ZyXEL Communications ZyWALL 5 User Manual

Internet security appliance

ZyWALL 5
Internet Security Appliance
User's Guide
Version 3.62
June 2004


Summary of Contents for ZyXEL Communications ZyWALL 5

  • Page 1 ZyWALL 5 Internet Security Appliance User’s Guide Version 3.62 June 2004...
  • Page 2: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 ZyWALL 5 Internet Security Appliance Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Information For Canadian Users

    ZyWALL 5 Internet Security Appliance Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
  • Page 5: Online Registration

    ZyWALL 5 Internet Security Appliance ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the...
  • Page 6: Customer Support

    ZyWALL 5 Internet Security Appliance Customer Support Please have the following information ready when you contact your customer support representative: • Product model and serial number. • Warranty Information.
  • Page 7: Table Of Contents

    List of Tables ............................xxi Preface ..............................xxv Getting Started............................I Chapter 1 Getting to Know Your ZyWALL ................1-1 ZyWALL 5 Internet Security Appliance Overview ............1-1 ZyWALL Features ......................1-1 Applications for the ZyWALL ....................1-6 Chapter 2 Introducing the Web Configurator................2-1 Web Configurator Overview ....................2-1 Accessing the ZyWALL Web Configurator................2-1...
  • Page 8 ZyWALL 5 Internet Security Appliance 6.10 Configuring 802.1X ....................... 6-8 6.11 Authentication Server..................... 6-9 6.12 Configuring Local User Database .................. 6-9 6.13 Configuring RADIUS ....................6-11 WAN and DMZ ........................... III Chapter 7 WAN Screens........................ 7-1 WAN Overview........................7-1 TCP/IP Priority (Metric)..................... 7-1 Configuring Route ......................
  • Page 9 ZyWALL 5 Internet Security Appliance 11.7 Customizing Keyword Blocking URL Checking ............11-13 VPN/IPSec ............................. V Chapter 12 Introduction to IPSec ....................12-1 12.1 VPN Overview......................12-1 12.2 IPSec Architecture ......................12-2 12.3 Encapsulation........................12-3 12.4 IPSec and NAT ......................12-4 Chapter 13 VPN Screens......................13-1 13.1 VPN/IPSec Overview ....................13-1...
  • Page 10 ZyWALL 5 Internet Security Appliance 15.5 Configuring Address Mapping..................15-8 15.6 Configuring Trigger Port.................... 15-10 Chapter 16 Static Route ......................16-1 16.1 Static Route Overview ....................16-1 16.2 Configuring IP Static Route ..................16-1 Bandwidth Management, Remote Management and UPnP ............VIII Chapter 17 Bandwidth Management ..................
  • Page 11 ZyWALL 5 Internet Security Appliance 21.4 Pre-defined NTP Time Servers List................21-4 21.5 Configuring Time and Date ..................21-5 21.6 Configuring Device Mode ....................21-8 21.7 F/W Upload Screen.....................21-10 21.8 Configuration Screen ....................21-13 21.9 Restart Screen ......................21-15 SMT General Configuration.......................XI Chapter 22 Introducing the SMT....................22-1 22.1...
  • Page 12 ZyWALL 5 Internet Security Appliance 29.1 IP Static Route Setup ....................29-1 Chapter 30 Network Address Translation (NAT)..............30-1 30.1 Using NAT ........................30-1 30.2 NAT Setup ........................30-2 30.3 Configuring a Server behind NAT ................30-6 30.4 General NAT Examples ....................30-7 30.5...
  • Page 13 ZyWALL 5 Internet Security Appliance Appendix A Troubleshooting......................A-1 Appendix B Hardware Specifications ..................B-1 General Appendices..........................XVI Appendix C Setting up Your Computer’s IP Address ...............C-1 Appendix D Triangle Route ......................D-1 Appendix E Wireless LAN and IEEE 802.11 ................E-1 Appendix F Wireless LAN With IEEE 802.1x ................F-1 Appendix G Types of EAP Authentication..................G-1...
  • Page 14: List Of Figures

    ZyWALL 5 Internet Security Appliance List of Figures Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem..........1-6 Figure 1-2 VPN Application ........................ 1-7 Figure 2-1 Change Password Screen ....................2-1 Figure 2-2 Replace Certificate Screen ....................2-2 Figure 2-3 Example Xmodem Upload ....................
  • Page 15 ZyWALL 5 Internet Security Appliance Figure 8-2 IP Alias..........................8-4 Figure 8-3 Port Roles..........................8-5 Figure 8-4 Port Roles Change Complete ....................8-6 Figure 8-5 DMZ Public Address Example ...................8-6 Figure 8-6 DMZ Private and Public Address Example ................8-7 Figure 9-1 ZyWALL Firewall Application ..................9-2 Figure 9-2 Three-Way Handshake......................9-4...
  • Page 16 ZyWALL 5 Internet Security Appliance Figure 14-9 Trusted Remote Hosts ....................14-19 Figure 14-10 Remote Host Certificates ................... 14-20 Figure 14-11 Certificate Details....................... 14-20 Figure 14-12 Trusted Remote Host Import..................14-21 Figure 14-13 Trusted Remote Host Details ..................14-22 Figure 14-14 Directory Servers......................14-24 Figure 14-15 Directory Server Add ....................
  • Page 17 Figure 22-2 Password Screen ......................22-2 Figure 22-3 Main Menu (Router Mode) .....................22-3 Figure 22-4 Main Menu (Bridge Mode) .....................22-3 Figure 22-5 ZyWALL 5 SMT Menu Overview Example ..............22-5 Figure 22-6 Menu 23: System Password ....................22-6 Figure 23-1 Menu 1: General Setup (Router Mode)................23-1 Figure 23-2 Menu 1: General Setup (Bridge Mode)................23-2...
  • Page 18 ZyWALL 5 Internet Security Appliance Figure 25-5 Menu 3.2.1: IP Alias Setup .................... 25-4 Figure 25-6 Menu 3.5: Wireless LAN Setup ..................25-5 Figure 25-7 Menu 3.5.1: WLAN MAC Address Filter..............25-7 Figure 26-1 Menu 4: Internet Access Setup (Ethernet) ..............26-1 Figure 26-2 Internet Access Setup (PPTP) ..................
  • Page 19 ZyWALL 5 Internet Security Appliance Figure 32-7 Menu 21.1.4.1: Generic Filter Rule ................32-8 Figure 32-8 Telnet Filter Example......................32-9 Figure 32-9 Example Filter: Menu 21.1.3.1 ..................32-10 Figure 32-10 Example Filter Rules Summary: Menu 21.1.3............32-10 Figure 32-11 Protocol and Device Filter Sets...................32-11 Figure 32-12 Filtering LAN Traffic....................32-12...
  • Page 20 ZyWALL 5 Internet Security Appliance Figure 39-1 VPN SMT Menu Tree ....................39-1 Figure 39-2 Menu 27: VPN/IPSec Setup................... 39-1 Figure 39-3 Menu 27.1: IPSec Summary................... 39-2 Figure 39-4 Menu 27.1.1: IPSec Setup ....................39-4 Figure 39-5 Menu 27.1.1.1: IKE Setup ..................... 39-9 Figure 39-6 Menu 27.1.1.2: Manual Setup ..................
  • Page 21 ZyWALL 5 Internet Security Appliance List of Tables Table 2-1 Web Configurator HOME Screen in Router Mode ..............2-4 Table 2-2 Web Configurator HOME Screen in Bridge Mode ..............2-6 Table 2-3 Feature Comparison ......................2-7 Table 2-4 Screens Summary .........................2-8 Table 2-5 Home : Show Statistics.......................2-10 Table 2-6 Home : DHCP Table ......................2-11...
  • Page 22 ZyWALL 5 Internet Security Appliance Table 10-6 Predefined Services ....................... 10-15 Table 10-7 Anti-Probing ........................10-18 Table 10-8 Firewall Threshold......................10-20 Table 11-1 Content Filter : General ....................11-2 Table 11-2 Content Filter : Categories....................11-5 Table 11-3 Content Filter : Customization ..................11-12 Table 12-1 VPN and NAT .........................
  • Page 23 ZyWALL 5 Internet Security Appliance Table 18-4 FTP ..........................18-15 Table 18-5 SNMP Traps ........................18-17 Table 18-6 SNMP ..........................18-18 Table 18-7 DNS..........................18-19 Table 19-1 Configuring UPnP ......................19-2 Table 19-2 UPnP Ports ........................19-3 Table 20-1 View Log..........................20-1 Table 20-2 Example Log Description....................20-2 Table 20-3 Log Settings........................20-4...
  • Page 24 ZyWALL 5 Internet Security Appliance Table 30-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set........30-6 Table 30-5 Menu 15.3: Trigger Port Setup ..................30-14 Table 32-1 Abbreviations Used in the Filter Rules Summary Menu..........32-3 Table 32-2 Rule Abbreviations Used....................32-4 Table 32-3 Menu 21.1.1.1: TCP/IP Filter Rule..................
  • Page 25: Preface

    Preface About This User's Manual Congratulations on your purchase of the ZyWALL 5 Internet Security Appliance. This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyWALL.
  • Page 26: Syntax Conventions

    ZyWALL 5 Internet Security Appliance Syntax Conventions • The version number on the title page is the latest firmware version that is documented in this User’s Guide. Earlier versions may also be included. • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose”...
  • Page 27: Getting Started

    Getting Started Getting Started This part helps you get to know your ZyWALL, introduces the web configurator and covers how to configure the Wizard Setup screens.
  • Page 29: Chapter 1 Getting To Know Your Zywall

    Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. ZyWALL 5 Internet Security Appliance Overview The ZyWALL 5 is the ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall, content filtering, certificates and VPN capability, ZyXEL’s ZyWALL is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 30: Reset Button

    ZyWALL 5 Internet Security Appliance Auto-negotiating 10/100 Mbps Ethernet WAN The 10/100 Mbps Ethernet WAN ports attach to the Internet via broadband modem or router. Auto-crossover 10/100 Mbps Ethernet WAN The WAN interface automatically adjusts to either a crossover or straight-through Ethernet cable.
  • Page 31 ZyWALL 5 Internet Security Appliance to-site lines. The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products. X-Auth (Extended Authentication) X-Auth provides added security for VPN by requiring each VPN client to use a username and password.
  • Page 32: Packet Filtering

    ZyWALL 5 Internet Security Appliance Wireless LAN MAC Address Filtering Your ZyWALL can check the MAC addresses of wireless stations against a list of allowed or denied MAC addresses. WEP Encryption WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.
  • Page 33: Applications For The Zywall

    ZyWALL 5 Internet Security Appliance Network Address Translation (NAT) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 34: Figure 1-1 Secure Internet Access Via Cable, Dsl Or Wireless Modem

    ZyWALL 5 Internet Security Appliance 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem You can connect a cable modem, DSL or wireless modem to the ZyWALL for broadband Internet access via Ethernet or wireless port on the modem. The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
  • Page 35: Chapter 2 Introducing The Web Configurator

    ZyWALL 5 Internet Security Appliance Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. Web Configurator Overview The embedded web configurator (ewc) allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
  • Page 36: Resetting The Zywall

    ZyWALL 5 Internet Security Appliance Figure 2-2 Replace Certificate Screen You should now see the HOME screen (see Figure 2-4). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.
  • Page 37: Navigating The Zywall Web Configurator

    ZyWALL 5 Internet Security Appliance Enter "y" at the prompt below to go into debug mode. Enter "atlc" after "Enter Debug Mode" message. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.
  • Page 38: Figure 2-4 Web Configurator Home Screen In Router Mode

    ZyWALL 5 Internet Security Appliance Use submenus to configure ZyWALL features. Click LOGOUT at any time to exit the web configurator. Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files. Maintenance includes General, Password, Time and Date, Device Mode, F/W (firmware) Upload, Configuration (Backup, Restore, Default), and Restart.
  • Page 39 ZyWALL 5 Internet Security Appliance Table 2-1 Web Configurator HOME Screen in Router Mode LABEL DESCRIPTION Firewall This displays whether or not the ZyWALL’s firewall is activated. Current Time This field displays your ZyWALL’s present time. Current Date This field displays your ZyWALL’s present date.
  • Page 40: Figure 2-5 Web Configurator Home Screen In Bridge Mode

    ZyWALL 5 Internet Security Appliance Figure 2-5 Web Configurator HOME Screen in Bridge Mode The following table describes the labels not previously discussed (see Table 2-1). Table 2-2 Web Configurator HOME Screen in Bridge Mode LABEL DESCRIPTION Network Status IP Address This is the IP address of your ZyWALL in dotted decimal notation.
  • Page 41: Table 2-3 Feature Comparison

    ZyWALL 5 Internet Security Appliance Table 2-2 Web Configurator HOME Screen in Bridge Mode LABEL DESCRIPTION Bridge Max Age This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge. Forward Delay This is the forward delay interval.
  • Page 42: Table 2-4 Screens Summary

    ZyWALL 5 Internet Security Appliance Table 2-3 Feature Comparison FEATURE BRIDGE MODE ROUTER MODE Bandwidth Management Remote Management UPnP Logs Maintenance Table Key: An “O” in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 43 ZyWALL 5 Internet Security Appliance Table 2-4 Screens Summary LINK FUNCTION Anti-Probing Use this screen to change your anti-probing settings. Threshold Use this screen to configure the threshold for DoS attacks. CONTENT FILTER General This screen allows you to enable content filtering and block certain web features.
  • Page 44: Figure 2-6 Home : Show Statistics

