ZyXEL Communications ZyWall 35 User Manual

ZyWALL 35
Internet Security Appliance
User's Guide
Version 3.63
November 2004

Summary of Contents for ZyXEL Communications ZyWall 35

  • Page 3: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 4: Federal Communications Commission (Fcc) Interference Statement

    ZyWALL 35 User’s Guide Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 5: Zyxel Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During...
  • Page 6: Customer Support

    Customer Support Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 7: Table Of Contents

    Customer Support (4); Preface (45); Chapter 1 Getting to Know Your ZyWALL (47); 1.1 ZyWALL 35 Internet Security Appliance Overview (47); 1.2 ZyWALL Features (47); 1.2.1 Physical Features (48); 1.2.1.1 Auto-negotiating 10/100 Mbps Ethernet LAN (48); 1.2.1.2 Auto-crossover 10/100 Mbps Ethernet LAN (48); 1.2.1.3 Auto-negotiating 10/100 Mbps Ethernet DMZ (48) ...
  • Page 8 1.2.2.10 HTTPS (50); 1.2.2.11 Firewall (50); 1.2.2.12 Content Filtering (51); 1.2.2.13 Universal Plug and Play (UPnP) (51); 1.2.2.14 RADIUS (RFC2138, 2139) (51); 1.2.2.15 IEEE 802.1x for Network Security (51); 1.2.2.16 Wi-Fi Protected Access (51); 1.2.2.17 Wireless LAN MAC Address Filtering (51); 1.2.2.18 WEP Encryption (51) ...
  • Page 9 2.4.4 System Statistics (68); 2.4.4.1 Show Statistics: Line Chart (69); 2.4.5 DHCP Table Screen (70); 2.4.6 VPN Status (71); Chapter 3 Wizard Setup (73); 3.1 Wizard Setup Overview (73); 3.2 Internet Access (73); 3.2.1 ISP Parameters (73); 3.2.1.1 Ethernet (73) ...
  • Page 10 4.2 DHCP Setup (97); 4.2.1 IP Pool Setup (97); 4.2.2 DNS Servers (97); 4.3 LAN TCP/IP (98); 4.3.1 Factory LAN Defaults (98); 4.3.2 IP Address and Subnet Mask (98); 4.3.3 RIP Setup (98); 4.3.4 Multicast (99); 4.4 Configuring LAN (99) ...
  • Page 11 6.11 Wireless Client WPA Supplicants (120); 6.12 Inserting a PCMCIA/CardBus Wireless LAN Card (120); 6.13 Configuring Wireless LAN (121); 6.13.1 Static WEP (122); 6.13.2 WPA-PSK (123); 6.13.3 WPA (125); 6.13.4 802.1x + Dynamic WEP (126); 6.13.5 802.1x + Static WEP (127); 6.13.6 802.1x + No WEP (129) ...
  • Page 12 7.11 Configuring Dial Backup (158); 7.12 Advanced Modem Setup (162); 7.12.1 AT Command Strings (162); 7.12.2 DTR Signal (162); 7.12.3 Response Strings (162); 7.13 Configuring Advanced Modem Setup (162); Chapter 8 DMZ Screens (165); 8.1 DMZ Overview (165); 8.2 Configuring DMZ (165) ...
  • Page 13 Chapter 10 Firewall Screens (185); 10.1 Access Methods (185); 10.2 Firewall Policies Overview (185); 10.3 Rule Logic Overview (186); 10.3.1 Rule Checklist (186); 10.3.2 Security Ramifications (187); 10.3.3 Key Fields For Configuring Rules (187); 10.3.3.1 Action (187); 10.3.3.2 Service (187) ...
  • Page 14 Chapter 12 Content Filtering Registration and Reports (221); 12.1 Introduction to myZyXEL.com (221); 12.1.1 A Note on myZyXEL.com Numbers (222); 12.2 myZyXEL.com Account Registration (222); 12.3 Registering Your ZyXEL Device (224); 12.4 Content Filtering Registration (227); 12.5 Checking Content Filtering Activation (229) ...
  • Page 15 14.5 Summary Screen (241); 14.6 Keep Alive (243); 14.7 NAT Traversal (243); 14.7.1 NAT Traversal Configuration (244); 14.7.2 X-Auth (Extended Authentication) (244); 14.7.3 Remote DNS Server (244); 14.8 ID Type and Content (245); 14.8.1 ID Type and Content Examples (246); 14.9 Pre-Shared Key (247) ...
  • Page 16 15.14 Importing a Trusted Remote Host’s Certificate (286); 15.15 Trusted Remote Host Certificate Details (287); 15.16 Directory Servers (290); 15.17 Add or Edit a Directory Server (291); Chapter 16 Network Address Translation (NAT) (293); 16.1 NAT Overview (293); 16.1.1 NAT Definitions (293) ...
  • Page 17 Chapter 19 Bandwidth Management (321); 19.1 Bandwidth Management Overview (321); 19.2 Bandwidth Classes and Filters (321); 19.3 Proportional Bandwidth Allocation (322); 19.4 Bandwidth Management Usage Examples (322); 19.4.1 Application-based Bandwidth Management Example (322); 19.4.2 Subnet-based Bandwidth Management Example (322); 19.4.3 Application and Subnet-based Bandwidth Management Example (323) ...
  • Page 18 Chapter 21 Remote Management (351); 21.1 Remote Management Overview (351); 21.1.1 Remote Management Limitations (352); 21.1.2 Remote Management and NAT (352); 21.1.3 System Timeout (352); 21.2 Introduction to HTTPS (352); 21.3 Configuring WWW (353); 21.4 HTTPS Example (355); 21.4.1 Internet Explorer Warning Messages (355) ...
  • Page 19 22.5.1 Installing UPnP in Windows Me (379); 22.5.2 Installing UPnP in Windows XP (380); 22.6 Using UPnP in Windows XP Example (380); 22.6.1 Auto-discover Your UPnP-enabled Network Device (381); 22.6.2 Web Configurator Easy Access (382); Chapter 23 Logs Screens ...
  • Page 20 25.3.2 SMT Menus at a Glance (415); 25.4 Changing the System Password (416); 25.5 Resetting the ZyWALL (417); Chapter 26 SMT Menu 1 - General Setup (419); 26.1 Introduction to General Setup (419); 26.2 Configuring General Setup (419); 26.2.1 Configuring Dynamic DNS (421) ...
  • Page 21 Chapter 30 DMZ Setup (449); 30.1 Configuring DMZ Setup (449); 30.2 DMZ Port Filter Setup (449); 30.3 TCP/IP Setup (449); 30.3.1 IP Address (450); 30.3.2 IP Alias Setup (450); Chapter 31 Route Setup (453); 31.1 Configuring Route Setup (453) ...
  • Page 22 34.3 Configuring a Server behind NAT (476); 34.4 General NAT Examples (479); 34.4.1 Internet Access Only (479); 34.4.2 Example 2: Internet Access with a Default Server (480); 34.4.3 Example 3: Multiple Public IP Addresses With Inside Servers (480); 34.4.4 Example 4: NAT Unfriendly Application Programs (484) ...
