 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 39.1 Authentication Objects Overview After you have created the AAA server objects in the AAA Server screens, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
Chapter 39 Authentication Objects 39.3 Creating an Authentication Object Follow the steps below to create an authentication object. 1 Click Object > Auth. Method. 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
Chapter 39 Authentication Objects The following table describes the labels in this screen. Table 183 Object > Auth. Method > Add LABEL DESCRIPTION Name Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number.
CHAPTER 40 Certificates This chapter gives background information about public-key certificates and explains how to use the Certificates screens. See the Objects section in the Configuration Overview chapter for related information on these screens. 40.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users.
Chapter 40 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
Chapter 40 Certificates Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default. 40.4 Certificate Configuration Screens Summary This section summarizes how to manage certificates on the ZyWALL. Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyWALL’s CA-signed certificates.
Chapter 40 Certificates Figure 399 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection that you already trust; do not take the expected thumbprint from the same connection that delivered the certificate.
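A worked version of the thumbprint check in step 4, and of the binary-versus-text caveat in the import section, added here as an example; it is not code from the ZyWALL User's Guide or from ZyXEL firmware. A thumbprint is a hash over the certificate's DER encoding, so a PEM (text) copy and a DER (binary) copy of the same certificate must give the same value, while a DER file that was corrupted into text gives no usable value at all. The code accepts either form, rejects a corrupted file, and compares the result with a thumbprint obtained out of band. SAMPLE_DER is a constructed placeholder, not a real X.509 certificate.

```python
import base64
import binascii
import hashlib
import re

# PEM armour around the base64 body of a certificate.
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate from either a PEM or a DER file.

    Converting a binary DER file to text during transfer is a common cause of
    import failures, so a file that is neither PEM nor DER is rejected instead
    of being hashed (a hash of corrupted bytes would never match the owner's
    thumbprint and only causes confusion).
    """
    match = _PEM_RE.search(data)
    if match:
        body = b"".join(match.group(1).split())  # drop line breaks/whitespace
        try:
            return base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
    # A DER certificate is an ASN.1 SEQUENCE, whose first tag byte is 0x30.
    if data[:1] == b"\x30":
        return data
    raise ValueError("file is neither PEM nor DER; was it converted to text?")


def thumbprint(data: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as shown in a certificate details screen: the digest of the
    DER encoding, upper-case hex, byte pairs separated by colons."""
    digest = hashlib.new(algorithm, certificate_der(data)).digest()
    return ":".join(f"{byte:02X}" for byte in digest)


def _normalise(value: str) -> str:
    return re.sub(r"[^0-9a-f]", "", value.lower())


def thumbprints_match(presented: str, expected: str) -> bool:
    """Compare a computed thumbprint with one read out over the telephone or
    copied from an already-trusted HTTPS page, ignoring case, colons and
    spaces. The expected value must come from the certificate owner over a
    channel the certificate itself does not protect."""
    return _normalise(presented) == _normalise(expected)


# Constructed sample: a minimal ASN.1 SEQUENCE, not a real X.509 certificate.
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("SHA-1  ", thumbprint(SAMPLE_DER))
    print("SHA-256", thumbprint(SAMPLE_DER, "sha256"))
    print("PEM and DER agree:", thumbprint(SAMPLE_PEM) == thumbprint(SAMPLE_DER))
```

The ZyWALL screens of this version show SHA-1 or MD5 thumbprints; the same function gives a SHA-256 thumbprint when the certificate owner can supply one, which is the safer value to compare.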
Chapter 40 Certificates The following table describes the labels in this screen. Table 184 Object > Certificate > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
Chapter 40 Certificates Figure 401 Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 185 Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Chapter 40 Certificates Table 185 Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Organization Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Chapter 40 Certificates Table 185 Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Request Authentication When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request.
Chapter 40 Certificates Figure 402 Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Chapter 40 Certificates Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Chapter 40 Certificates Table 186 Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Export This button displays for a certification request. Use this button to save a copy of the request without its private key. Click this button and then Save in the File Download screen.
Chapter 40 Certificates The following table describes the labels in this screen. Table 187 Object > Certificate > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
Chapter 40 Certificates Table 188 Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Chapter 40 Certificates Figure 405 Object > Certificate > Trusted Certificates > Edit The following table describes the labels in this screen. Table 189 Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name.
Chapter 40 Certificates Table 189 Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Refresh Click Refresh to display the certification path. Enable X.509v3 CRL Distribution Points and OCSP Select this check box to have the ZyWALL check incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server.
Chapter 40 Certificates Table 189 Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Chapter 40 Certificates Figure 406 Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 190 Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL.
Chapter 41 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/ PPTP interfaces. See the Objects section in the Configuration Overview chapter for related information on these screens. 41.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP.
Chapter 41 ISP Accounts Table 191 Object > ISP Account (continued) LABEL DESCRIPTION User Name This field displays the user name of the ISP account. Add icon This column provides icons to add, edit, and remove ISP accounts. To add information about a new ISP account, click the Add icon at the top of the column.
Chapter 41 ISP Accounts Table 192 Object > ISP Account > Edit (continued) LABEL DESCRIPTION Encryption Method This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are: nomppe - This ISP account does not use MPPE (the PPTP tunnel then carries traffic unencrypted).
Chapter 42 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 42.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
Chapter 42 SSL Application The following table describes the labels in this screen. Table 193 Object > SSL Application LABEL DESCRIPTION This field displays the index number. Name This field displays the name of the object. Address This field displays the IP address/URL of the application server or the location of a file share.
Chapter 42 SSL Application The following table describes the labels in this screen. Table 194 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Object Type Select Web Application from the drop-down list box. Application Name Enter a descriptive name to identify this object. You can enter up to 31 characters (“0- 9”, “a-z”, “A-Z”, “-”...
Chapter 42 SSL Application 7 Click Apply to save the settings. The configuration screen should look similar to the following figure. Figure 411 Example: SSL Application: Specifying a Web Site for Access 42.3.3 Configuring File Sharing You can specify the name of a folder on a file server (Linux or Windows) which remote users can access.
Chapter 42 SSL Application Table 195 Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Shared Path Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats.
Chapter 43 System This chapter provides information on the system screens. 43.1 System Overview The system screens can help you configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program. The screens also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL zones (if any) from which computers.
Chapter 43 System 43.3 Time and Date This section shows you how: 1 To manually set the ZyWALL date and time. 2 To get the ZyWALL date and time from a time server. For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date.
Chapter 43 System Table 197 System > Date and Time (continued) LABEL DESCRIPTION Manual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
Chapter 43 System Table 197 System > Date and Time (continued) LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November.
Chapter 43 System Figure 415 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen. Try reconfiguring the Date/Time screen.
Chapter 43 System Figure 416 System > Console Port Speed The following table describes the labels in this screen. Table 199 System > Console Port Speed LABEL DESCRIPTION Configuration Console Port Speed Use the drop-down list box to change the speed of the console port. Your ZyWALL supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port.
An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Chapter 43 System Table 200 System > DNS (continued) LABEL DESCRIPTION From This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually. DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active.
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com”...
DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
Chapter 43 System 43.5.9 MX Record An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, it controls where mail for that domain is sent. If the MX records for your domain (or for the other domain) are missing or wrong, e-mail from external mail servers cannot be delivered to your mail server, and vice versa.
Chapter 43 System The following table describes the labels in this screen. Table 204 System > DNS > Service Control Rule Edit LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL.
Chapter 44 System Remote Management This chapter shows you how to determine what services may access what zones on the ZyWALL. 44.1 Remote Management Overview The WWW, SSH, Telnet, FTP, SNMP, Dial-in Mgmt, and Vantage CNM screens allow you to determine which services/protocols can access which ZyWALL zones (if any) from which computers.
Chapter 44 System Remote Management To disable remote management of a service, deselect Enable in the corresponding service screen. 44.1.1 Remote Management Limitations Remote management will not work when: 1 You have disabled that service in the corresponding screen. 2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disconnects the session immediately).
Chapter 44 System Remote Management 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s web server. 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s web server.
Chapter 44 System Remote Management Figure 424 System > WWW The following table describes the labels in this screen. Table 205 System > WWW LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL web configurator using secure HTTPS connections.
Chapter 44 System Remote Management Table 205 System > WWW (continued) LABEL DESCRIPTION # This is the index number of the service control rule. Zone This is the zone on the ZyWALL the user is allowed or denied to access. Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Chapter 44 System Remote Management 44.4 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 425 System > Service Control Rule Edit The following table describes the labels in this screen.
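The rule evaluation that the Service Control table and the limitations list above describe, written out as an added example; this is not ZyXEL code and does not come from the User's Guide. Each rule names a zone, an address object and an action, the rules are checked in order, and the first match decides whether the management session is accepted or, as limitation 2 says, disconnected. Two points the page does not state are assumptions marked in the code: address objects are IPv4 hosts, ranges or subnets, and a request that matches no rule is denied. The zone names, address objects and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

# Address objects as configured under Object > Address: name -> (type, value).
# The host/range/subnet types are an assumption of this example.
AddressObjects = Dict[str, Tuple[str, str]]


@dataclass(frozen=True)
class ServiceControlRule:
    zone: str      # "ALL" or a zone name such as "LAN" or "WAN"
    address: str   # "ALL" or an address object name
    action: str    # "Accept" or "Deny"


def address_contains(objects: AddressObjects, name: str, ip: IPv4Address) -> bool:
    """Does address object `name` cover `ip`? "ALL" covers every address."""
    if name == "ALL":
        return True
    kind, value = objects[name]
    if kind == "host":
        return ip == IPv4Address(value)
    if kind == "subnet":
        return ip in IPv4Network(value, strict=False)
    if kind == "range":
        low, high = (IPv4Address(v) for v in value.split("-"))
        return low <= ip <= high
    raise ValueError(f"unknown address object type {kind!r}")


def check_access(service_enabled: bool, rules: List[ServiceControlRule],
                 objects: AddressObjects, zone: str, client_ip: str) -> Tuple[bool, str]:
    """Decide whether a management session from `client_ip`, arriving on an
    interface in `zone`, is accepted. Returns (allowed, reason)."""
    if not service_enabled:
        return False, "service disabled in its screen"
    ip = IPv4Address(client_ip)
    for index, rule in enumerate(rules, start=1):
        if rule.zone not in ("ALL", zone):
            continue
        if not address_contains(objects, rule.address, ip):
            continue
        return rule.action == "Accept", f"rule {index}: {rule.action}"
    # No rule matched. The page does not say what happens then; this example
    # assumes deny, the safe default for management access.
    return False, "no matching rule (assumed default deny)"


# Constructed sample configuration.
OBJECTS: AddressObjects = {
    "LAN_SUBNET": ("subnet", "192.168.1.0/24"),
    "ADMIN_PC": ("host", "192.168.1.50"),
    "REMOTE_ADMIN": ("range", "203.0.113.10-203.0.113.20"),
}
RULES = [
    ServiceControlRule("LAN", "ADMIN_PC", "Accept"),      # only the admin workstation
    ServiceControlRule("LAN", "LAN_SUBNET", "Deny"),      # everyone else on the LAN
    ServiceControlRule("WAN", "REMOTE_ADMIN", "Accept"),  # a small out-of-office range
    ServiceControlRule("ALL", "ALL", "Deny"),             # explicit catch-all
]

if __name__ == "__main__":
    for zone, ip in [("LAN", "192.168.1.50"), ("LAN", "192.168.1.77"),
                     ("WAN", "203.0.113.15"), ("WAN", "198.51.100.9")]:
        print(zone, ip, check_access(True, RULES, OBJECTS, zone, ip))
```

Order matters: putting the LAN_SUBNET deny above the ADMIN_PC accept would lock the administrator out, which is the kind of mistake the "side by side" check in the troubleshooting chapter is meant to catch before it reaches a remote device.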
Chapter 44 System Remote Management Figure 426 Security Alert Dialog Box (Internet Explorer) 44.5.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
Chapter 44 System Remote Management Figure 428 Security Certificate 2 (Netscape) 44.5.3 Avoiding Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. •...
Chapter 44 System Remote Management 44.5.5 Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Chapter 44 System Remote Management Figure 431 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this chapter. 44.5.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
Chapter 44 System Remote Management 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 433 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
Chapter 44 System Remote Management Figure 435 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 436 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
Chapter 44 System Remote Management 44.5.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter https://ZyWALL IP Address/ (for example https://192.168.1.1/) in your browser’s web address field. Figure 438 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL.
Chapter 44 System Remote Management 44.6 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
Chapter 44 System Remote Management The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys. Because the client saves a host key the first time it sees one and only warns if that key later changes, verify the ZyWALL’s host key fingerprint by a separate channel (for example on the console port) before accepting it, and treat a changed host key on a later connection as either a regenerated key or an interception attempt until you have checked.
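The host key check the paragraph above calls for, as an added example that is not part of the User's Guide, of OpenSSH or of PuTTY. Both client walk-throughs later in this section accept and cache a new host key on first connection; this code shows what to do at that moment: compute the key's fingerprint the way OpenSSH does (SHA256: followed by the unpadded base64 of a SHA-256 digest over the raw public-key blob, which is what `ssh-keygen -lf` prints), and compare it with a fingerprint written down from the ZyWALL's console or another trusted channel. The key blob and the known_hosts line are constructed for illustration and are not a real ZyWALL host key.

```python
import base64
import hashlib
from typing import Dict, Tuple


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256: followed by the unpadded base64 of
    the SHA-256 digest of the raw public-key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> Tuple[str, str, bytes]:
    """Split a known_hosts or ssh-keyscan line into (host, key type, key blob)."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    host, key_type, encoded = parts[0], parts[1], parts[2]
    return host, key_type, base64.b64decode(encoded)


def host_key_status(host: str, key_blob: bytes, trusted: Dict[str, str]) -> str:
    """Compare a presented host key with the fingerprint recorded for `host`.

    'ok'       - matches the fingerprint obtained out of band
    'unknown'  - no record: do not just accept it, verify the fingerprint first
    'mismatch' - the key changed: either an administrator regenerated it or the
                 connection is being intercepted; stop and check before logging in
    """
    presented = fingerprint_sha256(key_blob)
    recorded = trusted.get(host)
    if recorded is None:
        return "unknown"
    return "ok" if presented == recorded else "mismatch"


def _ssh_string(value: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the data."""
    return len(value).to_bytes(4, "big") + value


# Constructed sample: a key blob in the ssh-ed25519 wire layout with a dummy
# 32-byte key (not a real ZyWALL host key) and a known_hosts line carrying it.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "192.168.1.1 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    host, key_type, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(host, key_type, fingerprint_sha256(blob))
```

In practice the line to parse comes from `ssh-keyscan -t ed25519 192.168.1.1` or from the client's known_hosts file, and the trusted fingerprint is the one you recorded from the device itself; the comparison, not the cache, is what protects the session.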
Chapter 44 System Remote Management The following table describes the labels in this screen. Table 207 System > SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
Chapter 44 System Remote Management Figure 444 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The CLI screen displays next. 44.7.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
Chapter 44 System Remote Management 3 The CLI screen displays next. 44.8 Telnet You can use Telnet to access the ZyWALL’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. Telnet sends the login name, password and every command in clear text; prefer SSH, and if you must enable Telnet, restrict it to trusted zones and addresses. 44.8.1 Configuring Telnet Click System >...
Chapter 44 System Remote Management Table 208 System > Telnet (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 44.9 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. FTP carries the login name, password and file contents in clear text, so limit FTP access to trusted zones and addresses in the Service Control table, or use the File Manager screens over HTTPS for file transfers instead.
Chapter 44 System Remote Management Table 209 System > FTP (continued) LABEL DESCRIPTION Action This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Add icon Click the Add icon in the heading row to open a screen where you can add a new rule.
44.10.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
Chapter 44 System Remote Management Figure 450 System > SNMP The following table describes the labels in this screen. Table 211 System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service.
Chapter 44 System Remote Management Table 211 System > SNMP (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 44.11 Dial-in Management Connect an external serial modem to the DIAL BACKUP port to provide a remote management connection in case the ZyWALL’s other WAN connections are down.
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this). Transfer Protocol Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections.
Chapter 44 System Remote Management Table 213 System > Vantage CNM (continued) LABEL DESCRIPTION HTTPS Authentication When you are using HTTPs, select this option to have the ZyWALL authenticate the Vantage CNM server’s certificate. In order to do this you need to import the Vantage CNM server’s public key (certificate) into the ZyWALL’s trusted certificates.
Chapter 45 File Manager This chapter covers how to use the ZyWALL’s File Manager screens to handle the ZyWALL’s configuration, firmware and shell script files. 45.1 Configuration Files and Shell Scripts Overview The File Manager screens allow you to store multiple configuration files and shell script files. When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include.
Chapter 45 File Manager While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below. Table 215 Configuration Files and Shell Scripts in the ZyWALL Configuration Files (.conf) Shell Scripts (.zysh) •...
Chapter 45 File Manager Lines 1 and 2 are comments. Line 5 exits sub command mode.

    ! this is from Joe
    # on 2006/06/05
    interface ge1
    ip address dhcp

45.1.2 Errors in Configuration Files or Shell Scripts When you apply a configuration file or run a shell script, the ZyWALL processes the file line-by-line.
Chapter 45 File Manager You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The ZyWALL then ignores any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors.
Chapter 45 File Manager The following table describes the labels in this screen. Table 216 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Download Click a configuration file’s row to select it and click Download to save the configuration to your computer.
See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
Chapter 45 File Manager The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti- virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it. You can upload the firmware package to the ZyWALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package.
Chapter 45 File Manager Figure 459 Firmware Upload In Process The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 460 Network Temporarily Disconnected After five minutes, log in again and check your new firmware version in the HOME screen.
Chapter 45 File Manager Figure 462 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 218 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Download Click a shell script file’s row to select it and click Download to save the shell script to your computer.
Chapter 45 File Manager Table 218 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ZyWALL. You cannot rename a shell script to the name of another shell script in the ZyWALL. Click a shell script’s row to select it and click Rename to open the Rename File screen.
Chapter 46 Logs This chapter provides general information about the ZyWALL’s log feature. See Appendix B on page 655 for individual log descriptions. The following table displays the maximum number of system log messages in the ZyWALL. Table 219 Specifications: Logs LABEL DESCRIPTION...
Chapter 46 Logs Figure 465 Maintenance > Log > View Log If an event generates log messages and alerts, it is displayed in red. Otherwise, it is displayed in black. The following table describes the labels in this screen. Table 220 Maintenance > Log > View Log LABEL DESCRIPTION Show Filter /...
Chapter 46 Logs Table 220 Maintenance > Log > View Log (continued) LABEL DESCRIPTION Keyword Type a keyword to look for in the Message, Source, Destination and Note fields. If a match is found in any field, the log message is displayed. You can use up to 63 alphanumeric characters and the underscore, as well as punctuation marks ()’...
This field displays the name of the log (system log or one of the remote servers). Log Format This field displays the format of the log. Formats are Internal and ZyXEL VRPT. Internal - system log; you can view the log on the View Log tab.
Chapter 46 Logs Table 221 Maintenance > Log > Log Setting (continued) LABEL DESCRIPTION Modify This column provides icons to activate or deactivate logs and to modify the settings. To activate or deactivate a log, click the Active icon. Make sure you click Apply to save and apply the change.
Chapter 46 Logs The following table describes the labels in this screen. Table 222 Maintenance > Log > Log Setting > E-mail > Edit LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section.
Chapter 46 Logs Table 222 Maintenance > Log > Log Setting > E-mail > Edit (continued) LABEL DESCRIPTION Consolidation Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
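The consolidation rule in the row above, worked through on a handful of log lines. This is an added example, not ZyXEL code: messages that repeat within the Log Consolidation Interval are collapsed into one entry whose Message field ends with "[count=x]", exactly the text the View Log tab shows. Two details are assumptions of the example, since the page does not state them: the interval is measured from the first message of a group, and a message counts as a repeat only when category, message, source and destination all match. The log lines and their pipe-separated layout are constructed, not real ZyWALL output.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LogEntry:
    time: datetime
    category: str
    message: str
    source: str
    destination: str


def parse_log_line(line: str) -> LogEntry:
    """Parse one constructed 'time | category | message | source | destination' line."""
    fields = [part.strip() for part in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    time_s, category, message, source, destination = fields
    return LogEntry(datetime.strptime(time_s, "%Y-%m-%d %H:%M:%S"),
                    category, message, source, destination)


def consolidate(entries: List[LogEntry], interval: timedelta) -> List[LogEntry]:
    """Merge repeats of the same category/message/source/destination that fall
    within `interval` of the first message of the group. A group that absorbed
    more than one message gets " [count=x]" appended to its Message field."""
    kept: List[LogEntry] = []
    counts: List[int] = []
    open_group: Dict[Tuple[str, str, str, str], int] = {}  # key -> index in kept
    for entry in sorted(entries, key=lambda e: e.time):
        key = (entry.category, entry.message, entry.source, entry.destination)
        index = open_group.get(key)
        if index is not None and entry.time - kept[index].time <= interval:
            counts[index] += 1          # repeat inside the window: absorb it
            continue
        kept.append(entry)              # first of a new group (or window expired)
        counts.append(1)
        open_group[key] = len(kept) - 1
    return [replace(e, message=f"{e.message} [count={c}]") if c > 1 else e
            for e, c in zip(kept, counts)]


def consolidate_text(text: str, interval_seconds: int) -> List[LogEntry]:
    entries = [parse_log_line(line) for line in text.splitlines() if line.strip()]
    return consolidate(entries, timedelta(seconds=interval_seconds))


# Constructed sample log: a scanner hitting Telnet on the WAN address, with an
# administrator login in between.
SAMPLE_LOG = """\
2007-07-05 10:00:00 | firewall | Match default rule, DROP | 203.0.113.5:4444 | 192.168.1.1:23
2007-07-05 10:00:20 | firewall | Match default rule, DROP | 203.0.113.5:4444 | 192.168.1.1:23
2007-07-05 10:00:30 | user | Administrator admin from 192.168.1.50 has logged in | 192.168.1.50 | 192.168.1.1
2007-07-05 10:00:50 | firewall | Match default rule, DROP | 203.0.113.5:4444 | 192.168.1.1:23
2007-07-05 10:03:00 | firewall | Match default rule, DROP | 203.0.113.5:4444 | 192.168.1.1:23
"""

if __name__ == "__main__":
    for entry in consolidate_text(SAMPLE_LOG, 60):
        print(entry.time, entry.category, entry.message)
```

With a 60-second interval the three drops at 10:00:00, 10:00:20 and 10:00:50 become one line with "[count=3]", the login is left alone, and the drop at 10:03:00 starts a fresh group. Consolidation saves log space and e-mail volume, but the count is the only trace of the repeats, so keep the interval short enough that a burst is still recognisable as one.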
This field displays the format of the log information. It is read-only. Internal - system log; you can view the log on the View Log tab. ZyXEL VRPT - syslog-compatible format. Server Address Type the server name or the IP address of the syslog server to which to send log information.
Chapter 46 Logs Figure 469 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 46.3.1 on page 623, where this process is discussed.
Chapter 46 Logs Table 224 Maintenance > Log > Log Setting > Active Log Summary (continued) LABEL DESCRIPTION Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - log regular information and alerts from this category enable all logs (yellow checkmark) - log regular information, alerts, and debugging...
Chapter 47 Reports This chapter provides information about the report screens. 47.1 Traffic Screen Click Maintenance > Report > Traffic to display the Traffic screen. The Traffic screen provides basic information about the following metrics: • Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the ZyWALL counts HTTP GET packets.
Chapter 47 Reports Figure 470 Maintenance > Report > Traffic There is a limit on the number of records shown in the report. Please see Table 226 on page for more information. The following table describes the labels in this screen. Table 225 Maintenance >...
Chapter 47 Reports Table 225 Maintenance > Report > Traffic (continued) LABEL DESCRIPTION Traffic Type Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
Chapter 47 Reports Table 225 Maintenance > Report > Traffic (continued) LABEL DESCRIPTION Web Site This field displays the domain names most often visited. The ZyWALL counts each page viewed on a Web site as another hit. The maximum number of domain names in this report is indicated in Table 226 on page 634.
Chapter 47 Reports Figure 471 Maintenance > Report > Session The following table describes the labels in this screen. Table 227 Maintenance > Report > Session LABEL DESCRIPTION View Select how you want the information to be displayed. Choices are: sessions by users - display all active sessions by user sessions by services - display all active sessions by service or protocol all sessions - filter the active sessions by the User, Service, Source Address,...
Chapter 47 Reports Table 227 Maintenance > Report > Session (continued) LABEL DESCRIPTION Protocol/Service This field displays the protocol used in each active session. If you are looking at the sessions by services report, click the blue plus sign (+) next to each protocol to look at detailed session information by user.
Chapter 47 Reports Table 228 Maintenance > Report > Anti-Virus (continued) LABEL DESCRIPTION Infected Files Detected This field displays the number of files in which the ZyWALL has detected a virus. Top Entry By Use this field to have the following (read-only) table display the top anti-virus entries by Virus Name, Source or Destination.
Chapter 47 Reports Figure 475 Maintenance > Report > IDP: Signature Name The following table describes the labels in this screen. Table 229 Maintenance > Report > IDP LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect IDP statistics. The collection starting time displays after you click Apply.
Chapter 47 Reports Table 229 Maintenance > Report > IDP (continued) LABEL DESCRIPTION Type This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Table 132 on page 423 for more information. Severity This column displays when you display the entries by Signature Name.
Chapter 48 Diagnostics This chapter covers how to use the Diagnostics screen. 48.1 Diagnostics The Diagnostics screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
Chapter 49 Reboot Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.4 on page 53 for information on different ways to start and stop the ZyWALL. If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. It may help to display the settings for both routers side-by-side.
If you change the IP address of your LAN interface, make sure you also change the LAN_SUBNET address object. 50.1 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. 50.2 Resetting the ZyWALL If you forget the administrator password(s) or cannot access the ZyWALL by any method, you can reset the ZyWALL to its factory-default settings.
Part VIII: Appendices and Index
Product Specifications (649)
Common Services (695)
Displaying Anti-Virus Alert Messages in Windows (699)
Open Software Announcements (711)
Legal Information (747)
Customer Support (751)
Index (757)
APPENDIX A Product Specifications
The following specifications are subject to change without notice. See Chapter 2 on page 55 for a general overview of key features. This table provides basic device specifications.
Table 231 Default Login Information
ATTRIBUTE: SPECIFICATION
Default IP Address (ge1): 192.168.1.1...
Appendix A Product Specifications
This table gives details about the ZyWALL’s features.
Table 233 Feature Specifications (FEATURE: V1.00 / V2.00)
# of MAC
Flash Size
DRAM Size
INTERFACE
VLAN
Virtual (alias): 4 per interface / 4 per interface
Bridge
ROUTING
Static Routes
Policy Routes: 5,000...
Table 233 Feature Specifications (continued) (FEATURE: V1.00 / V2.00)
Service Groups: 1000 / 1000
Schedule Objects
ISP Accounts
Maximum Number of LDAP Groups
Maximum Number of LDAP Servers for Each LDAP Group
Maximum Number of RADIUS Groups
Maximum Number of RADIUS Servers for Each RADIUS Group
Maximum Number of Authentication Methods...
Table 233 Feature Specifications (continued) (FEATURE: V1.00 / V2.00)
Maximum Number of Trusted Domain Entries: 256 per profile / 256 per profile
Maximum Number of Keywords that Can Be Blocked: 256 per profile / 256 per profile
Local Cache Size: 8192 / 8192...
Table 234 Standards Referenced by Features (continued)
FEATURE: STANDARDS REFERENCED
Built-in service, NTP client: RFCs 958, 1059, 1119, 1305
Used by SSH service: RFCs 4250, 4251, 4252, 4253, 4254
Used by Time service: RFC 3339
Used by Telnet service: RFCs 318, 854, 1413
Used by SIP ALG: RFCs 3261, 3264...
APPENDIX B Log Descriptions
This appendix provides descriptions of example log messages.
Table 235 Content Filter Logs
Log message: Content filter has been enabled
Description: An administrator turned the content filter on.
Log message: Content filter has been disabled
Description: An administrator turned the content filter off.
Table 236 Forward Web Site Logs...
Appendix B Log Descriptions
Table 237 Blocked Web Site Logs (continued)
Log message: %s: Service is unavailable
Description: Content filter rating service is temporarily unavailable and access to the web site was blocked due to: 1. Can't resolve rating server IP (No DNS) 2.
Table 238 User Logs
Log message: %s %s has logged in from %s
Description: The specified user signed in. 1st %s: Administrator|Limited-Admin|User|Ext-User|Guest. 2nd %s: username. 3rd %s: service name (HTTP/HTTPS, FTP, telnet, SSH, console). NOTE field: %s means username.
Description: The specified user signed out.
Table 239 myZyXEL.com Logs
Log message: Send registration message to MyZyXEL.com server has failed.
Description: The device was not able to send a registration message to MyZyXEL.com.
Log message: Get server response ...
Description: The device sent packets to the MyZyXEL.com server, but did not receive a response.
Table 239 myZyXEL.com Logs (continued)
Log message: Service expiration check has succeeded.
Description: The service expiration day check was successful.
Log message: Service expiration check has failed.
Description: The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
Table 239 myZyXEL.com Logs (continued)
Log message: Update server is busy now.
Description: The update server was busy so the device will wait for the specified number of seconds and send the download request to the update ...
Table 239 myZyXEL.com Logs (continued)
Log message: Do expiration daily-check has failed. Because of lack must fields.
Description: The device received an incomplete response to the daily service expiration check and the packets caused a parsing error for the device.
Table 239 myZyXEL.com Logs (continued)
Log message: Certification verification failed: Depth: %d, Error Number(%d):%s.
Description: Verification of a server’s certificate failed while processing an HTTPS connection. This log identifies the reason for the failure. 1st %d: certificate chain level.
Table 240 IDP Logs (continued)
Log message: IDP service standard license is expired. Update signature failed.
Description: IDP service standard license is expired. IDP signature cannot update.
Log message: IDP service standard ...
Description: IDP service standard license is not registered. IDP signature cannot update.
Table 241 Application Patrol Logs (continued)
Log message: System fatal error: 60018009.
Description: Error when doing ioctl L7_ACTION_IOCTL_ADDR_USAGE.
Log message: System fatal error: 60018010.
Description: Error when doing ioctl L7_ACTION_IOCTL_PROTO_ADDR_NUMS.
Log message: System fatal error: 60018011.
Description: Failed to use lib user_profile to retrieve the current login user.
Table 242 IKE Logs (continued)
Log message: [SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch
Description: %s is the tunnel name. When negotiating Phase-1, the authentication algorithm did not match.
Log message: [SA] : Tunnel [%s] ...
Description: %s is the tunnel name. When negotiating Phase-1, the authentication method did not match.
Table 242 IKE Logs (continued)
Log message: Cannot resolve My IP Addr %s for Tunnel [%s]
Description: 1st %s is my ip address. 2nd %s is the tunnel name. When selecting a matched proposal in phase-1, the engine could not get My-IP address.
Description: 1st %s is my ip address.
Table 242 IKE Logs (continued)
Log message: The cookie pair is : 0x%08x%08x / 0x%08x%08x
Description: Indicates the initiator/responder cookie pair.
Log message: The IPSec tunnel "%s" ...
Description: %s is the tunnel name. When dialing a tunnel, the tunnel is already dialed.
Table 242 IKE Logs (continued)
Log message: Tunnel [%s:%s] Sending IKE request
Description: The variables represent the phase 1 name and tunnel name. The device sent an IKE request.
Log message: Tunnel [%s:0x%x] is ...
Description: The variables represent the tunnel name and the SPI of a tunnel that was disconnected.
Table 244 Firewall Logs
Log message: priority:%lu, from %s to %s, service %s, %s
Description: 1st variable is the global index of rule, 2nd is the from zone, 3rd is the to zone, 4th is the service name, 5th is ACCEPT/DROP/REJECT.
Table 246 Policy Route Logs (continued)
Log message: Cannot get handle from UAM, user-aware PR is disabled
Description: User-aware policy routing is disabled due to some reason.
Log message: mblock: allocate memory failed!
Description: Allocating policy routing rule fails: insufficient memory.
Description: Allocating policy routing rule fails: insufficient memory.
Table 247 Built-in Services Logs
Log message: User on %u.%u.%u.%u has been denied access from %s
Description: HTTP/HTTPS/TELNET/SSH/FTP/SNMP access to the device was denied. %u.%u.%u.%u is IP address. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
Log message: HTTPS certificate:%s does not exist.
Description: An administrator assigned a nonexistent certificate to HTTPS.
Table 247 Built-in Services Logs (continued)
Log message: Console baud has been changed to %s.
Description: An administrator changed the console port baud rate. %s is baud rate assigned by user.
Log message: Console baud has been ...
Description: An administrator changed the console port baud rate back to the default (115200).
Table 247 Built-in Services Logs (continued)
Log message: The default record of Zone Forwarder have reached the maximum number of 128 DNS servers.
Description: The default record has more than 128 DNS servers.
Log message: Interface %s ping check is successful.
Description: Ping check ok, add DNS servers in bind.
Table 247 Built-in Services Logs (continued)
Log message: Access control rule %d of %s was moved to %d.
Description: An access control rule was moved successfully. 1st %d is the previous index. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. 2nd %d is the current index.
Table 248 System Logs (continued)
Log message: Receive an ARP response from an unknown client
Description: The device received an ARP response from an unknown client.
Log message: In total, received %d ...
Description: The device received the specified total number of ARP response packets for the requested IP address.
Table 248 System Logs (continued)
Log message: Update the profile %s has failed because the FQDN %s is not under your control.
Description: The owner of this FQDN is not the user. 1st %s is the profile name, 2nd %s is the FQDN of the profile.
Table 248 System Logs (continued)
Log message: Update the profile %s has failed because Custom IP was empty.
Description: The DDNS profile's IP select type is custom, and a custom IP was not defined. %s is the profile name.
Log message: Update the profile %s ...
Description: If the DDNS profile's IP select type is iface, it needs a WAN iface. %s is the profile name.
Table 248 System Logs (continued)
Log message: DDNS has been enabled by Device-HA.
Description: DDNS is enabled by Device-HA, because one of the VRRP groups is active.
Log message: Disable DDNS has succeeded.
Description: Disable DDNS.
Log message: Enable DDNS has succeeded.
Description: Enable DDNS.
Table 249 Connectivity Check Logs (continued)
Log message: Can't get remote address of %s
Description: The connectivity check process can't get remote address of PPP interface. %s: interface name.
Log message: Can't get NETMASK address of %s
Description: The connectivity check process can't get netmask address of interface. %s: interface name...
Table 250 Device HA Logs (continued)
Log message: Master configuration is the same with ...
Description: The System Startup configuration file synchronized from the Master is the same as the one in the Backup, so the configuration does not have to be updated.
Table 250 Device HA Logs (continued)
Log message: Device HA authentication type ...
Description: A VRRP group’s Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group.
Table 251 Routing Protocol Logs
Log message: RIP on interface %s has been stopped because Device-HA binds this interface.
Description: Device-HA is currently running on the interface %s, so all the local services have to be stopped, including RIP. %s: Interface Name.
Table 251 Routing Protocol Logs (continued)
Log message: RIP md5 authentication id and key have been deleted.
Description: RIP md5 authentication id and key have been deleted.
Log message: RIP global version has been deleted.
Description: RIP global version has been deleted.
Table 251 Routing Protocol Logs (continued)
Log message: Invalid OSPF virtual-link %s authentication of area %s.
Description: Virtual-link %s authentication has been set to same-as-area but the area has invalid authentication configuration. %s: Virtual-Link ID.
Description: Invalid OSPF md5 authentication is set on interface %s.
Table 252 NAT Logs (continued)
Log message: Register H.323 ALG extra port=%d failed.
Description: H323 ALG apply additional signal port failed. %d: Port number.
Log message: Register H.323 ALG signal port=%d failed.
Description: H323 ALG apply signal port failed. %d: Port number.
Description: FTP ALG apply additional signal port failed.
Table 253 PKI Logs (continued)
Log message: Import X509 certificate "%s" into My Certificate successfully
Description: The device imported an x509 format certificate into My Certificates. %s is the certificate request name.
Log message: Import X509 ...
Description: The device imported an x509 format certificate into Trusted Certificates. %s is the certificate request name.
Table 253 PKI Logs (continued)
Log message: Export X509 certificate "%s" from "My Certificate" failed
Description: The device was not able to export an x509 format certificate from My Certificates. %s is the certificate request name.
Log message: Import PKCS#12 ...
Description: An administrator used the wrong password when trying to import a PKCS#12 format certificate.
CODE: DESCRIPTION
Path was not verified.
Maximum path length reached.
Table 254 Interface Logs
Log message: Interface %s has been deleted.
Description: An administrator deleted an interface. %s is the interface name.
Log message: AUX Interface dialing ...
Description: A user tried to dial the AUX interface, but the AUX interface is not enabled.
Table 254 Interface Logs (continued)
Log message: %s MTU > (%s MTU - 8), %s may not work correctly.
Description: An administrator configured a PPP interface with PPP interface MTU > (base interface MTU - 8). The PPP interface may not run correctly because PPP packets will be fragmented by the base interface and the peer will not ...
Table 254 Interface Logs (continued)
Log message: Interface %s is disconnected.
Description: A PPP or AUX interface disconnected successfully. %s: interface name.
Log message: Interface %s connect failed: Peer not responding.
Description: The interface’s connection will be terminated because the server did not send any LCP packets. %s: interface name.
Table 257 Force Authentication Logs
Log message: Force User Authentication will be enabled due to http server is enabled.
Description: Force user authentication will be turned on because the HTTP server was turned on.
Log message: Force User ...
Description: Force user authentication will be turned off because the HTTP server was turned off.
Table 259 Commonly Used Services (NAME, PROTOCOL, PORT(S): DESCRIPTION)
7648, 24032: A popular videoconferencing solution from White Pines Software.
TCP/UDP: Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers.
(IPSEC_TUNNEL), User-Defined: The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER...
Appendix C Common Services
Table 259 Commonly Used Services (continued)
NAME, PROTOCOL, PORT(S): DESCRIPTION
File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323, 1720: NetMeeting uses this protocol.
HTTP: Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
Table 259 Commonly Used Services (continued)
NAME, PROTOCOL, PORT(S): DESCRIPTION
RTSP, TCP/UDP: The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP: Simple File Transfer Protocol.
SMTP: Simple Mail Transfer Protocol is the message-exchange standard for the Internet.
APPENDIX D Displaying Anti-Virus Alert Messages in Windows
With the anti-virus packet scan, when a virus is detected, you can have the ZyWALL display an alert message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages.
Appendix D Displaying Anti-Virus Alert Messages in Windows
Figure 481 Windows XP: Starting the Messenger Service
3 Close the window when you are done.
Windows 2000
1 Click Start > Settings > Control Panel > Administrative Tools > Services.
Figure 482 Windows 2000: Opening the Services Window
2 Select the Messenger service and click Start Service.
Figure 483 Windows 2000: Starting the Messenger Service
3 Close the window when you are done.
Windows 98 SE/Me
For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages.
Figure 486 Windows 98 SE: Task Bar Properties
3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.
Figure 487 Windows 98 SE: StartUp
5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.
Figure 488 Windows 98 SE: Startup: Create Shortcut
6 Specify a name for the shortcut or accept the default and click Finish.
Figure 489 Windows 98 SE: Startup: Select a Title for the Program
7 A shortcut is created in the StartUp pane.
Figure 490 Windows 98 SE: Startup: Shortcut
The WinPopup window displays after the computer finishes the startup process (see Figure 484 on page 701).
APPENDIX E Importing Certificates
This appendix shows examples of importing certificates using Netscape Navigator and Internet Explorer 5. This appendix uses the ZyWALL 70 as an example. Other models should be similar.
Import ZyWALL Certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
Appendix E Importing Certificates
Figure 492 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.
Figure 493 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.
Figure 494 Certificate Import Wizard 1
4 Select where you would like to store the certificate and then click Next.
Figure 495 Certificate Import Wizard 2
5 Click Finish to complete the Import Certificate wizard.
Figure 498 Certificate General Information after Import
No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation.
This Product includes ppp-2.4.2 software under the PPP License
PPP License
Copyright (c) 1993 The Australian National University.
Appendix F Open Software Announcements
This Product includes Netkit Telnet -0.17 software under the Netkit Telnet License
Netkit Telnet License
Copyright (c) 1989 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
This Product includes expat-1.95.6 software under the Expat License
Expat License
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the...
This Product includes openssl-0.9.8d-ocf software under the OpenSSL License
OpenSSL
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts.
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.
This Product includes libevent-1.1a and xinetd-2.3.14 software under a 3-clause BSD License
A 3-clause BSD-style license
This is a Free Software License
• This license is compatible with The GNU General Public License, Version 1
•...
The ISC license for bind is: Copyright (c) 1993-1999 by Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor"...
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
This Product includes bridge-utils, dhcpcd-1.3.22-pl4, rp-pppoe-3.5, vlan-1.8, keepalived-1.1.11-p1, quagga-0.99.2, ez-ipupdate-3.0.11b7, proftpd-1.2.10, libol-0.3.14, syslog-ng-1.6.5, pam-0.76, bison, tzcode2006c, iproute2, iptables-1.2.11/netfilter(kernel), dhcp-helper, busybox, Linux kernel, and pptp-linux-1.4.0 software under GPL license.
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12.
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This Product includes libxml2-2.6.8 software under the MIT License
The MIT License
Copyright (c) <year>...
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
2.1 GUBUSOFT hereby grants Customer the following non-exclusive, non-transferable right to use the SOFTWARE.
2.1.3 LIMITATIONS
Customer may not rent, lease, or transfer the rights to the SOFTWARE to someone else. Customer may redistribute and use SOFTWARE in source code form provided (a) Customer Applications of SOFTWARE add primary and substantial functionality, and are not merely a set or subset of any of the functionality of the SOFTWARE, or a set or subset of any of the code or other files of the SOFTWARE;...
Defensive Suspension. If Customer commences or participates in any legal proceeding against GUBUSOFT, then GUBUSOFT may, in its sole discretion, suspend or terminate all license grants and any other rights provided under this LICENSE during the pendency of such legal proceedings.
This Product includes overLIB software under the overLIB License (Artistic)
License (Artistic)
Preamble
The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.
make other distribution arrangements with the Copyright Holder. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.
BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 1.
ii. Mechanical Rights and Statutory Royalties. Licensor waives the exclusive right to collect, whether individually or via a music rights agency or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version") and distribute, subject to the compulsory license created by 17 USC Section 115 of the US Copyright Act (or the equivalent in other jurisdictions).
5. Representations, Warranties and Disclaimer
UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER...
You have the right to make one backup copy of the Software and Documentation solely for archival, back-up or disaster recovery purposes. You shall not exceed the scope of the license granted hereunder. Any rights not expressly granted by ZyXEL to you are reserved by ZyXEL, and all implied licenses are disclaimed.
License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement.
DAYS FROM THE DATE OF PURCHASE OF THE SOFTWARE, AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD.
7. Limitation of Liability
IN NO EVENT WILL ZyXEL BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, INDIRECT, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES FOR...
This License Agreement is effective until it is terminated. You may terminate this License Agreement at any time by destroying or returning to ZyXEL all copies of the Software and Documentation in your possession or under your control. ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
(at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Appendix G Legal Information
• Sales E-mail: sales@zyxel.co.cr
• Telephone: +506-2017878
• Fax: +506-2015098
• Web: www.zyxel.co.cr
• FTP: ftp.zyxel.co.cr
• Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica

Czech Republic
• E-mail: info@cz.zyxel.com
• Telephone: +420-241-091-350
•...
• E-mail: info@zyxel.fr
• Telephone: +33-4-72-52-97-97
• Fax: +33-4-72-52-19-20
• Web: www.zyxel.fr
• Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

Germany
• Support E-mail: support@zyxel.de
• Sales E-mail: sales@zyxel.de
• Telephone: +49-2405-6909-69
•...
Appendix H Customer Support

• Telephone: +91-11-30888144 to +91-11-30888153
• Fax: +91-11-30888149, +91-11-26810715
• Web: http://www.zyxel.in
• Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India

Japan
• Support E-mail: support@zyxel.co.jp
•...
• Support E-mail: support@zyxel.com.sg
• Sales E-mail: sales@zyxel.com.sg
• Telephone: +65-6899-6678
• Fax: +65-6899-8887
• Web: http://www.zyxel.com.sg
• Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930

Spain
• Support E-mail: support@zyxel.es
• Sales E-mail: sales@zyxel.es
•...
Index