    ZyWALL 5 Internet Security Appliance Table 2-4 Screens Summary LINK FUNCTION Ports Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. LOGS View Log Use this screen to view the logs for the categories that you selected.
  • Page 45: Figure 2-7 Home : Dhcp Table

    ZyWALL 5 Internet Security Appliance Table 2-5 Home : Show Statistics LABEL DESCRIPTION TxPkts This is the number of transmitted packets on this port. RxPkts This is the number of received packets on this port. Collisions This is the number of collisions on this port.
  • Page 46: Figure 2-8 Home : Vpn Status

    ZyWALL 5 Internet Security Appliance Table 2-6 Home : DHCP Table LABEL DESCRIPTION MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory.
  • Page 47 ZyWALL 5 Internet Security Appliance Table 2-7 Home : VPN Status LABEL DESCRIPTION Set Interval Click this button to apply the new poll interval you entered in the Poll Interval(s) field. Stop Click Stop to stop refreshing statistics. Introducing the Web Configurator...
  • Page 49: Chapter 3 Wizard Setup

    ZyWALL 5 Internet Security Appliance Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. This chapter is only applicable when the ZyWALL is in router mode. Wizard Setup Overview The web configurator’s setup wizards help you configure the ZyWALL to access the Internet and edit VPN policies and configure IKE settings to establish a VPN tunnel.
  • Page 50: Table 3-1 Isp Parameters : Ethernet Encapsulation

    ZyWALL 5 Internet Security Appliance Table 3-1 ISP Parameters : Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
  • Page 51: Figure 3-2 Isp Parameters : Pppoe Encapsulation

    ZyWALL 5 Internet Security Appliance Figure 3-2 ISP Parameters : PPPoE Encapsulation The following table describes the labels in this screen. Table 3-2 ISP Parameters : PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
  • Page 52: Figure 3-3 Isp Parameters : Pptp Encapsulation

    ZyWALL 5 Internet Security Appliance The ZyWALL supports one PPTP server connection at any given time. Figure 3-3 ISP Parameters : PPTP Encapsulation The following table describes the labels in this screen. Table 3-3 ISP Parameters : PPTP Encapsulation LABEL...
  • Page 53: Table 3-4 Private Ip Address Ranges

    ZyWALL 5 Internet Security Appliance 3.2.2 WAN and DNS The second wizard screen allows you to configure WAN IP address assignment, DNS server address assignment and the WAN MAC address. WAN IP Address Assignment Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems.
  • Page 54: Table 3-5 Example Of Network Properties For Lan Servers With Fixed Ip Addresses

    ZyWALL 5 Internet Security Appliance The subnet mask specifies the network number portion of an IP address. Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise.
  • Page 55: Figure 3-4 Wan And Dns

    ZyWALL 5 Internet Security Appliance Figure 3-4 WAN and DNS The following table describes the labels in this screen. Table 3-6 WAN and DNS LABEL DESCRIPTION WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
  • Page 56: Figure 3-5 Internet Access Wizard Setup Complete

    ZyWALL 5 Internet Security Appliance Table 3-6 WAN and DNS LABEL DESCRIPTION First DNS Server / Second DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
  • Page 57: Vpn Overview

    ZyWALL 5 Internet Security Appliance VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 58: Figure 3-6 Vpn Wizard : Gateway Setting

    ZyWALL 5 Internet Security Appliance Dynamic Secure Gateway Address If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network.
  • Page 59: Figure 3-7 Vpn Wizard : Network Setting

    ZyWALL 5 Internet Security Appliance Figure 3-7 VPN Wizard : Network Setting The following table describes the labels in this screen. Table 3-8 VPN Wizard : Network Setting LABEL DESCRIPTION Local Network Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
  • Page 60: Figure 3-8 Two Phases To Set Up The Ipsec Sa

    ZyWALL 5 Internet Security Appliance Table 3-8 VPN Wizard : Network Setting LABEL DESCRIPTION Back Click Back to return to the previous screen. Next Click Next to continue. 3.4.4 IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange).
  • Page 61: Ipsec Algorithms

    ZyWALL 5 Internet Security Appliance if there is traffic when the IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
  • Page 62: Table 3-9 Ah And Esp

    ZyWALL 5 Internet Security Appliance 3.5.1 AH (Authentication Header) Protocol AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed. In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity.
  • Page 63: Figure 3-9 Vpn Wizard : Ike Tunnel Setting

    ZyWALL 5 Internet Security Appliance 3.5.3 IKE Tunnel Setting (IKE Phase 1) Figure 3-9 VPN Wizard : IKE Tunnel Setting The following table describes the labels in this screen. Table 3-10 VPN Wizard : IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Use the radio buttons to select Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
  • Page 64: Figure 3-10 Vpn Wizard : Ipsec Setting

    ZyWALL 5 Internet Security Appliance Table 3-10 VPN Wizard : IKE Tunnel Setting LABEL DESCRIPTION Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 65 ZyWALL 5 Internet Security Appliance Table 3-11 VPN Wizard : IPSec Setting LABEL DESCRIPTION Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 66: Figure 3-11 Vpn Wizard : Vpn Status

    ZyWALL 5 Internet Security Appliance Figure 3-11 VPN Wizard : VPN Status The following table describes the labels in this screen. Table 3-12 VPN Wizard : VPN Status LABEL DESCRIPTION Gateway Setting My IP Address This is the WAN IP address of your ZyWALL.
  • Page 67: Vpn Wizard Setup Complete

    ZyWALL 5 Internet Security Appliance Table 3-12 VPN Wizard : VPN Status LABEL DESCRIPTION Ending IP Address/Subnet Mask When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range of IP addresses, this is the end (static) IP address in the range of computers on the network behind the remote IPSec router.
  • Page 68: Figure 3-12 Vpn Wizard Setup Complete

    ZyWALL 5 Internet Security Appliance Figure 3-12 VPN Wizard Setup Complete 3-20 Wizard Setup...
  • Page 69: Lan, Bridge, Wireless Lan And Authentication Server

    LAN, Bridge, Wireless LAN and Authentication Server LAN, Bridge, Wireless LAN and Authentication Server This part covers configuration of the LAN, Bridge, wireless LAN and Authentication Server screens.
  • Page 71: Chapter 4 Lan Screens

    ZyWALL 5 Internet Security Appliance Chapter 4 LAN Screens This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. LAN Overview Local Area Network (LAN) is a shared communication system to which many computers are attached.
  • Page 72: Ip Address And Subnet Mask

    ZyWALL 5 Internet Security Appliance IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits) DHCP server enabled with 128 client IP addresses starting from 192.168.1.33. These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
  • Page 73: Configuring Lan

    ZyWALL 5 Internet Security Appliance Configuring LAN Click LAN to open the LAN screen. Figure 4-1 LAN The following table describes the labels in this screen. Table 4-1 LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
  • Page 74 ZyWALL 5 Internet Security Appliance Table 4-1 LAN LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 75: Configuring Static Dhcp

    ZyWALL 5 Internet Security Appliance Table 4-1 LAN LABEL DESCRIPTION Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 76: Configuring Ip Alias

    ZyWALL 5 Internet Security Appliance Figure 4-2 Static DHCP The following table describes the labels in this screen. Table 4-2 Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address (with colons) of a computer on your LAN.
  • Page 77: Figure 4-5 Ip Alias

    ZyWALL 5 Internet Security Appliance Figure 4-3 Physical Network Figure 4-4 Partitioned Logical Networks To change your ZyWALL’s IP alias settings, click LAN, then the IP Alias tab. The screen appears as shown. Figure 4-5 IP Alias The following table describes the labels in this screen.
  • Page 78: Configuring Port Roles

    ZyWALL 5 Internet Security Appliance Table 4-3 IP Alias LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None.
  • Page 79: Figure 4-6 Port Roles

    ZyWALL 5 Internet Security Appliance Figure 4-6 Port Roles After you change the LAN/DMZ port roles and click Apply, please wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 4-7 Port Roles Change Complete...
  • Page 81: Chapter 5 Bridge Screens

    ZyWALL 5 Internet Security Appliance Chapter 5 Bridge Screens This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. Bridge Loop The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers.
  • Page 82: Table 5-1 Stp Path Costs

    ZyWALL 5 Internet Security Appliance 5.2.2 STP Terminology The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address). Path cost is the cost of transmitting a frame from the root bridge to that port. It is assigned according to the speed of the link to which a port is attached.
  • Page 83: Configuring Bridge

    ZyWALL 5 Internet Security Appliance Table 5-2 STP Port States PORT STATE DESCRIPTION Learning All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded. Forwarding All BPDUs are received and processed. All information frames are received and forwarded.
  • Page 84: Configuring Port Roles

    ZyWALL 5 Internet Security Appliance Table 5-3 Bridge LABEL DESCRIPTION Gateway IP Address Enter the gateway IP address. Rapid Spanning Tree Protocol Setup Enable Rapid Spanning Tree Protocol Select the check box to activate RSTP on the ZyWALL. Bridge Priority Enter a number between 0 and 61440 as bridge priority of the ZyWALL.
  • Page 85: Chapter 6 Wireless Lan And Authentication Server

    ZyWALL 5 Internet Security Appliance Chapter 6 Wireless LAN and Authentication Server This chapter discusses how to configure Wireless LAN and Auth Server on the ZyWALL. Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios.
  • Page 86: Wireless Security

    ZyWALL 5 Internet Security Appliance Figure 6-1 RTS Threshold When station A sends data to the ZyWALL, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 87: Inserting A Pcmcia/Cardbus Wireless Lan Card

    ZyWALL 5 Internet Security Appliance The figure below shows the possible wireless security levels on your ZyWALL. EAP (Extensible Authentication Protocol) is used for authentication and utilizes dynamic WEP key exchange. It requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server either on the WAN or your LAN to provide authentication service for wireless stations.
  • Page 88: Configuring Wireless Lan

    Configuring Wireless LAN If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm.
  • Page 89: Configuring Mac Filter

    Table 6-1 Wireless. ESSID (Extended Service Set IDentity): The ESSID identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same ESSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
  • Page 90: Figure 6-4 Mac Address Filter

    To change your ZyWALL’s MAC filter settings, click WIRELESS LAN, then the MAC Filter tab. The screen appears as shown. Figure 6-4 MAC Address Filter The following table describes the labels in this menu. Table 6-2 MAC Address Filter...
  • Page 91: Overview

    802.1x Overview The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyWALL (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users.
  • Page 92: Introduction To Local User Database

    In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
  • Page 93: Authentication Server

    Figure 6-6 802.1X Authentication The following table describes the labels in this screen. Table 6-3 802.1X Authentication. Authentication Type: Select Authentication Required, No Access or No Authentication Required from the drop-down list box.
  • Page 94: Figure 6-7 Local User Database

    Figure 6-7 Local User Database The following table describes the labels in this screen. Table 6-4 Local User Database. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile.
  • Page 95: Configuring Radius

    Table 6-4 Local User Database. Reset: Click Reset to begin configuring this screen afresh. 6.13 Configuring RADIUS Use RADIUS if you want to authenticate wireless users using an external server. To set up your ZyWALL’s RADIUS Server settings, click AUTH SERVER, then the RADIUS tab.
  • Page 96

    Table 6-5 RADIUS. Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL.
  • Page 97: Wan And Dmz

    WAN and DMZ This part covers configuration of the WAN and DMZ screens.
  • Page 99: Chapter 7 Wan Screens

    Chapter 7 WAN Screens This chapter describes how to configure WAN settings. WAN Overview See the Wizard Setup chapter for more information on the fields in the WAN screens. TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
  • Page 100: Configuring Wan Setup

    Figure 7-1 Route The following table describes the labels in this screen. Table 7-1 Route. Route Priority: The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. The default priority of the routes...
  • Page 101: Figure 7-2 Ethernet Encapsulation

    Figure 7-2 Ethernet Encapsulation The following table describes the labels in this screen. Table 7-2 Ethernet Encapsulation. ISP Parameters for Internet Access. Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 102

    Table 7-2 Ethernet Encapsulation. Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type.
  • Page 103

    Table 7-2 Ethernet Encapsulation. RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only.
  • Page 104: Pppoe Encapsulation

    Table 7-2 Ethernet Encapsulation. Allow between WAN and LAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
  • Page 105: Figure 7-3 Pppoe Encapsulation

    Figure 7-3 PPPoE Encapsulation The following table describes the labels not previously discussed. Table 7-3 PPPoE Encapsulation. ISP Parameters for Internet Access.
  • Page 106: Pptp Encapsulation

    Table 7-3 PPPoE Encapsulation. Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e. DSL, cable, wireless, etc.) connection.
  • Page 107: Figure 7-4 Pptp Encapsulation

    Figure 7-4 PPTP Encapsulation The following table describes the labels not previously discussed. Table 7-4 PPTP Encapsulation. ISP Parameters for Internet Access.
  • Page 108: Traffic Redirect

    Table 7-4 PPTP Encapsulation. Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
  • Page 109: Configuring Traffic Redirect

    Figure 7-6 Traffic Redirect LAN Setup Configuring Traffic Redirect To change your ZyWALL’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown. Figure 7-7 Traffic Redirect The following table describes the labels in this screen.
  • Page 110: Configuring Dial Backup

    Table 7-5 Traffic Redirect. Metric: This field sets this route's priority among the routes the ZyWALL uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1"...
  • Page 111: Figure 7-8 Dial Backup Setup

    Figure 7-8 Dial Backup Setup The following table describes the labels in this screen.
  • Page 112: Table 7-6 Dial Backup Setup