  • Page 23 38.4.1 Viewing Error Log (511); 38.4.2 UNIX Syslog (512); 38.4.3 Call-Triggering Packet (515); 38.5 Diagnostic (515); 38.5.1 WAN DHCP (516); Chapter 39 Firmware and Configuration File Maintenance (519); 39.1 Introduction (519); 39.2 Filename Conventions (519); 39.3 Backup Configuration (520) ...
  • Page 24 40.2.1 Budget Management (537); 40.2.2 Call History (538); 40.3 Time and Date Setting (539); 40.3.1 Resetting the Time (542); Chapter 41 Remote Management (543); 41.1 Remote Management (543); 41.1.1 Remote Management Limitations (545); Chapter 42 IP Policy Routing ...
  • Page 25 46.6 Problems with the Password (579); 46.7 Problems with Remote Management (579); Appendix A Hardware Specifications (581); Appendix B Setting up Your Computer’s IP Address (585); Appendix C IP Subnetting (597); Appendix D PPPoE (605); Appendix E PPTP ...
  • Page 26 Certificates Commands (665); Appendix Q Brute-Force Password Guessing Protection (669); Appendix R Boot Commands (671); Appendix S Log Descriptions (673) ...
  • Page 27 List of Figures: Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem (55); Figure 2 VPN Application (56); Figure 3 Change Password Screen (58); Figure 4 Replace Certificate Screen (58); Figure 5 Example Xmodem Upload ...
  • Page 28 Figure 37 Wireless: Static WEP (123); Figure 38 Wireless: WPA-PSK (124); Figure 39 Wireless: WPA (125); Figure 40 Wireless: 802.1x + Dynamic WEP (126); Figure 41 Wireless: 802.1x + Static WEP (128); Figure 42 Wireless: 802.1x + No WEP ...
  • Page 29 Figure 80 Creating/Editing A Custom Service (196); Figure 81 Rule Summary (197); Figure 82 Rule Edit Example (198); Figure 83 Edit Custom Service Example (198); Figure 84 My Service Rule Configuration (199); Figure 85 My Service Example Rule Summary ...
  • Page 30 Figure 123 Global Setting (263); Figure 124 Telecommuters Sharing One VPN Rule Example (264); Figure 125 Telecommuters Using Unique VPN Rules Example (265); Figure 126 Certificate Configuration Overview (268); Figure 127 My Certificates (269); Figure 128 My Certificate Import ...
  • Page 31 Figure 166 Bandwidth Manager Monitor (334); Figure 167 Private DNS Server Example (339); Figure 168 System (340); Figure 169 System: Add (341); Figure 170 System: Insert (342); Figure 171 Cache (344); Figure 172 LAN DNS ...
  • Page 32 Figure 209 Synchronization in Process (400); Figure 210 Synchronization is Successful (401); Figure 211 Synchronization Fail (401); Figure 212 Device Mode (Router Mode) (402); Figure 213 Device Mode (Bridge Mode) (403); Figure 214 Firmware Upload ...
  • Page 33 Figure 252 Internet Access Setup (PPPoE) (448); Figure 253 Menu 5: DMZ Setup (449); Figure 254 Menu 5.1: DMZ Port Filter Setup (449); Figure 255 Menu 5: TCP/IP Setup (450); Figure 256 Menu 5.2: TCP/IP Setup (450); Figure 257 Menu 5.2.1: IP Alias Setup ...
  • Page 34 Figure 294 Menu 15.3.1: Trigger Port Setup (487); Figure 295 Menu 21: Filter and Firewall Setup (489); Figure 296 Menu 21.2: Firewall Setup (490); Figure 297 Outgoing Packet Filtering Process (491); Figure 298 Filter Rule Process (493); Figure 299 Menu 21: Filter and Firewall Setup ...
  • Page 35 Figure 337 FTP Session Example of Firmware File Upload (530); Figure 338 Menu 24.7.1 As Seen Using the Console Port (532); Figure 339 Example Xmodem Upload (532); Figure 340 Menu 24.7.2 As Seen Using the Console Port (533); Figure 341 Example Xmodem Upload ...
  • Page 36 Figure 380 Macintosh OS X: Apple Menu (594); Figure 381 Macintosh OS X: Network (595); Figure 382 Single-Computer per Router Hardware Configuration (606); Figure 383 ZyWALL as a PPPoE Client (606); Figure 384 Transport PPP frames over Ethernet (607); Figure 385 PPTP Protocol Overview ...
  • Page 37 Figure 423 Personal Certificate Import Wizard 3 (649); Figure 424 Personal Certificate Import Wizard 4 (649); Figure 425 Personal Certificate Import Wizard 5 (650); Figure 426 Personal Certificate Import Wizard 6 (650); Figure 427 Access the ZyWALL Via HTTPS ...
  • Page 39 List of Tables: Table 1 Feature Specifications (47); Table 2 Web Configurator HOME Screen in Router Mode (61); Table 3 Web Configurator HOME Screen in Bridge Mode (64); Table 4 Feature Comparison (65); Table 5 Screens Summary ...
  • Page 40 Table 37 MAC Address Filter (132); Table 38 Local User Database (137); Table 39 RADIUS (138); Table 40 Least Load First: Example 1 (141); Table 41 Least Load First: Example 2 (141); Table 42 General ...
  • Page 41 Table 80 SA Monitor (262); Table 81 Global Setting (263); Table 82 Telecommuters Sharing One VPN Rule Example (264); Table 83 Telecommuters Using Unique VPN Rules Example (265); Table 84 My Certificates (269); Table 85 My Certificate Import ...
  • Page 42 Table 123 Telnet (366); Table 124 FTP (367); Table 125 SNMP Traps (369); Table 126 SNMP (370); Table 127 DNS (371); Table 128 CNM (372); Table 129 Configuring UPnP (376); Table 130 UPnP Ports ...
  • Page 43 Table 166 Menu 3.5.1: WLAN MAC Address Filter (444); Table 167 Menu 4: Internet Access Setup (Ethernet) (446); Table 168 New Fields in Menu 4 (PPTP) Screen (447); Table 169 New Fields in Menu 4 (PPPoE) screen (448); Table 170 Menu 6.1: Route Assessment ...
  • Page 44 Table 209 Menu 27.1.1.1: IKE Setup (568); Table 210 Active Protocol: Encapsulation and Security Protocol (569); Table 211 Menu 27.1.1.2: Manual Setup (570); Table 212 Menu 27.2: SA Monitor (574); Table 213 Troubleshooting the Start-Up of Your ZyWALL (577); Table 214 Troubleshooting the LAN Interface ...
  • Page 45 Table 252 ICMP Logs (675); Table 253 CDR Logs (676); Table 254 PPP Logs (676); Table 255 UPnP Logs (677); Table 256 Content Filtering Logs (677); Table 257 Attack Logs (678); Table 258 IPSec Logs ...
  • Page 47: Preface