    Table 7-6 Dial Backup Setup. Dial Backup Setup. Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings. Login Name: Type the login name assigned by your ISP. Password: Type the password assigned by your ISP.
  • Page 113

    Table 7-6 Dial Backup Setup. Enable SUA: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network to a different IP address known within another network. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server.
  • Page 114: Advanced Modem Setup

    Table 7-6 Dial Backup Setup. Allocated Budget: Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field. Set an amount that is less than the time period configured in the Period field.
  • Page 115: Figure 7-9 Advanced Setup

    Figure 7-9 Advanced Setup The following table describes the labels in this screen. Table 7-7 Advanced Setup (label, description, example). AT Command Strings. Dial: Type the AT Command string to make a call (example: atdt). Drop: Type the AT Command string to drop a call.
  • Page 116: Dynamic Dns

    Table 7-7 Advanced Setup. Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
  • Page 117: Figure 7-10 Ddns

    Figure 7-10 DDNS The following table describes the labels in this screen. Table 7-8 DDNS. Basic Settings. Enable DDNS: Select this check box to use dynamic DNS. Service Provider: Select the name of your Dynamic DNS service provider.
  • Page 118

    Table 7-8 DDNS. DDNS server auto detect IP Address: Only select this option when there are one or more NAT routers between the ZyWALL and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
  • Page 119: Chapter 8 Dmz Screens

    Chapter 8 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. DMZ Overview The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 120: Figure 8-1 Dmz

    Figure 8-1 DMZ The following table describes the labels in this screen. Table 8-1 DMZ. DMZ TCP/IP. IP Address: Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Make sure the IP addresses of the LAN, WAN and DMZ are on separate subnets.
  • Page 121: Configuring Ip Alias

    Table 8-1 DMZ. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 122: Figure 8-2 Ip Alias

    Figure 8-2 IP Alias The following table describes the labels in this screen. Table 8-2 IP Alias. Enable IP Alias 1,2: Select the check box to configure another DMZ network for the ZyWALL.
  • Page 123: Configuring Port Roles

    Table 8-2 IP Alias. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 124: Dmz Public Ip Address Example

    Figure 8-4 Port Roles Change Complete DMZ Public IP Address Example The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.b.c.d for example).
  • Page 125: Figure 8-6 Dmz Private And Public Address Example

    Configure both DMZ and DMZ IP alias to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses. Figure 8-6 DMZ Private and Public Address Example
  • Page 127: Firewall And Content Filtering

    Firewall and Content Filtering This part introduces firewalls in general and the ZyWALL firewall. It also explains how to configure the ZyWALL firewall and content filtering.
  • Page 129: Chapter 9 Firewalls

    Chapter 9 Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
  • Page 130: Introduction To Zyxel's Firewall

    9.2.3 Stateful Inspection Firewalls Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency;...
  • Page 131: Denial Of Service

    Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 132: Figure 9-2 Three-Way Handshake

    2. Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These attacks are executed during the handshake that initiates a communication session between two applications. Figure 9-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
  • Page 133: Figure 9-4 Smurf Attack

    (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the "intermediary"...
  • Page 134: Stateful Inspection

    Table 9-4 Legal SMTP Commands: AUTH, DATA, EHLO, ETRN, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, TURN, VRFY. Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.
  • Page 135

    9.5.1 Stateful Inspection Process In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection: 1.
  • Page 136

    The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
  • Page 137: Guidelines For Enhancing Security With Your Firewall

    commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected.
  • Page 138

    3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
  • Page 139: Chapter 10 Firewall Screens

    Chapter 10 Firewall Screens This chapter shows you how to configure your ZyWALL firewall. 10.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator.
  • Page 140: Rule Logic Overview

    • DMZ to DMZ/ZyWALL This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and/or managing the ZyWALL. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
  • Page 141: Connection Direction Examples

    1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3.
  • Page 142: Alerts

    Figure 10-1 LAN to WAN Traffic 10.4.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
  • Page 143: Figure 10-3 Default Rule (Router Mode)

    Figure 10-3 Default Rule (Router Mode) The following table describes the labels in this screen. Table 10-1 Default Rule (Router Mode). Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 144: Figure 10-4 Default Rule (Bridge Mode)

    Figure 10-4 Default Rule (Bridge Mode) The following table describes the labels in this screen. Table 10-2 Default Rule (Bridge Mode). Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 145: Figure 10-5 Rule Summary

    10.6.1 Rule Summary The ordering of your rules is very important as rules are applied in turn. Click FIREWALL, then the Rule Summary tab to open the screen. Figure 10-5 Rule Summary The following table describes the labels in this screen.
  • Page 146: Configuring Firewall Rules

    Table 10-3 Rule Summary. Source Address: This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
  • Page 147: Figure 10-6 Creating/Editing A Firewall Rule

    Figure 10-6 Creating/Editing A Firewall Rule The following table describes the labels in this screen.
  • Page 148: Table 10-4 Creating/Editing A Firewall Rule

    Table 10-4 Creating/Editing A Firewall Rule. Edit Source/Destination Address. Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
  • Page 149: Example Firewall Rule

    10.6.3 Configuring Custom Services Configure customized ports for services not predefined by the ZyWALL (see section 10.8 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
  • Page 150: Figure 10-8 Rule Summary

    Select WAN to LAN from the drop-down list box. Figure 10-8 Rule Summary In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 151: Figure 10-10 Edit Custom Service Example

    In the Edit Rule screen, click Add under Custom Service to open the Edit Custom Service screen. Configure it as follows and click Apply. Figure 10-10 Edit Custom Service Example In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows.
  • Page 152: Figure 10-11 My Service Rule Configuration

    This is the address range of the “My Service” servers. This is your “My Service” custom service. Click Apply when finished. Figure 10-11 My Service Rule Configuration On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following.
  • Page 153: Predefined Services

    Rule 1: Allows a “My Service” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Figure 10-12 My Service Example Rule Summary 10.8 Predefined Services The Available Services list box in the Edit Rule screen (see Figure 10-6) displays all predefined services that the ZyWALL already supports.
  • Page 154

    Table 10-6 Predefined Services. H.323(TCP:1720): NetMeeting uses this protocol. HTTP(TCP:80): Hyper Text Transfer Protocol, a client/server protocol for the world wide web. HTTPS(TCP:443): HTTPS is a secured http session often used in e-commerce.
  • Page 155: Anti-Probing

    ZyWALL 5 Internet Security Appliance Table 10-6 Predefined Services SERVICE DESCRIPTION SMTP(TCP:25) Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP(TCP/UDP:161) Simple Network Management Program.
  • Page 156: Configuring Attack Alert

    Figure 10-13 Anti-Probing The following table describes the labels in this screen. Table 10-7 Anti-Probing. Respond to PING: The ZyWALL does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests.
  • Page 157: Threshold Values

    10.10.1 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are: 1.
  • Page 158: Figure 10-14 Firewall Threshold

    The ZyWALL also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click the FIREWALL link and then the Threshold tab to bring up the next screen.
  • Page 159

    Table 10-8 Firewall Threshold. Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests.
  • Page 161: Chapter 11 Content Filtering Screens

    Chapter 11 Content Filtering Screens This chapter provides an overview of content filtering. 11.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or restrict specific websites. With content filtering, you can do the following: 11.1.1 Restrict Web Features...
  • Page 162: Figure 11-1 Content Filter : General

    Figure 11-1 Content Filter : General The following table describes the labels in this screen. Table 11-1 Content Filter : General. General Setup. Enable Content Filter: Select this check box to enable the content filter.
  • Page 163

    Table 11-1 Content Filter : General. Java: Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds. The ZyWALL allows access to the web site where you register for content filtering even if you block Java applets.
  • Page 164: Content Filtering With An External Server

    11.3 Content Filtering with an External Server Your ZyWALL uses an application services company that provides outsourced content filtering. If you enable the content filter, your ZyWALL will have access to an external database, which contains dynamically updated ratings of millions of web sites.
  • Page 165: Configuring For Registering And Categories

    11.5 Configuring for Registering and Categories To register for and configure category-based content filtering, click CONTENT FILTER, and then the Categories tab. The screen appears as shown. Figure 11-3 Content Filter : Categories The following table describes the labels in this screen.
  • Page 166

    Table 11-2 Content Filter : Categories. Matched Web Pages: Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
  • Page 167

    Table 11-2 Content Filter : Categories. Nudity: Selecting this category excludes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature.
  • Page 168

    Table 11-2 Content Filter : Categories. Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
  • Page 169

    Table 11-2 Content Filter : Categories. News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
  • Page 170

    Table 11-2 Content Filter : Categories. Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
  • Page 171: Configuring Customization

    Table 11-2 Content Filter : Categories. Register: Click Register to go to a web site where you can register for category-based content filtering (using an external database). You can use a trial application or register your iCard’s PIN.
  • Page 172: Figure 11-4 Content Filter : Customization

    Figure 11-4 Content Filter : Customization The following table describes the labels in this screen. Table 11-3 Content Filter : Customization. Web Site List Customization. Enable Web site customization: Select this check box to allow Trusted Domain web sites and block Forbidden Domain web sites.
  • Page 173: Customizing Keyword Blocking Url Checking

    Table 11-3 Content Filter : Customization. Trusted Web Sites: Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list. You can enter up to 32 entries.
  • Page 174

    11.7.1 Domain Name or IP Address URL Checking By default, the ZyWALL only checks the URL’s domain name or IP address when performing keyword blocking. This means that the ZyWALL checks the characters that come before the first slash in the URL.
  • Page 175: Vpn/Ipsec

    VPN/IPSec This part provides information on how to configure VPN/IPSec.
  • Page 177: Chapter 12 Introduction To Ipsec

    Chapter 12 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. This chapter is only applicable when the ZyWALL is in router mode. 12.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
  • Page 178: Ipsec Architecture

    Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.
  • Page 179: Encapsulation

    12.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard), AES (Advanced Encryption Standard) and Triple DES algorithms.
  • Page 180: Ipsec And Nat

    Outside header: The outside IP header contains the destination IP address of the VPN gateway. Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header.
  • Page 181: Chapter 13 Vpn Screens

    ZyWALL 5 Internet Security Appliance Chapter 13 VPN Screens This chapter introduces the VPN Web Configurator. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions. 13.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 182: My Ip Address

    ZyWALL 5 Internet Security Appliance Table 13-1 AH and ESP Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
  • Page 183: Summary Screen

    ZyWALL 5 Internet Security Appliance 13.5 Summary Screen The following figure helps explain the main fields in the web configurator. Figure 13-1 IPSec Summary Fields Local and remote IP addresses must be static. Click VPN to open the VPN Rules screen. This is a read-only menu of your IPSec rules (tunnels).
  • Page 184: Keep Alive

    ZyWALL 5 Internet Security Appliance Table 13-2 VPN Rules LABEL DESCRIPTION Local IP Address This is the IP address(es) of computer(s) on your local network behind your ZyWALL. The same (static) IP address is displayed twice when the Local Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Single Address.
  • Page 185: Nat Traversal

    ZyWALL 5 Internet Security Appliance When there is outbound traffic with no inbound traffic, the ZyWALL automatically drops the tunnel after two minutes. 13.7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
  • Page 186: Id Type And Content

    ZyWALL 5 Internet Security Appliance 13.7.3 Remote DNS Server In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from...
  • Page 187: Table 13-3 Local Id Type And Content Fields

    ZyWALL 5 Internet Security Appliance that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyWALL can distinguish up to 12 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see section 13.10).
  • Page 188: Pre-Shared Key

    ZyWALL 5 Internet Security Appliance The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
  • Page 189: Figure 13-5 Edit Vpn Rule

    ZyWALL 5 Internet Security Appliance Figure 13-5 Edit VPN Rule The following table describes the labels in this screen. VPN Screens 13-9...
  • Page 190: Table 13-7 Edit Vpn Rule

    ZyWALL 5 Internet Security Appliance Table 13-7 Edit VPN Rule LABEL DESCRIPTION Property Active Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive Select this check box to turn on the keep alive feature for this SA.
  • Page 191 ZyWALL 5 Internet Security Appliance Table 13-7 Edit VPN Rule LABEL DESCRIPTION User Name Enter a user name for your ZyWALL to be authenticated by the VPN peer (in server mode). The user name can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
  • Page 192 ZyWALL 5 Internet Security Appliance Table 13-7 Edit VPN Rule LABEL DESCRIPTION Ending IP Address/ When the Address Type field is configured to Single Address, this field is N/A. When Subnet Mask the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 193 ZyWALL 5 Internet Security Appliance Table 13-7 Edit VPN Rule LABEL DESCRIPTION Peer ID Type Select from the following when you set Authentication Method to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
  • Page 194 ZyWALL 5 Internet Security Appliance Table 13-7 Edit VPN Rule LABEL DESCRIPTION My IP Address Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 195: Ike Phases

    ZyWALL 5 Internet Security Appliance Table 13-7 Edit VPN Rule LABEL DESCRIPTION Cancel Click Cancel to exit this screen without saving. 13.11 IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
  • Page 196: Configuring Advanced Vpn Rule

    ZyWALL 5 Internet Security Appliance even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic. 13.11.1 X-Auth and IKE X-Auth (Extended Authentication) inserts a new exchange between IKE phases 1 and 2 for client authentication.
  • Page 197: Figure 13-7 Edit Vpn Rule: Advanced

    ZyWALL 5 Internet Security Appliance Figure 13-7 Edit VPN Rule: Advanced The following table describes the labels in this screen. Table 13-8 Edit VPN Rule: Advanced LABEL DESCRIPTION Phase 1 Negotiation Mode Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
  • Page 198 ZyWALL 5 Internet Security Appliance Table 13-8 Edit VPN Rule: Advanced LABEL DESCRIPTION SA Life Time Define the length of time before an IKE SA automatically renegotiates in this field. It may (Seconds) range from 180 to 3,000,000 seconds (almost 35 days).
  • Page 199: Manual Key Setup

    ZyWALL 5 Internet Security Appliance Table 13-8 Edit VPN Rule: Advanced LABEL DESCRIPTION Type a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Port Start is left at 0, Local Port End will also remain at 0.
  • Page 200: Figure 13-8 Vpn Manual Setup

    ZyWALL 5 Internet Security Appliance Figure 13-8 VPN Manual Setup The following table describes the labels in this screen. Table 13-9 VPN Manual Setup LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 201 ZyWALL 5 Internet Security Appliance Table 13-9 VPN Manual Setup LABEL DESCRIPTION DNS Server (for If there is a private DNS server that services the VPN, type its IP address here. The IPSec VPN) ZyWALL assigns this additional DNS server to the ZyWALL's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
  • Page 202 ZyWALL 5 Internet Security Appliance Table 13-9 VPN Manual Setup LABEL DESCRIPTION My IP Address Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 203: Viewing Sa Monitor

    ZyWALL 5 Internet Security Appliance Table 13-9 VPN Manual Setup LABEL DESCRIPTION Cancel Click Cancel to exit this screen without saving. 13.15 Viewing SA Monitor In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and manage active VPN connections.
  • Page 204: Configuring Global Setting

    ZyWALL 5 Internet Security Appliance Table 13-10 SA Monitor LABEL DESCRIPTION Previous Page Click Previous Page to view more items in the summary. (if applicable) Next Page Click Next Page to view more items in the summary. (If applicable) 13.16 Configuring Global Setting To change your ZyWALL’s global settings, click VPN, then the Global Setting tab.
  • Page 205: Figure 13-11 Telecommuters Sharing One Vpn Rule Example

    ZyWALL 5 Internet Security Appliance of their IPSec routers. The telecommuters must all use the same IPSec parameters but the local IP addresses (or ranges of addresses) should not overlap. Figure 13-11 Telecommuters Sharing One VPN Rule Example Table 13-12 Telecommuters Sharing One VPN Rule Example...
  • Page 206: Figure 13-12 Telecommuters Using Unique Vpn Rules Example

    ZyWALL 5 Internet Security Appliance Figure 13-12 Telecommuters Using Unique VPN Rules Example Table 13-13 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rules: All Headquarters Rules: My IP Address 0.0.0.0 My IP Address: bigcompanyhq.com Secure Gateway Address: bigcompanyhq.com Local IP Address: 192.168.1.10...
  • Page 207: Vpn And Remote Management

    ZyWALL 5 Internet Security Appliance 13.18 VPN and Remote Management If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGMT) to allow access for that service. VPN Screens 13-27...
  • Page 209: Certificates

    Certificates: This part provides information and configuration instructions for public-key certificates.
  • Page 211: Chapter 14 Certificates

    Chapter 14 Certificates: This chapter gives background information about public-key certificates and explains how to use them. 14.1 Certificates Overview: The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 212: Self-Signed Certificates

    The ZyWALL only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
  • Page 213: Figure 14-2 My Certificates

    Figure 14-2 My Certificates. The following table describes the labels in this screen. Table 14-1 My Certificates. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use.
  • Page 214 Table 14-1 My Certificates. Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
  • Page 215: Certificate File Formats

    14.5 Certificate File Formats: The certification authority certificate that you want to import has to be in one of these file formats: Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
  • Page 216: Creating A Certificate

    Figure 14-3 My Certificate Import. The following table describes the labels in this screen. Table 14-2 My Certificate Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 217: Figure 14-4 My Certificate Create

    Figure 14-4 My Certificate Create. The following table describes the labels in this screen. Table 14-3 My Certificate Create. Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
  • Page 218 Table 14-3 My Certificate Create. Organizational Unit: Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 219: My Certificate Details

    Table 14-3 My Certificate Create. Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol.
  • Page 220: Figure 14-5 My Certificate Details

    Figure 14-5 My Certificate Details. The following table describes the labels in this screen. Table 14-4 My Certificate Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate.
  • Page 221 Table 14-4 My Certificate Details. Property: Default self-signed certificate which signs the imported remote host certificates: Select this check box to have the ZyWALL use this certificate to sign the trusted remote host certificates that you import to the ZyWALL. This check box is only available with self-signed certificates.
  • Page 222: Trusted CAs

    Table 14-4 My Certificate Details. Basic Constraint: This field displays general information about the certificate. For example, "Subject Type=CA" means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
  • Page 223: Figure 14-6 Trusted CAs

    Figure 14-6 Trusted CAs. The following table describes the labels in this screen. Table 14-5 Trusted CAs. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use.
  • Page 224: Importing A Trusted CA's Certificate

    Table 14-5 Trusted CAs. CRL Issuer: This field displays "Yes" if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate's details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority.
  • Page 225: Trusted CA Certificate Details

    Table 14-6 Trusted CA Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 226: Figure 14-8 Trusted CA Details

    Figure 14-8 Trusted CA Details. The following table describes the labels in this screen. Table 14-7 Trusted CA Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 227 Table 14-7 Trusted CA Details. Property (Check incoming certificates issued by...): Select this check box to have the ZyWALL check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).
  • Page 228: Trusted Remote Hosts

    Table 14-7 Trusted CA Details. Basic Constraint: This field displays general information about the certificate. For example, "Subject Type=CA" means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
  • Page 229: Figure 14-9 Trusted Remote Hosts

    Figure 14-9 Trusted Remote Hosts. The following table describes the labels in this screen. Table 14-8 Trusted Remote Hosts. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use.
  • Page 230: Verifying A Trusted Remote Host's Certificate

    Table 14-8 Trusted Remote Hosts. Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL. Refresh: Click this button to display the current validity status of the certificates.
  • Page 231: Importing A Trusted Remote Host's Certificate

    14.14 Importing a Trusted Remote Host's Certificate: Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host's certificate to the ZyWALL; see the following figure.
  • Page 232: Figure 14-13 Trusted Remote Host Details

    Figure 14-13 Trusted Remote Host Details. The following table describes the labels in this screen. Table 14-10 Trusted Remote Host Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 233 Table 14-10 Trusted Remote Host Details. Certification Path: Click the Refresh button to have this read-only text box display the end entity's own certificate and a list of certification authority certificates in the hierarchy of certification authorities that validate a certificate's issuing certification authority.
  • Page 234: Directory Servers

    Table 14-10 Trusted Remote Host Details. SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. You cannot use this value to verify that this is the remote host's actual certificate because the ZyWALL has signed the certificate;...
  • Page 235: Add Or Edit A Directory Server

    Table 14-11 Directory Servers. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
  • Page 236: Table 14-12 Directory Server Add

    Table 14-12 Directory Server Add. Directory Service Setting: Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
  • Page 237: NAT And Static Route

    NAT and Static Route: This part covers Network Address Translation and setting up static routes.
  • Page 239: Chapter 15 Network Address Translation (NAT)

    Chapter 15 Network Address Translation (NAT): This chapter discusses how to configure NAT on the ZyWALL. This chapter is only applicable when the ZyWALL is in router mode. 15.1 NAT Overview: NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 240: Figure 15-1 How NAT Works

    ...network and make them accessible to the outside world. Although you can make designated servers on the LAN accessible to the outside world, it is strongly recommended that you attach those servers to the DMZ port instead. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection.
  • Page 241: Figure 15-2 NAT Application With IP Alias

    Figure 15-2 NAT Application With IP Alias. 15.1.5 NAT Mapping Types: NAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address.
  • Page 242: Using NAT

    Table 15-2 NAT Mapping Types (TYPE / IP MAPPING / SMT ABBREVIATION):
    One-to-One: ILA1 -> IGA1
    Many-to-One (SUA/PAT): ILA1 -> IGA1, ILA2 -> IGA1, …
    Many-to-Many Overload (M-M Ov): ILA1 -> IGA1, ILA2 -> IGA2, ILA3 -> IGA1, ILA4 -> IGA2, …
    Many-One-to-One: ILA1...
  • Page 243: Figure 18-22 SNMP

    You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21.
  • Page 244: Configuring SUA Server

    ...the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 15-3 Multiple Servers Behind NAT Example. 15.4 Configuring SUA Server...
  • Page 245: Figure 15-4 SUA Server

    Figure 15-4 SUA Server. The following table describes the labels in this screen. Table 15-4 SUA Server. Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
  • Page 246: Configuring Address Mapping

    15.5 Configuring Address Mapping: Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
  • Page 247: Figure 15-6 Address Mapping Edit

    Table 15-5 Address Mapping. This is the rule index number. Local Start IP: This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address.
  • Page 248: Configuring Trigger Port

    Table 15-6 Address Mapping Edit. Type: Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
  • Page 249: Figure 15-7 Trigger Port Forwarding Process: Example

    Figure 15-7 Trigger Port Forwarding Process: Example. Jane requests a file from the Real Audio server (port 7070). Port 7070 is a "trigger" port and causes the ZyWALL to record Jane's computer IP address. The ZyWALL associates Jane's computer IP address with the "incoming"...
  • Page 250: Table 15-7 Trigger Port

    Table 15-7 Trigger Port. This is the rule index number (read-only). Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces. Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
  • Page 251: Chapter 16 Static Route

    Chapter 16 Static Route: This chapter shows you how to configure static routes for your ZyWALL. This chapter is only applicable when the ZyWALL is in router mode. 16.1 Static Route Overview: Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 252: Figure 16-2 IP Static Route

    Figure 16-2 IP Static Route. The following table describes the labels in this screen. Table 16-1 IP Static Route. This is the number of an individual static route. Name: This is the name that describes or identifies this route.
  • Page 253: Figure 16-3 Edit IP Static Route

    16.2.1 Configuring a Static Route Entry: Select a static route index number and click Edit. The screen shown next appears. Fill in the required information for each static route. Figure 16-3 Edit IP Static Route. The following table describes the labels in this screen.
  • Page 255: Bandwidth Management, Remote Management And Upnp

    Bandwidth Management, Remote Management and UPnP Bandwidth Management, Remote Management and UPnP This part provides information and configuration instructions for bandwidth management, remote management and Universal Plug and Play. VIII...
  • Page 257: Chapter 17 Bandwidth Management

    ZyWALL 5 Internet Security Appliance Chapter 17 Bandwidth Management This chapter describes the functions and configuration of bandwidth management. 17.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
  • Page 258: Bandwidth Management Usage Examples

    ZyWALL 5 Internet Security Appliance 17.4 Bandwidth Management Usage Examples These examples show bandwidth management allotments on a WAN interface that is configured for 10Mbps. 17.4.1 Application-based Bandwidth Management Example The bandwidth classes in the following example are based solely on application. Each bandwidth class (VoIP, Web, FTP, E-mail and Video) is allotted 128 Kbps.
  • Page 259: Scheduler

    ZyWALL 5 Internet Security Appliance Figure 17-3 Application and Subnet-based Bandwidth Management Example 17.5 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based. 17.5.1 Priority-based Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes.
  • Page 260: Figure 17-4 Bandwidth Allotment Example

    ZyWALL 5 Internet Security Appliance 17.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic Do the following three steps to configure the ZyWALL to allow bandwidth for traffic that is not defined in a bandwidth filter. Leave some of the interface’s bandwidth unbudgeted.
  • Page 261: Bandwidth Borrowing

    ZyWALL 5 Internet Security Appliance R&D requires more bandwidth but only gets its budgeted 2 Mbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes. The ZyWALL does not send any traffic that is not defined in the bandwidth filters because all of the unbudgeted bandwidth goes to the classes that need it.
  • Page 262: Configuring Summary

    ZyWALL 5 Internet Security Appliance Figure 17-6 Bandwidth Borrowing Example The Administration class cannot borrow unused bandwidth from the Root class because the Administration class has bandwidth borrowing disabled. The Marketing class can borrow unused bandwidth from the Root class because the Marketing class has bandwidth borrowing enabled.
  • Page 263: Configuring Class Setup

    ZyWALL 5 Internet Security Appliance Figure 17-7 Bandwidth Manager: Summary The following table describes the labels in this screen. Table 17-2 Bandwidth Manager: Summary LABEL DESCRIPTION These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
  • Page 264: Figure 17-8 Bandwidth Manager: Class Setup

    ZyWALL 5 Internet Security Appliance of the root class is equal to the speed you configured on the interface (see section 17.8 to configure the speed of the interface). Configure sub-class layers for the root class. To add or delete child classes on an interface, click BW MGMT, then the Class Setup tab. The screen appears as shown (with example classes).
  • Page 265: Figure 17-9 Bandwidth Manager: Edit Class

    ZyWALL 5 Internet Security Appliance Figure 17-9 Bandwidth Manager: Edit Class The following table describes the labels in this screen. Table 17-4 Bandwidth Manager: Edit Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 266: Table 17-5Services And Port Numbers

    ZyWALL 5 Internet Security Appliance Table 17-4 Bandwidth Manager: Edit Class LABEL DESCRIPTION Enable Bandwidth Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it Filter performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
  • Page 267: Configuring Monitor

    ZyWALL 5 Internet Security Appliance Figure 17-10 Bandwidth Management Statistics The following table describes the labels in this screen. Table 17-6 Bandwidth Management Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is showing.
  • Page 268: Figure 17-11 Bandwidth Manager Monitor