    Help us help you! E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
  • Page 48: Syntax Conventions

    Syntax Conventions • “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font.
  • Page 49: Getting To Know Your Zywall

    This chapter introduces the main features and applications of the ZyWALL. ZyWALL 35 Internet Security Appliance Overview The ZyWALL 35 is the ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall, content filtering, certificates and VPN capability, ZyXEL’s ZyWALL is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 50: Physical Features

    Table 1 Feature Specifications (FEATURE / SPECIFICATION): Number of Address Mapping Rules; Number of IPSec VPN Tunnels/Security Associations. 1.2.1 Physical Features 1.2.1.1 Auto-negotiating 10/100 Mbps Ethernet LAN The LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet.
  • Page 51: Dial Backup Wan

    1.2.1.8 Dial Backup WAN The dial backup port can be held in reserve as a traditional dial-up connection for use if and when the WAN 1, WAN 2 and traffic redirect connections all fail. 1.2.1.9 Time and Date The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL.
  • Page 52: Stp (Spanning Tree Protocol) / Rstp (Rapid Stp)

    1.2.2.4 STP (Spanning Tree Protocol) / RSTP (Rapid STP) When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network.
  • Page 53: Content Filtering

    1.2.2.12 Content Filtering The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify. The ZyWALL can also block access to web sites containing keywords that you specify.
  • Page 54: Call Scheduling

    1.2.2.20 Call Scheduling Configure call time periods to restrict and allow access for users on remote nodes. 1.2.2.21 PPPoE PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar "dial-up networking" user interface.
  • Page 55: Central Network Management

    1.2.2.27 Central Network Management Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. That administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you; since this is full control of the device, enable CNM only for a manager you trust.
  • Page 56: Full Network Management

    1.2.2.33 Full Network Management The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyWALL’s management interface. Most functions of the ZyWALL are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. Telnet carries the password and every keystroke in clear text, so limit it to trusted interfaces and addresses in the remote management TELNET screen, or use the console port instead.
  • Page 57: Vpn Application

    Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem 1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites.
  • Page 58: Figure 2 Vpn Application

    Figure 2 VPN Application
  • Page 59: Introducing The Web Configurator

    Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The embedded web configurator allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
  • Page 60: Figure 3 Change Password Screen

    Figure 3 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
  • Page 61: Resetting The Zywall

    2.3 Resetting the ZyWALL If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
  • Page 62: Navigating The Zywall Web Configurator

    Figure 5 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. 6 After the upload completes successfully, enter "atgo" to restart the ZyWALL. 2.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen.
  • Page 63: Figure 6 Web Configurator Home Screen In Router Mode

    Figure 6 Web Configurator HOME Screen in Router Mode Use submenus to configure ZyWALL features. Click LOGOUT at any time to exit the web configurator. Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/ firmware files.
  • Page 64 Table 2 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION System Name This is the System Name you enter in the MAINTENANCE General screen. It is for identification purposes. Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
  • Page 65: Bridge Mode

    Table 2 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Show Statistics Click Show Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port, including WAN1, WAN2, Dial Backup, LAN, WLAN and DMZ.
  • Page 66: Figure 7 Web Configurator Home Screen In Bridge Mode

    Figure 7 Web Configurator HOME Screen in Bridge Mode The following table describes the labels not previously discussed (see Table 2). Table 3 Web Configurator HOME Screen in Bridge Mode LABEL DESCRIPTION Network Status IP Address This is the IP address of your ZyWALL in dotted decimal notation.
  • Page 67: Navigation Panel

    Table 3 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION Bridge Port This is the port type. Port types are: WAN1, WAN2, LAN, WLAN and DMZ. Port Status For the WAN, LAN, and DMZ ports, this displays the port speed and duplex setting.
  • Page 68: Table 5 Screens Summary