    ZyWALL 5 Internet Security Appliance Figure 17-11 Bandwidth Manager Monitor The following table describes the labels in this screen. Table 17-7 Bandwidth Manager Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
  • Page 269: Chapter 18 Remote Management

    ZyWALL 5 Internet Security Appliance Chapter 18 Remote Management This chapter provides information on the Remote Management screens. 18.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 270: Introduction To Https

    ZyWALL 5 Internet Security Appliance 4. There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time. 5. There is a firewall rule that blocks it.
  • Page 271: Configuring Www

    ZyWALL 5 Internet Security Appliance Figure 18-1 HTTPS Implementation If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 18.3 Configuring WWW To change your ZyWALL’s web settings, click REMOTE MGMT to open the WWW screen.
  • Page 272: Https Example

    ZyWALL 5 Internet Security Appliance The following table describes the labels in this screen. Table 18-1 WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 273: Figure 18-3 Security Alert Dialog Box (Internet Explorer)

    ZyWALL 5 Internet Security Appliance 18.4.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 274: Figure 18-4 Security Certificate 1 (Netscape)

    ZyWALL 5 Internet Security Appliance Figure 18-4 Security Certificate 1 (Netscape) Figure 18-5 Security Certificate 2 (Netscape) 18.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
  • Page 275: Figure 18-6 Login Screen (Internet Explorer)

    The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
  • Page 276: Figure 18-7 Login Screen (Netscape)

    Figure 18-7 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models. Figure 18-8 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
  • Page 277: Figure 18-9 Device-Specific Certificate

    Figure 18-9 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 18-10 Common ZyWALL Certificate
  • Page 278: Ssh Overview

    18.5 SSH Overview Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 279: Configuring Ssh

    18.8 Configuring SSH To change your ZyWALL’s Secure Shell settings, click REMOTE MGMT, then the SSH tab. The screen appears as shown. Figure 18-13 SSH The following table describes the labels in this screen. Table 18-2 SSH...
  • Page 280: Figure 18-14 Ssh Example 1: Store Host Key

    18.9.1 Example 1: Microsoft Windows This section describes how to access the ZyWALL using the Secure Shell Client program. Launch the SSH client and specify the connection information (IP address, port number or device name) for the ZyWALL.
  • Page 281: Secure Ftp Using Ssh Example

    $ ssh -1 192.168.1.1 The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 282: Configuring Telnet

    Figure 18-18 Telnet Configuration on a TCP/IP Network 18.12 Configuring TELNET Click REMOTE MGMT, then the TELNET tab. The screen appears as shown. Figure 18-19 Telnet The following table describes the labels in this screen.
  • Page 283: Configuring Ftp

    18.13 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP; please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.
  • Page 284: Figure 18-21 Snmp Management Model

    SNMP is only available if TCP/IP is configured. Figure 18-21 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 285: Table 18-5 Snmp Traps

    18.14.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Table 18-5 SNMP Traps TRAP # TRAP NAME DESCRIPTION coldStart (defined in RFC-1215) A trap is sent after booting (power on).
  • Page 286: Configuring Dns

    Table 18-6 SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
  • Page 287: Table 18-7 Dns

    The following table describes the labels in this screen. Table 18-7 DNS LABEL DESCRIPTION Server Port The DNS service port number is 53 and cannot be changed here. Service Access Select the interface(s) through which a computer may send DNS queries to the ZyWALL.
  • Page 289: Chapter 19 Upnp

    Chapter 19 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 19.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 290: Configuring Upnp

    Please see later in this User’s Guide for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows. 19.3 Configuring UPnP Click UPnP to display the screen shown next.
  • Page 291: Figure 19-2 Upnp Ports

    Figure 19-2 UPnP Ports The following table describes the labels in this screen. Table 19-2 UPnP Ports LABEL DESCRIPTION Reserve UPnP NAT rules in flash: Select this checkbox to have the ZyWALL retain UPnP created NAT rules even after restarting.
  • Page 292: Installing Upnp In Windows Example

    Table 19-2 UPnP Ports LABEL DESCRIPTION Refresh Click Refresh to update the screen’s table. 19.5 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. 19.5.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me.
  • Page 293: Using Upnp In Windows Xp Example

    The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details. In the Networking Services window, select the Universal Plug and Play check box. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
  • Page 294 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
  • Page 295: Web Configurator Easy Access

    19.6.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • Page 297: Logs

    Logs This part provides information and instructions for the logs and reports.
  • Page 299: Chapter 20 Logs Screens

    Chapter 20 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the appendix for example log message explanations. 20.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 300: Log Description Example

    Table 20-1 View Log LABEL DESCRIPTION Time This field displays the time the log was recorded. See the section on time setting to configure the ZyWALL’s time and date. Message This field states the reason for the log.
  • Page 301: Figure 20-2 Log Settings

    An alert is a type of log that warrants more serious attention. Alerts include system errors, attacks (access control) and attempted access to blocked web sites or web sites with restricted web features such as cookies, ActiveX and so on. Some categories such as System Errors consist of both logs and alerts.
  • Page 302: Configuring Reports

    Table 20-3 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 303: Figure 20-3 Reports

    Web sites visited the most often; number of times the most visited web sites were visited; the most-used protocols or service ports; the amount of traffic for the most used protocols or service ports; the LAN IP addresses to and/or from which the most traffic has been sent...
  • Page 304: Figure 20-4 Web Site Hits Report Example

    Table 20-4 Reports LABEL DESCRIPTION Start Collection/Stop Collection The button text shows Start Collection when the ZyWALL is not recording report data and Stop Collection when the ZyWALL is recording report data. Click Start Collection to have the ZyWALL record report data.
  • Page 305: Figure 20-5 Protocol/Port Report Example

    20.4.2 Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 306: Figure 20-6 Lan Ip Address Report Example

    Figure 20-6 LAN IP Address Report Example The following table describes the labels in this screen. Table 20-7 LAN IP Address Report LABEL DESCRIPTION IP Address This column lists the LAN IP addresses to and/or from which the most traffic has been sent.
  • Page 307: Maintenance

    Maintenance This part covers the maintenance screens.
  • Page 309: Chapter 21 Maintenance

    Chapter 21 Maintenance This chapter displays information on the maintenance screens. 21.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 21.2 General Setup 21.2.1 General Setup and System Name...
  • Page 310: Figure 21-1 General Setup (Router Mode)

    Figure 21-1 General Setup (Router Mode) The following table describes the labels in this screen. Table 21-1 General Setup (Router Mode) LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 311: Figure 21-2 General Setup (Bridge Mode)

    Table 21-1 General Setup (Router Mode) LABEL DESCRIPTION First DNS Server / Second DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
  • Page 312: Configuring Password

    Table 21-2 General Setup (Bridge Mode) LABEL DESCRIPTION First DNS Server If you have the IP address(es) of the DNS server(s), enter the DNS server's IP address(es) in the field(s) to the right. Second DNS...
  • Page 313: Configuring Time And Date

    The ZyWALL can use this pre-defined list of time servers regardless of the Time Protocol you select. When the ZyWALL uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.
  • Page 314: Figure 21-4 Time And Date

    Figure 21-4 Time and Date The following table describes the labels in this screen. Table 21-5 Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the time of your ZyWALL.
  • Page 315: Time Server Synchronization

    Table 21-5 Time and Date LABEL DESCRIPTION New Date (yyyy-mm-dd) This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
  • Page 316: Configuring Device Mode

    Figure 21-5 Synchronization in Process Click the Return button to go back to the Time and Date screen after the time and date is updated successfully. Figure 21-6 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
  • Page 317: Figure 21-8 Device Mode (Router Mode)

    Figure 21-8 Device Mode (Router Mode) The following table describes the labels in this screen. Table 21-6 Device Mode (Router Mode) LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge.
  • Page 318: F/W Upload Screen

    Figure 21-9 Device Mode (Bridge Mode) The following table describes the labels in this screen. Table 21-7 Device Mode (Bridge Mode) LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge.
  • Page 319: Figure 21-10 Firmware Upload

    Click MAINTENANCE, and then the F/W UPLOAD tab. Follow the instructions in this screen to upload firmware to your ZyWALL. Figure 21-10 Firmware Upload The following table describes the labels in this screen. Figure 21-11 Firmware Upload...
  • Page 320: Figure 21-12 Firmware Upload In Process

    Figure 21-12 Firmware Upload In Process The ZyWALL automatically restarts during this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 21-13 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen.
  • Page 321: Configuration Screen

    21.8 Configuration Screen See the Firmware and Configuration File Maintenance chapter for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
  • Page 322: Figure 21-16 Configuration Upload Successful

    Table 21-8 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse... to find it. Browse... Click Browse... to find the file you want to upload. Remember that you must decompress...
  • Page 323: Restart Screen

    Figure 21-18 Configuration Upload Error 21.8.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear.
  • Page 324: Figure 21-20 Restart Screen

    Figure 21-20 Restart Screen
  • Page 325: Smt General Configuration

    SMT General Configuration This part introduces the System Management Terminal and covers the General setup menu, WAN and dial backup setup, LAN and wireless LAN setup, Internet access and DMZ setup. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 327: Chapter 22 Introducing The Smt

    After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2004 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:A0:C5:7A:86:D5 initialize ch =1, ethernet address: 00:A0:C5:7A:86:D6 initialize ch =2, ethernet address: 00:A0:C5:7A:86:D7 initialize ch =3, ethernet address: 00:00:00:00:00:00 AUX port init .
  • Page 328: Navigating The Smt Interface

    Please note that if there is no activity for longer than five minutes after you log in, your ZyWALL will automatically log you out and display a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again.
  • Page 329: Figure 22-3 Main Menu (Router Mode)

    Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ZyWALL 5 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. WAN Setup 22. SNMP Configuration 3. LAN Setup 23. System Password 4.
  • Page 330 Table 22-2 Main Menu Summary Menu Title FUNCTION Remote Node Setup Use this menu to configure detailed remote node settings (your ISP is also a remote node) as well as apply WAN filters. Static Routing Setup Configure IP static routes in this menu.
  • Page 331: Figure 4-1 Lan

    [Figure residue: SMT menu overview boxes, including System Maintenance -- UNIX Syslog, System Diagnostic, Upload System Firmware, Upload Configuration File, Menu 24.5 System Maintenance -- Backup Configuration and Menu 24.6 System Maintenance -- Restore Configuration] Figure 22-5 ZyWALL 5 SMT Menu Overview Example
  • Page 332: Changing The System Password

    22.4 Changing the System Password Change the system password by following the steps shown next. Enter 23 in the main menu to open Menu 23 - System Password as shown next. Menu 23 - System Password...
  • Page 333: Chapter 23 Smt Menu 1 - General Setup

    Chapter 23 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 23.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 23.2 Configuring General Setup Enter 1 in the main menu to open Menu 1: General Setup.
  • Page 334: Figure 23-2 Menu 1: General Setup (Bridge Mode)

    Table 23-1 Menu 1: General Setup (Router Mode) FIELD DESCRIPTION EXAMPLE First System DNS Server (example: From ISP) DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely...
  • Page 335: Figure 23-3 Menu 1.1 Configure Dynamic Dns

    Table 23-2 Menu 1: General Setup (Bridge Mode) FIELD DESCRIPTION EXAMPLE Device Mode Press [SPACE BAR] and then [ENTER] to select Bridge Mode. IP Address Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 336 Table 23-3 Menu 1.1 Configure Dynamic DNS FIELD DESCRIPTION EXAMPLE DDNS Type (example: DynamicDNS (default)) Press [SPACE BAR] and then [ENTER] to select DynamicDNS if you have a dynamic IP address(es). Select StaticDNS if you have a static IP address(es).
  • Page 337: Chapter 24 Wan And Dial Backup Setup

    Chapter 24 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 24.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.
  • Page 338: Dial Backup

    24.3 Dial Backup The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use in the event that...
  • Page 339: Advanced Wan Setup

    Table 24-2 Menu 2: Dial Backup Setup FIELD DESCRIPTION EXAMPLE Init (example: at&fs0=0) Enter the AT command string to initialize the WAN device. Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
  • Page 340: Remote Node Profile (Backup Isp)

    Table 24-3 Advanced WAN Port Setup: AT Commands Fields FIELD DESCRIPTION DEFAULT Drop DTR When Hang Press the [SPACE BAR] to choose either Yes or No. When Yes is selected (the default), the DTR (Data Terminal Ready) signal is dropped after the “AT Command String: Drop”...
  • Page 341: Figure 24-4 Menu 11.1 Remote Node Profile (Backup Isp)

    Menu 11.1 - Remote Node Profile (Backup ISP) Rem Node Name= Edit PPP Options= No Active= No Rem IP Addr= 0.0.0.0 Edit IP= No Outgoing: Edit Script Options= No My Login= ChangeMe My Password= ********...
  • Page 342: Editing Ppp Options

    Table 24-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Edit IP (default) This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3 - Remote Node Network Layer Options.
  • Page 343: Editing Tcp/Ip Options

    This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields. Figure 24-6 Menu 11.2: Remote Node PPP Options FIELD DESCRIPTION EXAMPLE Encapsulation Press [SPACE BAR] and then [ENTER] to select CISCO PPP if your Dial...
  • Page 344: Editing Login Script

    Table 24-6 Menu 11.3: Remote Node Network Layer Options FIELD DESCRIPTION EXAMPLE Network Address (example: None) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address...
  • Page 345: Figure 24-8 Menu 11.4: Remote Node Script