    Table 4 Feature Comparison (FEATURE / BRIDGE MODE / ROUTER MODE): Remote Management; UPnP; Logs; Maintenance. Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 69 Table 5 Screens Summary (continued) LINK FUNCTION Categories Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports. Customization Use this screen to customize the content filter list.
  • Page 70: System Statistics

    Table 5 Screens Summary (continued) LINK FUNCTION TELNET Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL. FTP Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
  • Page 71: Show Statistics: Line Chart

    Figure 8 Home : Show Statistics The following table describes the labels in this screen. Table 6 Home : Show Statistics LABEL DESCRIPTION Click the icon to display the chart of throughput statistics. Port This is the WAN1, WAN2, Dial Backup, LAN, DMZ or WLAN port.
  • Page 72: Dhcp Table Screen

    Figure 9 Home : Show Statistics: Line Chart The following table describes the labels in this screen. Table 7 Home : Show Statistics: Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen.
  • Page 73: Vpn Status

    Figure 10 Home : DHCP Table The following table describes the labels in this screen. Table 8 Home : DHCP Table LABEL DESCRIPTION # This is the index number of the host computer. IP Address This field displays the IP address relative to the # field listed above.
  • Page 74: Figure 11 Home : Vpn Status

    Figure 11 Home : VPN Status The following table describes the labels in this screen. Table 9 Home : VPN Status LABEL DESCRIPTION # This is the security association index number. Name This field displays the identification name for this VPN policy.
  • Page 75: Chapter 3 Wizard Setup

    Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. This chapter is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview The web configurator's setup wizards help you configure WAN1 on the ZyWALL to access the Internet and edit VPN policies and configure IKE settings to establish a VPN tunnel.
  • Page 76: Figure 12 Isp Parameters : Ethernet Encapsulation

    Figure 12 ISP Parameters : Ethernet Encapsulation The following table describes the labels in this screen. Table 10 ISP Parameters : Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 77: Pppoe Encapsulation

    3.2.1.2 PPPoE Encapsulation Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband modem (for example xDSL, cable, wireless, etc.) to achieve access to high-speed data networks.
  • Page 78: Pptp Encapsulation

    Figure 13 ISP Parameters : PPPoE Encapsulation The following table describes the labels in this screen. Table 11 ISP Parameters : PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
  • Page 79: Figure 14 Isp Parameters : Pptp Encapsulation

    PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. Refer to Appendix E PPTP for more information on PPTP. Note: The ZyWALL supports one PPTP server connection at any given time.
  • Page 80: Wan And Dns

    Table 12 ISP Parameters : PPTP Encapsulation LABEL DESCRIPTION My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
  • Page 81: Dns Server Address Assignment

    Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
  • Page 82: Figure 15 Wan And Dns

    You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom"...
  • Page 83: Internet Access Wizard Setup Complete

    The following table describes the labels in this screen. Table 15 WAN and DNS LABEL DESCRIPTION WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
  • Page 84: Vpn Overview

    Figure 16 Internet Access Wizard Setup Complete 3.3 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 85: My Ip Address

    3.4.1 My IP Address My IP Address identifies the WAN IP address of the ZyWALL. You can enter the ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0. The ZyWALL has to rebuild the VPN tunnel if the My IP Address changes after setup.
  • Page 86: Figure 17 Vpn Wizard : Gateway Setting

    Figure 17 VPN Wizard : Gateway Setting The following table describes the labels in this screen. Table 16 VPN Wizard : Gateway Setting LABEL DESCRIPTION My IP Address Enter the WAN IP address of your ZyWALL or leave the field set to 0.0.0.0.
  • Page 87: Network Setting

    3.4.3 Network Setting Two active SAs cannot have both the same local and the same remote IP address(es). They may share the local addresses or the remote addresses, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one of them is active at any time.
  • Page 88: Ike Phases

    Table 17 VPN Wizard : Network Setting LABEL DESCRIPTION Starting IP Address When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 89: Negotiation Mode

    • Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
  • Page 90: Diffie-Hellman (DH) Key Groups

    3.4.4.3 Diffie-Hellman (DH) Key Groups. Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 –...
  • Page 91: Table 18 ESP and AH

    An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted. Table 18 ESP and AH. Encryption, DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key.
  • Page 92: IKE Tunnel Setting (IKE Phase 1)

    3.5.3 IKE Tunnel Setting (IKE Phase 1). Figure 20 VPN Wizard: IKE Tunnel Setting. The following table describes the labels in this screen. Table 19 VPN Wizard: IKE Tunnel Setting. Negotiation Mode: Use the radio buttons to select Main Mode or Aggressive Mode.
  • Page 93: IPSec Setting (IKE Phase 2)

    Table 19 VPN Wizard: IKE Tunnel Setting (continued). Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared"...
  • Page 94: VPN Status Summary

    The following table describes the labels in this screen. Table 20 VPN Wizard: IPSec Setting. Encapsulation Mode: Select Tunnel mode or Transport mode. IPSec Protocol: Select the security protocols used for an SA.
  • Page 95: Figure 22 VPN Wizard: VPN Status

    Figure 22 VPN Wizard: VPN Status. The following table describes the labels in this screen. Table 21 VPN Wizard: VPN Status. Gateway Setting, My IP Address: This is the WAN IP address of your ZyWALL.
  • Page 96: VPN Wizard Setup Complete

    Table 21 VPN Wizard: VPN Status (continued). Starting IP Address: This is a (static) IP address on the network behind the remote IPSec router. Ending IP Address/: When the remote network is configured for a single IP address, this field is N/A.
  • Page 97: Figure 23 VPN Wizard Setup Complete

    Figure 23 VPN Wizard Setup Complete.
  • Page 99: Chapter 4 LAN Screens

    Chapter 4 LAN Screens. This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. 4.1 LAN Overview. A Local Area Network (LAN) is a shared communication system to which many computers are attached.
  • Page 100: LAN TCP/IP

    4.3 LAN TCP/IP. The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 4.3.1 Factory LAN Defaults. The LAN parameters of the ZyWALL are preset in the factory with the following values: •...
  • Page 101: Multicast

    4.3.4 Multicast. Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network, not everybody and not just 1.
  • Page 102: Figure 24 LAN

    Figure 24 LAN. The following table describes the labels in this screen. Table 22 LAN. LAN TCP/IP, IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 103: Configuring Static DHCP

    Table 22 LAN (continued). Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use.
  • Page 104: Configuring IP Alias

    To change your ZyWALL's static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown. Figure 25 Static DHCP. The following table describes the labels in this screen. Table 23 Static DHCP...
  • Page 105: Figure 26 Physical Network & Partitioned Logical Networks

    When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). Note: Make sure that the subnets of the logical networks do not overlap. The following figure shows a LAN divided into subnets A, B, and C.
  • Page 106: Configuring Port Roles

    The following table describes the labels in this screen. Table 24 IP Alias. Enable IP Alias 1, Select the check box to configure another LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 107: Figure 28 Port Roles

    Figure 28 Port Roles. After you change the LAN/DMZ port roles and click Apply, please wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 29 Port Roles Change Complete...
  • Page 109: Chapter 5 Bridge Screens

    Chapter 5 Bridge Screens. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 5.1 Bridge Loop. The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers.
  • Page 110: Rapid STP

    5.2.1 Rapid STP. The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP, topology change information does not have to propagate to the root bridge, and unwanted learned addresses are flushed from the filtering database.
  • Page 111: STP Port States

    Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down.
  • Page 112: Figure 31 Bridge

    Figure 31 Bridge. The following table describes the labels in this screen. Table 27 Bridge. Bridge Setup, IP Address: Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
  • Page 113: Configuring Port Roles

    Table 27 Bridge (continued). Rapid Spanning Tree Protocol Setup. Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL. Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. 0 is the highest.
  • Page 115: Wireless LAN and Authentication Server

    Chapter 6 Wireless LAN and Authentication Server. This chapter discusses how to configure the Wireless LAN and Auth Server on the ZyWALL. 6.1 Wireless LAN Overview. This section introduces the wireless LAN (WLAN) and some basic scenarios.
  • Page 116: RTS/CTS

    6.2.3 RTS/CTS. A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out of range of each other, so they cannot hear each other; that is, they do not know if the channel is currently being used.
  • Page 117: Fragmentation Threshold

    6.2.4 Fragmentation Threshold. A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the ZyWALL will fragment the packet into smaller data frames.
  • Page 118: Security Parameters Summary

    Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator. 6.4 Security Parameters Summary. Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type.
  • Page 119: Overview

    6.6 802.1x Overview. The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyWALL (authenticates up to 32 users) or an external RADIUS server for an unlimited number of users.
  • Page 120: Encryption

    Therefore, if you don't have an external RADIUS server you should use WPA-PSK (WPA - Pre-Shared Key), which only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to the WLAN.
  • Page 121: WPA with RADIUS Application Example

    3 The AP derives and distributes keys to the wireless clients. 4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged between them. Figure 34 WPA-PSK Authentication. 6.10 WPA with RADIUS Application Example. You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret.
  • Page 122: Wireless Client WPA Supplicants

    Figure 35 WPA with RADIUS Application Example. 6.11 Wireless Client WPA Supplicants. A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
  • Page 123: Configuring Wireless LAN

    3 With its pin connector facing the slot and the LED side facing upwards, slide the ZyAIR wireless LAN card into the slot. Note: Never force, bend or twist the wireless LAN card into the slot.
  • Page 124: Static WEP

    The following table describes the labels in this screen. Table 29 Wireless: No Security. Enable Wireless LAN: The wireless LAN is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security;...
  • Page 125: WPA-PSK

    Figure 37 Wireless: Static WEP. The following table describes the wireless LAN security labels in this screen. Table 30 Wireless: Static WEP. Security: Select Static WEP from the drop-down list. WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
  • Page 126: Figure 38 Wireless: WPA-PSK

    Figure 38 Wireless: WPA-PSK. The following fields are only available when you select WPA-PSK in the Security drop-down list box. Table 31 Wireless: WPA-PSK. Security: Select WPA-PSK from the drop-down list. Pre-Shared Key: The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.
  • Page 127: WPA

    Table 31 Wireless: WPA-PSK (continued). WPA Group Key Update Timer (Seconds): The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients.
  • Page 128: Dynamic WEP

    Table 32 Wireless: WPA (continued). Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.
  • Page 129: Static WEP

    The following fields are only available when you select 802.1x + Dynamic WEP in the Security drop-down list box. Table 33 Wireless: 802.1x + Dynamic WEP. Security: Select WPA from the drop-down list. ReAuthentication...
  • Page 130: Figure 41 Wireless: 802.1x + Static WEP

    Figure 41 Wireless: 802.1x + Static WEP. The following table describes the wireless LAN security labels in this screen. Table 34 Wireless: 802.1x + Static WEP. Security: Select 802.1x + Static WEP from the drop-down list.
  • Page 131: No WEP

    Table 34 Wireless: 802.1x + Static WEP (continued). Authentication Databases: Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where...
  • Page 132: No Access 802.1x + Static WEP

    Table 35 Wireless: 802.1x + No WEP (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 6.13.7 No Access 802.1x + Static WEP. Select No Access 802.1x + Static WEP to deny all wireless stations access to your wired...
  • Page 133: No Access 802.1x + No WEP

    Table 36 Wireless: No Access 802.1x + Static WEP (continued). Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
  • Page 134: Figure 44 MAC Address Filter

    Figure 44 MAC Address Filter. The following table describes the labels in this menu. Table 37 MAC Address Filter. Active: Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses.
  • Page 135: Introduction to RADIUS

    6.15 Introduction to RADIUS. RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks among others: •...
  • Page 136: EAP Authentication Overview

    6.15.2 EAP Authentication Overview. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.
  • Page 137: Authentication Server

    6.17 Authentication Server. A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users. The ZyWALL uses the same local user database for VPN extended authentication and wireless LAN security.
  • Page 138: Figure 46 Local User Database