    To handle the first prompt, you specify “ogin: ” as the ‘Expect’ string and “myLogin” as the ‘Send’ string in set 1. The reason for leaving out the leading “L” is to avoid having to know exactly whether it is upper or lower case.
  • Page 346: Remote Node Filter

    Table 24-7 Menu 11.4: Remote Node Script FIELD DESCRIPTION EXAMPLE Set 1-6: Expect Enter an Expect string to match. After matching the Expect string, the ZyWALL returns the string in the Send field. Set 1-6: Enter a string to send out after the Expect string is matched.
  • Page 347: Chapter 25 Lan Setup

    Chapter 25 LAN Setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. 25.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
  • Page 348: Figure 25-3 Menu 3: Tcp/Ip And Dhcp Setup

    Menu 3 - LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup 5. Wireless LAN Setup Enter Menu Selection Number: Figure 25-3 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2 - TCP/IP and DHCP Ethernet Setup...
  • Page 349: Table 25-2 Menu 3.2: Lan Tcp/Ip Setup Fields

    Table 25-1 Menu 3.2: DHCP Ethernet Setup Fields FIELD DESCRIPTION EXAMPLE First DNS Server (example: From ISP) The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients.
  • Page 350: Figure 25-5 Menu 3.2.1: Ip Alias Setup

    Table 25-2 Menu 3.2: LAN TCP/IP Setup Fields FIELD DESCRIPTION EXAMPLE Edit IP Alias The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network.
  • Page 351: Wireless Lan Setup

    Table 25-3 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION EXAMPLE Version (example: RIP-1) Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are RIP-1, RIP-2B or RIP-2M. Incoming Protocol Filters Enter the filter set(s) you wish to apply to the incoming traffic between this node and the ZyWALL.
  • Page 352: Table 25-4 Menu 3.5: Wireless Lan Setup

    Table 25-4 Menu 3.5: Wireless LAN Setup FIELD DESCRIPTION EXAMPLE Enable Wireless LAN (default) Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default. Configure wireless LAN security features such as MAC filters and 802.1X before you turn on the wireless LAN.
  • Page 353: Figure 25-7 Menu 3.5.1: Wlan Mac Address Filter

    The ZyWALL LAN Ethernet and wireless ports can transparently communicate with each other (transparent bridge). 25.5.1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses.
  • Page 354 Table 25-5 Menu 3.5.1: WLAN MAC Address Filter FIELD DESCRIPTION When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
  • Page 355: Chapter 26 Internet Access

    Chapter 26 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 26.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 356: Configuring The Pptp Client

    Table 26-1 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION My Password Type your password again for confirmation. Retype to Confirm Enter your password again to make sure that you have entered it correctly. Login Server The ZyWALL will find the RoadRunner Server IP if this field is left blank.
  • Page 357: Configuring The Pppoe Client

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPTP Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A...
  • Page 358: Basic Setup Complete

    Table 26-3 New Fields in Menu 4 (PPPoE) screen FIELD DESCRIPTION EXAMPLE Encapsulation (example: PPPoE) Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field.
  • Page 359: Chapter 27 Dmz Setup

    Chapter 27 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5: DMZ Setup. 27.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup.
  • Page 360: Figure 27-3 Menu 5: Tcp/Ip Setup

    Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2. TCP/IP Setup Enter Menu Selection Number: Figure 27-3 Menu 5: TCP/IP Setup From menu 5, select the submenu option 2. TCP/IP Setup and press [ENTER]. The screen now displays Menu 5.2: TCP/IP Setup...
  • Page 361: Figure 27-5 Menu 5.2.1: Ip Alias Setup

    Menu 5.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A...
  • Page 363: Smt Advanced Applications

    SMT Advanced Applications This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters and SNMP. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 365: Chapter 28 Remote Node Setup

    Chapter 28 Remote Node Setup This chapter shows you how to configure a remote node. 28.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 366: Figure 28-2 Menu 11.1: Remote Node Profile For Ethernet Encapsulation

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= Ethernet Edit IP= No Service Type= Standard Session Options: Service Name= N/A Edit Filter Sets= No Outgoing: My Login= N/A...
  • Page 367: Figure 28-3 Menu 11.1: Remote Node Profile For Pppoe Encapsulation

    Table 28-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION EXAMPLE Route This field refers to the protocol that will be routed by your ZyWALL – IP is the only option for the ZyWALL.
  • Page 368: Table 28-2 Fields In Menu 11.1 (Pppoe Encapsulation Specific)

    Nailed-Up Connection A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The ZyWALL does two things when you specify a nailed-up connection. The first is that idle timeout is disabled.
  • Page 369: Edit Ip

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name= N/A Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
  • Page 370: Figure 28-5 Menu 11.3: Remote Node Network Layer Options For Ethernet Encapsulation

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 1 Private= N/A RIP Direction= None...
  • Page 371: Remote Node Filter

    Table 28-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Metric Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher priority the route has.
  • Page 372: Figure 28-7 Menu 11.5: Remote Node Filter (Pppoe Or Pptp Encapsulation)

    Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 28-7 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation)
  • Page 373 Table 28-5 Menu 11.6: Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE Check WAN IP Address (example: 0.0.0.0) Enter the IP address of a reliable nearby computer (for example, your ISP’s DNS server address) to test your ZyWALL’s WAN accessibility.
  • Page 375: Chapter 29 Ip Static Route Setup

    Chapter 29 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 29.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
  • Page 376: Figure 29-2 Menu 12.1: Edit Ip Static Route

    Menu 12.1 - Edit IP Static Route Route #: 2 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL: Figure 29-2 Menu 12.
  • Page 377: Chapter 30 Network Address Translation (Nat)

    ZyWALL 5 Internet Security Appliance Chapter 30 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 30.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
  • Page 378: Nat Setup

    ZyWALL 5 Internet Security Appliance Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options. Menu 11.3 - Remote Node Network Layer Options...
  • Page 379: Figure 30-3 Menu 15: Nat Setup

    ZyWALL 5 Internet Security Appliance Menu 15 - NAT Setup 1. Address Mapping Sets 2. Port Forwarding Setup 3. Trigger Port Setup Enter Menu Selection Number: Figure 30-3 Menu 15: NAT Setup Configure DMZ and LAN IP addresses in NAT menus 15.1 and 15.2.
  • Page 380: Figure 30-6 Menu 15.1.1: First Set

    Menu 15.1.255 is read-only. Table 30-2 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Set Name: This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
  • Page 381: Table 30-3 Fields in Menu 15.1.1

    The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules in the order that you specify.
  • Page 382: Configuring a Server Behind NAT

    Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Press ENTER to Confirm or ESC to Cancel: Figure 30-7 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set The following table describes the fields in this menu.
  • Page 383: General NAT Examples

    Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel. Menu 15.2 - NAT Server Setup Rule Start Port No.
  • Page 384: Figure 30-10 NAT Example 1

    Figure 30-10 NAT Example 1 Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)=...
  • Page 385: Figure 30-13 Menu 15.2: Specifying an Inside Server

    Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 192.168.1.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 30-13 Menu 15.2: Specifying an Inside Server...
  • Page 386: Figure 30-14 NAT Example 3

    Figure 30-14 NAT Example 3 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 30-15.
  • Page 387: Figure 30-16 Example 3: Menu 15.1.1.1

    Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 = N/A Global IP: Start= 10.132.50.1 = N/A Press ENTER to Confirm or ESC to Cancel: Figure 30-16 Example 3: Menu 15.1.1.1 Menu 15.1.1 - Address Mapping Rules...
  • Page 388: Figure 30-18 Example 3: Menu 15.2

    Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 1026 1026 RR Reserved Press ENTER to Confirm or ESC to Cancel: Figure 30-18 Example 3: Menu 15.2...
  • Page 389: Trigger Port Forwarding

    Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP: Start= 192.168.1.10 = 192.168.1.12 Global IP: Start= 10.132.50.1 = 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: Figure 30-20 Example 4: Menu 15.1.1.1: Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown...
  • Page 390: Figure 30-22 Menu 15.3: Trigger Port Setup

    that computer’s connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.
  • Page 391 Table 30-5 Menu 15.3: Trigger Port Setup FIELD DESCRIPTION EXAMPLE End Port: Enter a port number or the ending port number in a range of port numbers. Example: 7070. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
  • Page 393: Chapter 31 Introducing the ZyWALL Firewall

    Chapter 31 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 31.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 395: Chapter 32 Filter Configuration

    Chapter 32 Filter Configuration This chapter shows you how to create and apply filters. 32.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
  • Page 396: Configuring a Filter Set

    The following figure illustrates the logic flow when executing a filter rule. See also Figure 32-6 for the logic flow when executing an IP filter. Flowchart: Start → Packet into filter → Fetch First Filter Set → Filter Set...
  • Page 397: Figure 32-3 Menu 21: Filter and Firewall Setup

    Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall Setup Enter Menu Selection Number: Figure 32-3 Menu 21: Filter and Firewall Setup Enter 1 to bring up the following menu. Menu 21.1 - Filter Set Configuration...
  • Page 398: Table 32-2 Rule Abbreviations Used

    Table 32-1 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Action Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.
  • Page 399: Figure 32-5 Menu 21.1.1.1: TCP/IP Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1...
  • Page 400 Table 32-3 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION OPTIONS Port #: Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. Options: 0-65535
  • Page 401: Figure 32-6 Executing an IP Filter

    Flowchart (Figure 32-6, Executing an IP Filter): Packet into IP Filter → Filter Active? → Apply SrcAddrMask to Src Addr → Check Src IP Addr (Matched / Not Matched) → Apply DestAddrMask to Dest Addr → Check Dest IP Addr (Matched / Not Matched) → Check IP Protocol (Matched / Not Matched) → Check Src &...
  • Page 402: Figure 32-7 Menu 21.1.4.1: Generic Filter Rule

    To configure a generic rule, select Generic Filter Rule in the Filter Type field in menu 21.1.4.1 and press [ENTER] to open Generic Filter Rule, as shown below. Menu 21.1.4.1 - Generic Filter Rule Filter #: 4,1...
  • Page 403: Example Filter

    Table 32-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Action Not Matched: Select the action for a packet not matching the rule. Options: Check Next Rule, Forward, Drop. Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message “Press ENTER to Confirm”...
  • Page 404: Figure 32-9 Example Filter: Menu 21.1.3.1

    Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes. Figure callouts: Press [SPACE BAR] and then [ENTER] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set. Select Yes to make the rule active.
  • Page 405: Filter Types and NAT

    This brings you to menu 11.5. Apply a filter set (our example filter set 3) as shown in Figure 32-14. Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.5.
  • Page 406: Figure 32-12 Filtering LAN Traffic

    Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 32-12 Filtering LAN Traffic 32.6.2 Applying DMZ Filters DMZ traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • Page 407: Chapter 33 SNMP Configuration

    Chapter 33 SNMP Configuration This chapter explains SNMP configuration menu 22. 33.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
  • Page 408: Table 33-2 SNMP Traps

    Table 33-2 SNMP Traps TRAP # TRAP NAME DESCRIPTION coldStart (defined in RFC-1215): A trap is sent after booting (power on). warmStart (defined in RFC-1215): A trap is sent after booting (software reboot). authenticationFailure (defined in...
  • Page 409: SMT System Maintenance

    SMT System Maintenance This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 411: Chapter 34 System Information & Diagnosis

    Chapter 34 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 34.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 412: System Information and Console Port Speed

    Menu 24.1 - System Maintenance - Status 07:10:06 Fri. Apr. 02, 2004 Port Status TxPkts RxPkts Cols Tx B/s Rx B/s Up Time Down 0:00:00 100M/Full 1:26:00 WLAN Down 0:00:00 100M/Full 1:26:00 Port Ethernet Address...
  • Page 413: Figure 34-3 Menu 24.2: System Information and Console Port Speed

    Enter 2 to open Menu 24.2 - System Information and Console Port Speed. From this menu you have two choices as shown in the next figure: Menu 24.2 - System Information and Console Port Speed 1.
  • Page 414: Log and Trace

    34.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown next.
  • Page 415: Figure 34-7 Examples of Error and Information Messages

    50 Fri Apr 2 05:43:59 2004 PP05 ERROR Wireless LAN init fail, code=15 51 Fri Apr 2 05:43:59 2004 PINI INFO Channel 0 ok 52 Fri Apr 2 05:44:01 2004 PP05 -WARN SNMP TRAP 3: interface 1: link up...
  • Page 416 CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN...
  • Page 417 PPP log PPP Log Message Format SdcmdSyslogSend( SYSLOG_PPPLOG, SYSLOG_NOTICE, String ); String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing / ppp:Proto Shutdown Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP / IPXCP Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing...
  • Page 418: Diagnostic

    IP Frame: ENET0-RECV Size: Time: 17:02:44.262 Frame Type: IP Header: IP Version Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44) Identification = 0x0002 (2) Flags = 0x00 Fragment Offset...
  • Page 419: Figure 34-10 Menu 24.4: System Maintenance: Diagnostic

    Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1. Ping Host 2. WAN DHCP Release 3. WAN DHCP Renewal 4. Internet Setup Test System 11. Reboot System Enter Menu Selection Number: Figure 34-10 Menu 24.4: System Maintenance: Diagnostic 34.5.1 WAN DHCP...
  • Page 420 Table 34-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Reboot System: Enter 11 to reboot the ZyWALL. Host IP Address: If you entered 1 in Ping Host, then enter the IP address of the computer you want to ping in this field.
  • Page 421: Chapter 35 Firmware and Configuration File Maintenance

    Chapter 35 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 35.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware.
  • Page 422: Backup Configuration