    Figure 46 Local User Database.
  • Page 139: Configuring RADIUS

    The following table describes the labels in this screen. Table 38 Local User Database. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile.
  • Page 140: Table 39 RADIUS

    The following table describes the labels in this screen. Table 39 RADIUS. Authentication Server, Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
  • Page 141: Chapter 7 WAN Screens

    Chapter 7 WAN Screens. This chapter describes how to configure WAN settings. 7.1 WAN Overview. See Chapter 3 Wizard Setup for more information on the fields in the WAN screens. 7.2 Multiple WAN. You can use a second connection for load sharing to increase overall network throughput or as a backup to enhance network reliability.
  • Page 142: Load Balancing Introduction

    7.3 Load Balancing Introduction. On the ZyWALL, load balancing is the process of dividing traffic loads between the two WAN interfaces (or ports). This allows you to improve quality of service and maximize bandwidth utilization. See also policy routing, to provide quality of service by dedicating a route to a specific traffic type, and bandwidth management, to specify a set amount of bandwidth for a specific traffic type on an interface.
  • Page 143: Example 2

    Figure 48 Least Load First Example. If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below.
  • Page 144: Weighted Round Robin

    7.4.2 Weighted Round Robin. Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight.
  • Page 145: TCP/IP Priority (Metric)

    Figure 50 Spillover Algorithm Example. 7.5 TCP/IP Priority (Metric). The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1"...
  • Page 146: Figure 51 General

    Figure 51 General.
  • Page 147: Table 42 General

    The following table describes the labels in this screen. Table 42 General. Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN port (depending on the priorities you configure in the Route Priority fields).
  • Page 148: Configuring Load Balancing

    Table 42 General (continued). Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN port's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN port's default gateway IP address.
  • Page 149: Weighted Round Robin

    Figure 52 Load Balancing: Least Load First. The following table describes the related fields in this screen. Table 43 Load Balancing: Least Load First. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
  • Page 150: Spillover

    Figure 53 Load Balancing: Weighted Round Robin. The following table describes the related fields in this screen. Table 44 Load Balancing: Weighted Round Robin. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
  • Page 151: Configuring WAN Setup

    Figure 54 Load Balancing: Spillover. The following table describes the related fields in this screen. Table 45 Load Balancing: Spillover. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
  • Page 152: Ethernet Encapsulation

    7.8.1 Ethernet Encapsulation. The screen shown next is for Ethernet encapsulation. Figure 55 WAN: Ethernet Encapsulation. The following table describes the labels in this screen. Table 46 WAN: Ethernet Encapsulation. ISP Parameters for Internet...
  • Page 153

    Table 46 WAN: Ethernet Encapsulation (continued). Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type.
  • Page 154: PPPoE Encapsulation

    Table 46 WAN: Ethernet Encapsulation (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 155: Figure 56 WAN: PPPoE Encapsulation

    create and offer new IP services for individuals. Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the ZyWALL (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task.
  • Page 156: PPTP Encapsulation

    The following table describes the labels not previously discussed. Table 47 WAN: PPPoE Encapsulation. ISP Parameters for Internet Access, Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e.
  • Page 157: Figure 57 WAN: PPTP Encapsulation

    Figure 57 WAN: PPTP Encapsulation.
  • Page 158: Traffic Redirect

    The following table describes the labels not previously discussed. Table 48 WAN: PPTP Encapsulation. ISP Parameters for Internet Access, Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 159: Configuring Traffic Redirect

    Figure 58 Traffic Redirect WAN Setup. The following network topology allows you to avoid triangle route security issues (see Appendix I Triangle Route) when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network.
  • Page 160: Configuring Dial Backup

    Figure 60 Traffic Redirect. The following table describes the labels in this screen. Table 49 Traffic Redirect. Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
  • Page 161: Figure 61 Dial Backup Setup

    Figure 61 Dial Backup Setup.
  • Page 162: Table 50 Dial Backup Setup

    The following table describes the labels in this screen. Table 50 Dial Backup Setup. Dial Backup Setup, Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings, Login Name: Type the login name assigned by your ISP.
  • Page 163

    Table 50 Dial Backup Setup (continued). Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving).
  • Page 164: Advanced Modem Setup

    Table 50 Dial Backup Setup (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 7.12 Advanced Modem Setup. 7.12.1 AT Command Strings. For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing.
  • Page 165: Figure 62 Advanced Setup

    Figure 62 Advanced Setup. The following table describes the labels in this screen. Table 51 Advanced Setup. AT Command Strings, Dial: Type the AT Command string to make a call. Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath"...
  • Page 166

    Table 51 Advanced Setup (continued). Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count: Type the number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
  • Page 167: Chapter 8 DMZ Screens

    Chapter 8 DMZ Screens. This chapter describes how to configure the ZyWALL's DMZ. 8.1 DMZ Overview. The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 168: Figure 63 DMZ

    From the main menu, click DMZ. The screen appears as shown next. Figure 63 DMZ. The following table describes the labels in this screen. Table 52 DMZ. DMZ TCP/IP, IP Address: Type the IP address of your ZyWALL's DMZ port in dotted decimal notation.
  • Page 169: Configuring IP Alias

    Table 52 DMZ (continued). Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use.
  • Page 170: Figure 64 IP Alias

    Figure 64 IP Alias. The following table describes the labels in this screen. Table 53 IP Alias. Enable IP Alias 1, Select the check box to configure another DMZ network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 171: DMZ Public IP Address Example

    Table 53 IP Alias (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 8.4 DMZ Public IP Address Example. The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN.
  • Page 172: Configuring Port Roles

    Configure both DMZ and DMZ IP alias to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses. Figure 66 DMZ Private and Public Address Example. 8.6 Configuring Port Roles. To configure a LAN/DMZ port as a LAN or DMZ port, select its radio button next to LAN or DMZ and click Apply.
  • Page 173: Figure 67 Port Roles