    Table 35-1 Filename Conventions FILE TYPE INTERNAL NAME EXTERNAL NAME DESCRIPTION Configuration File: Rom-0 / *.rom. This is the configuration filename on the ZyWALL. Uploading the rom-0 file replaces the entire ROM file system, including your ZyWALL configurations, system-related data (including the default password), the error log and the trace log.
  • Page 423: Figure 35-2 FTP Session Example

    35.3.2 Using the FTP Command from the Command Line Launch the FTP client on your computer. Enter “open”, followed by a space and the IP address of your ZyWALL. Press [ENTER] when prompted for a username.
  • Page 424: File Maintenance Over WAN

    35.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN).
  • Page 425: Figure 35-3 System Maintenance: Backup Configuration

    Table 35-3 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host: Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped. Send/Fetch: Use “Send” to upload the file to the ZyWALL and “Fetch” to back up the file on your computer.
  • Page 426: Restore Configuration

    After a successful backup you will see the following screen. Press any key to return to the SMT menu. ** Backup Configuration completed. OK. ### Hit any key to continue.### Figure 35-6 Successful Backup Confirmation Screen 35.4 Restore Configuration...
  • Page 427: Figure 35-8 Restore Using FTP Session Example

    Press [ENTER] when prompted for a username. Enter your password as requested (the default is “1234”). Enter “bin” to set transfer mode to binary. Find the “rom” file (on your computer) that you want to restore to your ZyWALL.
  • Page 428: Uploading Firmware and Configuration Files

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 35-11 Restore Configuration Example After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 429: Figure 35-13 Telnet into Menu 24.7.1: Upload System Firmware

    Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  • Page 430: Figure 35-15 FTP Session Example of Firmware File Upload

    Use “put” to transfer files from the computer to the ZyWALL, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the ZyWALL and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer (config.rom) to the ZyWALL and renames it “rom-0”.
  • Page 431: Figure 35-16 Menu 24.7.1 as Seen Using the Console Port

    35.5.6 TFTP Upload Command Example The following is an example TFTP command: tftp [-i] host put firmware.bin ras Where “-i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL’s IP address, “put” transfers the file source on the computer (firmware.bin – name of the firmware on the computer) to the file destination on the remote host (ras – name of the firmware on the ZyWALL).
  • Page 432: Figure 35-17 Example Xmodem Upload

    Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. Figure 35-17 Example Xmodem Upload After the firmware upload process has completed, the ZyWALL will automatically restart.
  • Page 433: Figure 35-19 Example Xmodem Upload

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 35-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
  • Page 435: Chapter 36 System Maintenance Menus 8 to 10

    Chapter 36 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 36.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 436: Call Control Support

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Copyright (c) 1994 - 2004 ZyXEL Communications Corp. Zy5> ?
  • Page 437: Figure 36-3 Call Control

    Menu 24.9 - System Maintenance - Call Control 1. Budget Management 2. Call History Enter Menu Selection Number: Figure 36-3 Call Control 36.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 438: Time and Date Setting

    36.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 439: Figure 36-6 Menu 24: System Maintenance

    Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup...
  • Page 440: Table 36-4 Menu 24.10 System Maintenance: Time and Date Setting

    Table 36-4 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol: Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 441: Remote Management

    Chapter 37 Remote Management This chapter covers remote management found in SMT menu 24.11. 37.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 442: Table 37-1 Menu 24.11 - Remote Management Control

    Table 37-1 Menu 24.11 – Remote Management Control FIELD DESCRIPTION EXAMPLE Telnet Server, FTP Server, SSH Server, HTTPS Server...: Each of these read-only labels denotes a service that you may use to remotely manage the ZyWALL.
  • Page 443: SMT Advanced Management

    SMT Advanced Management This part provides information on how to configure call scheduling, and VPN/IPSec. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 445: Chapter 38 Call Scheduling

    Chapter 38 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 38.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 446: Figure 38-2 Schedule Set Setup

    Menu 26.1 - Schedule Set Setup Active= Yes Start Date(yyyy/mm/dd) = 2000 – 01 - 01 How Often= Once Once: Date(yyyy/mm/dd)= 2000 – 01 - 01 Weekdays: Sunday= N/A Monday= N/A Tuesday= N/A Wednesday= N/A...
  • Page 447: Figure 38-3 Applying Schedule Set(s) to a Remote Node (PPPoE)

    Table 38-1 Schedule Set Setup FIELD DESCRIPTION OPTIONS Action: Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Forced Duration field. Options: Forced On
  • Page 448: Figure 38-4 Applying Schedule Set(s) to a Remote Node (PPTP)

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= 1,2,3,4...
  • Page 449: Chapter 39 VPN/IPSec Setup

    Chapter 39 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 39.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
  • Page 450: IPSec Summary Screen

    39.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 - IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus.
  • Page 451 Table 39-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE IPSec Algorithm: This field displays the security protocols used for an SA. ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets. Example: ESP AES MD5
  • Page 452: IPSec Setup

    Table 39-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands. Example: None
  • Page 453: Table 39-2 Menu 27.1.1: IPSec Setup

    Table 39-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Index: This is the VPN rule index number you selected in the previous menu. Name: Enter a unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed in Menu 27.1 - IPSec... Example: Taiwan
  • Page 454 Table 39-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Peer ID type: Press [SPACE BAR] to choose IP, DNS, or E-mail and press [ENTER]. Select IP to identify the remote IPSec router by its IP address.
  • Page 455 Table 39-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both.
  • Page 456: IKE Setup

    Table 39-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE IP Addr Start: When the Addr Type field is configured to Single, enter a static IP address on the network behind the remote IPSec router. Example: 4.4.4.4
  • Page 457: Figure 39-5 Menu 27.1.1.1: IKE Setup

    Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main Authentication Method= PreShare Key PSK= qwer1234 Certificate= N/A Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 300 Key Group= DH1 Phase 2 Active Protocol= ESP...
  • Page 458 Table 39-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE Encryption Algorithm: The ZyWALL and the remote IPSec router generate an encryption key from the Diffie-Hellman key exchange. ZyWALL DES encryption algorithm uses a 56-bit key.
  • Page 459: Manual Setup

    39.5 Manual Setup You only configure Menu 27.1.1.2 – Manual Setup when you select Manual in the Key Management field in Menu 27.1.1 – IPSec Setup. Manual key management is useful if you have problems with IKE key management.
  • Page 460 Table 39-5 Menu 27.1.1.2: Manual Setup FIELD DESCRIPTION EXAMPLE Key1: Enter a unique eight-character key. Any character may be used, including spaces, but trailing spaces are truncated. Fill in the Key1 field when you choose DES and fill in fields Key1 to Key3 when you choose 3DES. Example: 89abcde
  • Page 461: Chapter 40 SA Monitor

    Chapter 40 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 40.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 462 Table 40-1 Menu 27.2: SA Monitor FIELD DESCRIPTION EXAMPLE Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. Example: Taiwan
  • Page 463: Troubleshooting and Hardware Appendices

    Troubleshooting and Hardware Appendices This part provides information about troubleshooting and hardware specifications.
  • Page 465: Appendix A Troubleshooting

    Appendix A Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
  • Page 466: Problems with the WAN Interface

    Problems with the DMZ Interface Chart A-3 Troubleshooting the DMZ Interface PROBLEM CORRECTIVE ACTION Cannot access servers on the DMZ: Check your Ethernet cable type and connections. Refer to the Quick Start Guide or Compact Guide for DMZ connection instructions.
  • Page 467: Problems With The Password

    ZyWALL 5 Internet Security Appliance Problems with the Password Chart A-6 Troubleshooting the Password PROBLEM CORRECTIVE ACTION Cannot access The password field is case sensitive. Make sure that you enter the correct password using the ZyWALL. the proper casing. Use the Reset button to restore the factory default configuration file. This will restore all of the factory defaults including the password.
  • Page 469: Appendix B Hardware Specifications

    ZyWALL 5 Internet Security Appliance Appendix B Hardware Specifications Chart B-1 General Specifications Power Specification 100-240 VAC, 50/60Hz Power Consumption 16 Watts maximum Power Current 1.9 Amps Fuse Rating 0.5 Amps, 250 VAC MTBF 100000 hrs (Mean Time Between Failures) Operation Temperature 0º...
  • Page 470 ZyWALL 5 Internet Security Appliance Chart B-2 Console/Dial Backup Port Pin Assignments CONSOLE Port RS – 232 (Female) DB-9F DIAL BACKUP RS – 232 (Male) DB-9M (Not on all models) Pin 7 = DCE –CTS Pin 7 = DTE-RTS Pin 8 = DCE –RTS...
  • Page 471: General Appendices

    General Appendices General Appendices This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, EAP authentication, PPPoE, PPTP and IP subnetting.
  • Page 473: Appendix C Setting Up Your Computer's Ip Address

    ZyWALL 5 Internet Security Appliance Appendix C Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 474 ZyWALL 5 Internet Security Appliance Select TCP/IP from the list of network protocols and then click OK. If you need Client for Microsoft Networks: Click Add. Select Client and then click Add. Select Microsoft from the list of manufacturers. Select Client for Microsoft Networks from the list of network clients and then click OK.
  • Page 475 ZyWALL 5 Internet Security Appliance Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window.
  • Page 476 ZyWALL 5 Internet Security Appliance Windows 2000/NT/XP For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Right-click Local Area Connection and Connections. For Windows 2000/NT, click then click Properties.
  • Page 477 ZyWALL 5 Internet Security Appliance Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically.
  • Page 478 ZyWALL 5 Internet Security Appliance -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 479 ZyWALL 5 Internet Security Appliance Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 480 ZyWALL 5 Internet Security Appliance Check your TCP/IP properties in the TCP/IP Control Panel window. Macintosh OS X Click the Apple menu, and click System Preferences to open the System Preferences window. Click Network in the icon bar. - Select Automatic from the Location list.
  • Page 481: Appendix D Triangle Route

    ZyWALL 5 Internet Security Appliance Appendix D Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
  • Page 482 ZyWALL 5 Internet Security Appliance The “Triangle Route” Solutions This section presents two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces, with the ZyWALL being the gateway for each logical network.
  • Page 483 ZyWALL 5 Internet Security Appliance How To Configure Triangle Route: From the SMT main menu, enter 24. Enter “8” in menu 24 to enter CI command mode. Use the following commands to allow/disallow triangle route. sys firewall ignore triangle all off: This command allows triangle route.
  • Page 485 ZyWALL 5 Internet Security Appliance Appendix E Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection.
  • Page 486 ZyWALL 5 Internet Security Appliance Diagram E-1 Peer-to-Peer Communication in an Ad-hoc Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
  • Page 487: Appendix F Wireless LAN With IEEE 802.1x

    ZyWALL 5 Internet Security Appliance Appendix F Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
  • Page 488 ZyWALL 5 Internet Security Appliance Diagram F-1 Sequences for EAP MD5-Challenge Authentication (figure; the sequence ends with either “Client computer access authorized” or “Client computer access not authorized”).
  • Page 489: Appendix G Types Of EAP Authentication

    ZyWALL 5 Internet Security Appliance Appendix G Types of EAP Authentication This appendix discusses the five popular EAP authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server. Consult your network administrator for more information.
  • Page 490 ZyWALL 5 Internet Security Appliance deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of five authentication types. Comparison of EAP Authentication Types EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP Mutual Authentication Certificate –...
  • Page 491: Appendix H PPPoE

    ZyWALL 5 Internet Security Appliance Appendix H PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure).
  • Page 492 ZyWALL 5 Internet Security Appliance ZyWALL as a PPPoE Client When using the ZyWALL as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual PCs.
  • Page 493: Appendix I PPTP

    ZyWALL 5 Internet Security Appliance Appendix I PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband...
  • Page 494 ZyWALL 5 Internet Security Appliance Diagram I-2 PPTP Protocol Overview Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the PC, and hence the ZyWALL, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server.
  • Page 495: Appendix J IP Subnetting

    ZyWALL 5 Internet Security Appliance Appendix J IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 496 ZyWALL 5 Internet Security Appliance Chart J-2 Allowed IP Address Range By Class (columns: CLASS, ALLOWED RANGE OF FIRST OCTET (BINARY), ALLOWED RANGE OF FIRST OCTET (DECIMAL)). Class A: 00000000 to 01111111 (0 to 127). Class B: 10000000 to 10111111 (128 to 191)...
  • Page 497 ZyWALL 5 Internet Security Appliance Chart J-4 Alternative Subnet Mask Notation (columns: SUBNET MASK IP ADDRESS, SUBNET MASK “1” BITS, LAST OCTET BIT VALUE). 255.255.255.248: last octet bit value 1111 1000. 255.255.255.252: last octet bit value 1111 1100. The first mask shown is the class “C” natural mask. Normally, if no mask is specified, it is understood that the natural mask is being used.
  • Page 498 ZyWALL 5 Internet Security Appliance Chart J-6 Subnet 2 (columns: NETWORK NUMBER, LAST OCTET BIT VALUE). IP Address: 192.168.1. IP Address (Binary): 11000000.10101000.00000001. | 10000000. Subnet Mask: 255.255.255. Subnet Mask (Binary): 11111111.11111111.11111111. | 10000000. Subnet Address: 192.168.1.128. Lowest Host ID: 192.168.1.129. Broadcast Address: 192.168.1.255. Highest Host ID: 192.168.1.254...
  • Page 499 ZyWALL 5 Internet Security Appliance Chart J-9 Subnet 3 (columns: NETWORK NUMBER, LAST OCTET BIT VALUE). IP Address: 192.168.1. IP Address (Binary): 11000000.10101000.00000001. | 10000000. Subnet Mask (Binary): 11111111.11111111.11111111. | 11000000. Subnet Address: 192.168.1.128. Lowest Host ID: 192.168.1.129. Broadcast Address: 192.168.1.191. Highest Host ID: 192.168.1.190...
  • Page 500 ZyWALL 5 Internet Security Appliance The following table is a summary for class “C” subnet planning. Chart J-12 Class C Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28)
  • Page 501: Commands, Logs, Certificates Appendices And Index

    Commands, Logs, Certificates Appendices and Index This part provides information on the command interpreter interface, firewall, NetBIOS and certificate commands, logs, password protection, as well as importing certificates. There is also an index of key terms.
  • Page 503: Appendix K Command Interpreter

    ZyWALL 5 Internet Security Appliance Appendix K Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
  • Page 505: Appendix L Firewall Commands

    ZyWALL 5 Internet Security Appliance Appendix L Firewall Commands The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart L-1 Firewall Commands (columns: FUNCTION, COMMAND, DESCRIPTION). config edit firewall active: This command turns the firewall on or off.
  • Page 506 ZyWALL 5 Internet Security Appliance Chart L-1 Firewall Commands (continued). config edit firewall e-mail mail-server <ip address of mail server>: This command sets the IP address to which the e-mail messages are sent. config edit firewall e-mail return-addr <e-mail address>: This command sets the source e-mail address of...
  • Page 507 ZyWALL 5 Internet Security Appliance Chart L-1 Firewall Commands (continued). config edit firewall attack minute-low <0-255>: This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions. config edit firewall attack max-incomplete-high <0-255>: This command sets the threshold of half-open...
  • Page 508 ZyWALL 5 Internet Security Appliance Chart L-1 Firewall Commands (continued). config edit firewall set <set #> log <yes | no>: This command sets whether or not the ZyWALL creates logs for packets that match the firewall’s default rule set.
  • Page 509 ZyWALL 5 Internet Security Appliance Chart L-1 Firewall Commands (continued). config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> <subnet mask>: This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet mask).
  • Page 511: Appendix M NetBIOS Filter Commands

    ZyWALL 5 Internet Security Appliance Appendix M NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 512 ZyWALL 5 Internet Security Appliance Chart M-1 NetBIOS Filter Default Settings (columns: NAME, DESCRIPTION, EXAMPLE). Trigger dial: This field displays whether NetBIOS packets are allowed to initiate calls. Example: Disabled. Disabled means that NetBIOS packets are blocked from initiating calls. NetBIOS Filter Configuration Syntax: sys filter netbios config <type>...
  • Page 513: Appendix N Certificates Commands

    ZyWALL 5 Internet Security Appliance Appendix N Certificates Commands The following describes the certificate commands. See the Command Interpreter appendix for information on the command structure. All of these commands start with certificates. Chart N-1 Certificates Commands COMMAND DESCRIPTION my_cert...
  • Page 514 ZyWALL 5 Internet Security Appliance Chart N-1 Certificates Commands COMMAND DESCRIPTION import [name] Import the PEM-encoded certificate from stdin. [name] specifies the descriptive name (optional) as which the imported certificate is to be saved. For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on ZyWALL.
  • Page 515 ZyWALL 5 Internet Security Appliance Chart N-1 Certificates Commands (continued). rename <old name> <new name>: Rename the specified trusted CA certificate. <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name as which the certificate is to be saved.
  • Page 516 ZyWALL 5 Internet Security Appliance Chart N-1 Certificates Commands (continued). rename <old name> <new name>: Rename the specified directory service. <old name> specifies the name of the directory server to be renamed. <new name> specifies the new name as which the directory server is to be saved.
  • Page 517: Appendix O Boot Commands

    ZyWALL 5 Internet Security Appliance Appendix O Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following ATUR screen.
  • Page 518 ZyWALL 5 Internet Security Appliance just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show current time...
  • Page 519: Appendix P Log Descriptions

    ZyWALL 5 Internet Security Appliance Appendix P Log Descriptions Chart P-1 System Maintenance Logs (columns: LOG MESSAGE, DESCRIPTION). Time calibration is successful: The router has adjusted its time based on information from the time server. Time calibration failed: The router failed to get information from the time server.
  • Page 520 ZyWALL 5 Internet Security Appliance Chart P-1 System Maintenance Logs (continued). Successful SSH login: Someone has logged on to the router’s SSH server. SSH login failed: Someone has failed to log on to the router’s SSH server. Successful HTTPS login: Someone has logged on to the router's web configurator interface using HTTPS protocol.
  • Page 521 ZyWALL 5 Internet Security Appliance Chart P-4 TCP Reset Logs (columns: LOG MESSAGE, DESCRIPTION). Exceed TCP MAX incomplete, sent TCP RST: The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (The TCP incomplete count is per destination host.) Note: Refer to TCP Maximum Incomplete in...
  • Page 522 ZyWALL 5 Internet Security Appliance Chart P-6 ICMP Logs (columns: LOG MESSAGE, DESCRIPTION). Unsupported/out-of-order ICMP: ICMP: The firewall does not support this kind of ICMP packet or the ICMP packets are out of order. Router reply ICMP packet: ICMP: The router sent an ICMP reply packet to the sender.
  • Page 523 ZyWALL 5 Internet Security Appliance Chart P-10 Content Filtering Logs (columns: LOG MESSAGE, DESCRIPTION). %s: Keyword blocking: The content of a requested web page matched a user defined keyword. %s: Not in trusted web list: The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
  • Page 524 ZyWALL 5 Internet Security Appliance Chart P-11 Attack Logs (columns: LOG MESSAGE, DESCRIPTION). ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall detected an IP spoofing attack on the WAN port. ip spoofing - WAN ICMP (type:%d, ...): The firewall detected an ICMP IP spoofing attack on the WAN port.
  • Page 525 ZyWALL 5 Internet Security Appliance Chart P-13 IKE Logs (columns: LOG MESSAGE, DESCRIPTION). Active connection allowed exceeded: The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached. Start Phase 2: Quick Mode: Phase 2 Quick Mode has started.
  • Page 526 ZyWALL 5 Internet Security Appliance Chart P-13 IKE Logs (continued). Phase 1 ID type mismatch: This router’s "Peer ID Type" is different from the peer IPSec router's "Local ID Type". Phase 1 ID content mismatch: This router’s "Peer ID Content" is different from the peer IPSec router's "Local ID Content".
  • Page 527 ZyWALL 5 Internet Security Appliance Chart P-13 IKE Logs (continued). Rule [%d] Phase 2 encapsulation mismatch: The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer. Rule [%d]> Phase 2 pfs mismatch: The listed rule’s IKE phase 2 perfect forward secrecy (pfs) setting did not match between the router and the peer.
  • Page 528 ZyWALL 5 Internet Security Appliance Chart P-14 PKI Logs (columns: LOG MESSAGE, DESCRIPTION). Failed to resolve <CMP CA server url>: The CMP online certificate enrollment failed because the certification authority server’s IP address cannot be resolved. Rcvd ca cert: <subject name>: The router received a certification authority certificate, with subject name as...
  • Page 529 ZyWALL 5 Internet Security Appliance Chart P-15 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION Certificate was not found (anywhere). Certificate chain looped (did not find trusted root). Certificate contains critical extension that was not handled. Certificate issuer was not valid (CA specific information missing).
  • Page 530 ZyWALL 5 Internet Security Appliance Chart P-16 802.1X Logs (columns: LOG MESSAGE, DESCRIPTION). User logout because of no authentication response from user.: The router logged out a user from which there was no authentication response. User logout because of idle ...: The router logged out a user whose idle timeout period expired.
  • Page 531 ZyWALL 5 Internet Security Appliance Chart P-18 ICMP Notes TYPE CODE DESCRIPTION Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
  • Page 532 ZyWALL 5 Internet Security Appliance Chart P-19 Syslog Logs (columns: LOG MESSAGE, DESCRIPTION). <Facility*8 + Severity>Mon dd hr:mm:ss hostname ...: This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog.
  • Page 533 ZyWALL 5 Internet Security Appliance Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ras> ? Valid commands are: exit ether ipsec bridge certificates 8021x radius ras> Diagram P-1 Displaying Log Categories Example Use sys logs category followed by a log category to display the parameters that are available for the category.
  • Page 534 ZyWALL 5 Internet Security Appliance .time source destination notes message 0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 |ACCESS BLOCK Firewall default policy: IGMP (W to W/ZW) 1|06/08/2004 05:58:20 |172.21.3.56 |239.255.255.250 |ACCESS BLOCK Firewall default policy: IGMP (W to W/ZW) 2|06/08/2004 05:58:20 |172.21.0.2 |239.255.255.254...
  • Page 535: Appendix Q Brute-Force Password Guessing Protection

    ZyWALL 5 Internet Security Appliance Appendix Q Brute-Force Password Guessing Protection The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.
  • Page 537: Appendix R Importing Certificates

    ZyWALL 5 Internet Security Appliance Appendix R Importing Certificates This appendix shows examples of importing certificates using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
  • Page 538 ZyWALL 5 Internet Security Appliance Diagram R-2 Login Screen. Click Install Certificate to open the Install Certificate wizard. Diagram R-3 Certificate General Information before Import.
  • Page 539 ZyWALL 5 Internet Security Appliance Click Next to begin the Install Certificate wizard. Diagram R-4 Certificate Import Wizard 1 Select where you would like to store the certificate and then click Next. Diagram R-5 Certificate Import Wizard 2 Click Finish to complete the Import Certificate wizard.
  • Page 540 ZyWALL 5 Internet Security Appliance Diagram R-6 Certificate Import Wizard 3. Click Yes to add the ZyWALL certificate to the root store. Diagram R-7 Root Certificate Store.
  • Page 541: Enrolling And Importing SSL Client Certificates

    ZyWALL 5 Internet Security Appliance Diagram R-8 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the part on certificates for details).
  • Page 542 ZyWALL 5 Internet Security Appliance Diagram R-9 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 543 ZyWALL 5 Internet Security Appliance Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. Click Next to begin the wizard.
  • Page 544 ZyWALL 5 Internet Security Appliance Diagram R-13 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Diagram R-14 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process.
  • Page 545: Using A Certificate When Accessing The ZyWALL Example

    ZyWALL 5 Internet Security Appliance Diagram R-15 Personal Certificate Import Wizard 5 You should see the following screen when the certificate is correctly installed on your computer. Diagram R-16 Personal Certificate Import Wizard 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS.
  • Page 546 ZyWALL 5 Internet Security Appliance Diagram R-18 SSL Client Authentication. You next see the ZyWALL login screen. Diagram R-19 ZyWALL Secure Login Screen.
  • Page 547: Appendix S Index

    ZyWALL 5 Internet Security Appliance Appendix S Index BSS .........See Basic Service Set Budget Management ........36-3 BW Budget..........17-9 10/100 Mbps Ethernet WAN ....... 1-2 CA ...............G-1 Access Point..........25-6 Cable Modem........9-2, A-2 Action for Matched Packets..... 10-10 Call Back Delay .........24-4 Active........
  • Page 548 ZyWALL 5 Internet Security Appliance Copyright ............ii Dynamic Secure Gateway Address ... 3-10 Custom Ports DYNDNS Wildcard ........7-18 Creating/Editing........10-11 Customer Support .......... vi e.g....... See Syntax Conventions EAP ............. 6-3 DDNS EAP Authentication......XVI, G-1 Configuration .........23-3 MD5 ............G-1 DDNS Type ..........23-4...
  • Page 549 ZyWALL 5 Internet Security Appliance Structure..........32-1 Filters Half-Open Sessions........10-19 Executing a Filter Rule ......32-2 Hidden Menus ..........22-2 IP Filter Logic Flow....... 32-6 Host ..........21-4, 23-4 Finger............15-5 Host IDs ............J-1 Firewall ............1-3 How SSH works........18-10 Access Methods ........
  • Page 550 ZyWALL 5 Internet Security Appliance IP Multicast..........1-4 Many to Many Overload ....See NAT Internet Group Management Protocol Many to One........See NAT (IGMP)..........1-4 Max Age............5-2 IP Pool..........4-4, 25-2 Maximize Bandwidth Usage .... 17-3, 17-7 IP Pool Setup..........4-1 Maximum Incomplete High ....
  • Page 551 ZyWALL 5 Internet Security Appliance Notice............. iii Incoming ..........25-5 Outgoing ..........25-5 Protocol/Port ........20-5, 20-7 Public Servers ..........8-1 Offline............23-4 One Minute High ........10-20 One Minute Low........10-20 One to One..........See NAT Quick Start Guide.........2-1 One-Minute High........10-19 Online Registration......... v Operation Temperature .......
  • Page 552 ZyWALL 5 Internet Security Appliance Checklist ..........10-2 STP....... See Spanning Tree Protocol Creating Custom ........10-1 STP (Spanning Tree Protocol) ....1-2 Key Fields ..........10-3 STP Path Costs ..........5-2 LAN to WAN.........10-3 STP Port States..........5-2 Logic ............10-2 STP Terminology ........5-2 Predefined Services......10-15...
  • Page 553 ZyWALL 5 Internet Security Appliance Three-Way Handshake ........ 9-4 VPN..............7-8 Threshold Values ........10-19 VPN Application..........1-6 Time and Date..........1-2 VPN Status..........2-12 Time and Date Setting .... 36-4, 36-5, 36-6 VT100 ............22-1 Time Zone.........21-5, 36-6 Timeout......24-6, 26-3, 26-4, 28-4 TLS .............