    Figure 67 Port Roles. After you change the LAN/DMZ port roles and click Apply, please wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 68 Port Roles Change Complete...
  • Page 175: Chapter 9 Firewalls

    ZyWALL 35 User’s Guide H A P T E R Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 9.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 176: Stateful Inspection Firewalls

    ZyWALL 35 User’s Guide 1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. 2 Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 177: Denial Of Service

    ZyWALL 35 User’s Guide Figure 69 ZyWALL Firewall Application 9.4 Denial of Service Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 178: Types Of Dos Attacks

    ZyWALL 35 User’s Guide 9.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data.
  • Page 179: Figure 71 Syn Flood

    ZyWALL 35 User’s Guide response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake.
  • Page 180: Icmp Vulnerability

    ZyWALL 35 User’s Guide Figure 72 Smurf Attack 9.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: Table 55 ICMP Commands That Trigger Alerts REDIRECT TIMESTAMP_REQUEST TIMESTAMP_REPLY ADDRESS_MASK_REQUEST ADDRESS_MASK_REPLY 9.4.2.2 Illegal Commands (NetBIOS and SMTP)
  • Page 181: Traceroute

    ZyWALL 35 User’s Guide All SMTP commands are illegal except for those displayed in the following tables. Table 57 Legal SMTP Commands AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML TURN VRFY 9.4.2.3 Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints.
  • Page 182: Stateful Inspection Process

    ZyWALL 35 User’s Guide Figure 73 Stateful Inspection The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.
  • Page 183: Stateful Inspection And The Zywall

    ZyWALL 35 User’s Guide temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection. 8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
  • Page 184: UDP/ICMP Security

    If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.
  • Page 185: Guidelines For Enhancing Security With Your Firewall

    Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Services feature to do this. 9.6 Guidelines For Enhancing Security With Your Firewall: 1 Change the default password via SMT or web configurator.
  • Page 186: Firewall

    9.7.2 Firewall: • The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.
  • Page 187: Chapter 10 Firewall Screens

    Chapter 10 Firewall Screens. This chapter shows you how to configure your ZyWALL firewall. 10.1 Access Methods: The web configurator is by far the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator.
  • Page 188: Rule Logic Overview

    • WAN to LAN • WAN to WAN/ZyWALL: This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computers on the WAN and/or managing the ZyWALL. • DMZ to LAN •...
  • Page 189: Security Ramifications

    4 What IP services will be affected? 5 What computers on the LAN or DMZ are to be affected (if any)? 6 What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 190: Destination Address

    10.3.3.4 Destination Address: What is the connection’s destination address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet? 10.4 Connection Direction Examples: This section describes examples of firewall rules for connections going from LAN to WAN and from WAN to LAN.
  • Page 191: Alerts

    Figure 75 WAN to LAN Traffic. 10.5 Alerts: Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when a rule is matched in the Edit Rule screen...
  • Page 192: Figure 76 Default Rule (Router Mode)

    Figure 76 Default Rule (Router Mode). The following table describes the labels in this screen. Table 58 Default Rule (Router Mode) LABEL DESCRIPTION Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 193: Figure 77 Default Rule (Bridge Mode)

    Figure 77 Default Rule (Bridge Mode). The following table describes the labels in this screen. Table 59 Default Rule (Bridge Mode) LABEL DESCRIPTION Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 194: Rule Summary

    10.6.1 Rule Summary. Note: The ordering of your rules is very important, as rules are applied in turn. Click FIREWALL, then the Rule Summary tab to open the screen. Figure 78 Rule Summary. The following table describes the labels in this screen.
  • Page 195: Configuring Firewall Rules

    Table 60 Rule Summary LABEL DESCRIPTION Source Address: This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
  • Page 196: Figure 79 Creating/Editing A Firewall Rule

    Figure 79 Creating/Editing A Firewall Rule
  • Page 197: Table 61 Creating/Editing A Firewall Rule

    The following table describes the labels in this screen. Table 61 Creating/Editing A Firewall Rule LABEL DESCRIPTION Edit Source/Destination Address, Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address?
  • Page 198: Configuring Custom Services

    Table 61 Creating/Editing A Firewall Rule LABEL DESCRIPTION Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving. 10.6.3 Configuring Custom Services: Configure customized ports for services not predefined by the ZyWALL...
  • Page 199: Figure 81 Rule Summary

    1 Click the FIREWALL link and then the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box. Figure 81 Rule Summary. 2 In the Rule Summary screen, type the index number for where you want to put the rule.
  • Page 200: Figure 82 Rule Edit Example

    Figure 82 Rule Edit Example. 6 In the Edit Rule screen, click Add under Custom Service to open the Edit Custom Service screen. Configure it as follows and click Apply. Figure 83 Edit Custom Service Example. 7 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows.
  • Page 201: Figure 84 My Service Rule Configuration

    Figure 84 My Service Rule Configuration
  • Page 202: Predefined Services

    Figure 85 My Service Example Rule Summary. Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. 10.8 Predefined Services: The Available Services list box in the Edit Rule screen...
  • Page 203 Table 63 Predefined Services (continued) SERVICE DESCRIPTION FINGER(TCP:79): Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP(TCP:20,21): File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
  • Page 204: Anti-Probing

    Table 63 Predefined Services (continued) SERVICE DESCRIPTION RTELNET(TCP:107): Remote Telnet. RTSP(TCP/UDP:554): The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP(TCP:115): Simple File Transfer Protocol. SMTP(TCP:25): Simple Mail Transfer Protocol is the message-exchange standard for the Internet.
  • Page 205: Configuring Attack Alert

    Figure 86 Anti-Probing. The following table describes the labels in this screen. Table 64 Anti-Probing LABEL DESCRIPTION Respond to PING: The ZyWALL does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests.
  • Page 206: Threshold Values

    10.10.1 Threshold Values: Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are: 1 The maximum number of opened sessions.
  • Page 207: Figure 87 Firewall Threshold

    Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the following methods: 1 If the Blocking Time timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-open session for the host for every new connection request to the host.
  • Page 208 Table 65 Firewall Threshold (continued) LABEL DESCRIPTION One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
  • Page 209: Content Filtering Screens

    Chapter 11 Content Filtering Screens. This chapter provides an overview of content filtering. 11.1 Content Filtering Overview: Content filtering allows you to block certain web features, such as Cookies, and/or restrict specific websites. With content filtering, you can do the following: 11.1.1 Restrict Web Features...
  • Page 210: Figure 88 Content Filter : General

    Figure 88 Content Filter : General. The following table describes the labels in this screen. Table 66 Content Filter : General LABEL DESCRIPTION General Setup, Enable Content Filter: Select this check box to enable the content filter.
  • Page 211 Table 66 Content Filter : General LABEL DESCRIPTION Cookies: Cookies are files stored on a computer’s hard drive. Some web servers use them to track usage and provide service based on ID. Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service.
  • Page 212: Content Filtering With An External Database

    11.3 Content Filtering with an External Database: When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories.
  • Page 213: Figure 90 Content Filter : Categories

    Figure 90 Content Filter : Categories. The following table describes the labels in this screen. Table 67 Content Filter : Categories LABEL DESCRIPTION Auto Category Setup, Enable External Database: Enable external database content filtering to have the ZyWALL check an...
  • Page 214 Table 67 Content Filter : Categories (continued) LABEL DESCRIPTION Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web...
  • Page 215 Table 67 Content Filter : Categories (continued) LABEL DESCRIPTION Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
  • Page 216 Table 67 Content Filter : Categories (continued) LABEL DESCRIPTION Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
  • Page 217 Table 67 Content Filter : Categories (continued) LABEL DESCRIPTION News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
  • Page 218 Table 67 Content Filter : Categories (continued) LABEL DESCRIPTION Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of an adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
  • Page 219: Customization

    Table 67 Content Filter : Categories (continued) LABEL DESCRIPTION Register: Click Register to go to a web site where you can register for category-based content filtering (using an external database). You can use a trial application or register your iCard’s PIN.
  • Page 220: Figure 91 Content Filter : Customization

    Figure 91 Content Filter : Customization. The following table describes the labels in this screen. Table 68 Content Filter : Customization LABEL DESCRIPTION Web Site List Customization, Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.
  • Page 221 Table 68 Content Filter : Customization (continued) LABEL DESCRIPTION Don't block Java/ActiveX/Cookies/Web proxy to trusted: When this box is selected, the ZyWALL will permit Java, ActiveX and Cookies from sites on the Trusted Web Site list to the LAN. In certain...
  • Page 222: Customizing Keyword Blocking URL Checking

    11.6 Customizing Keyword Blocking URL Checking: You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.
  • Page 223: Content Filtering Registration And Reports

    Chapter 12 Content Filtering Registration and Reports. This chapter describes how to register for content filtering and view content filtering reports. Before you activate content filtering, you must create an account at myZyXEL.com and register your device.
  • Page 224: A Note On myZyXEL.com Numbers

    12.1.1 A Note on myZyXEL.com Numbers: You need the following (unique) numbers to register and activate device-specific feature(s). Table 69 myZyXEL.com Numbers TYPES DESCRIPTION Serial Number: You need the serial number to register your ZyXEL device. Locate the serial number on your ZyXEL device.
  • Page 225: Figure 93 myZyXEL.com Account Registration

    Figure 93 myZyXEL.com Account Registration. 4 A screen appears indicating you have created an account at myZyXEL.com. Figure 94 Account Registration Successful. 5 You will receive a confirmation e-mail. Click the URL in the e-mail to activate your account.
  • Page 226: Registering Your ZyXEL Device

    Figure 95 Account Confirmation E-Mail. 6 Click Continue to go to the myZyXEL.com login screen. Figure 96 myZyXEL.com Account Activation. 12.3 Registering Your ZyXEL Device: 1 After you have created a myZyXEL.com account, log in and register your ZyXEL device by clicking the hyperlink as shown in the next screen.
  • Page 227: Figure 97 Logged Into myZyXEL.com

    Figure 97 Logged Into myZyXEL.com. Click here to register a new product. 2 Click Add in the next screen. Figure 98 Product Registration. 3 The Add New Product screen displays. Enter the product serial number in the Serial Number field.
  • Page 228: Figure 99 Add New Product

    Figure 99 Add New Product. Your ZyXEL device MAC address may already be entered here. 8 Specify the purchase information and click Continue. Figure 100 Product Survey. 9 Click Continue again. 10 After you have registered your ZyXEL device, you can view its registration details in the screen shown next.
  • Page 229: Content Filtering Registration

    Figure 101 Service Management. 12.4 Content Filtering Registration: 1 In your ZyXEL device’s web configurator, click CONTENT FILTER, Categories and then the Register button. The following screen opens. 2 Enter the user name and password from your myZyXEL.com account (see Figure 92).
  • Page 230: Figure 103 myZyXEL.com: Service Management

    Figure 103 myZyXEL.com: Service Management. 6 Enter the PIN code exactly as shown on your iCard (you do not enter a PIN if you are registering for the trial period) in the License Key (PIN code) field.
  • Page 231: Checking Content Filtering Activation

    Figure 105 Service Registration: Successful. Figure 106 Service Management: Service Registered. 9 You can go on to update your product registration information, view content filtering reports or click LOGOUT at any time to exit myZyXEL.com. 12.5 Checking Content Filtering Activation: After you register for content filtering, the web site displays a registration successful web page.
  • Page 232: Updating Product Registration Information

    3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button. When content filtering is active, you should see an access blocked or access forwarded message.
  • Page 233: Figure 107 Cerberian Login Screen

    Figure 107 Cerberian Login Screen. 2 Enter your ZyXEL device's MAC address (in lower case) in the Name field. Type the password that you configured during account registration at myZyXEL.com. 3 Click Reports. Figure 108 Content Filtering Reports Main Screen. Note: The ZyWALL does not support Single User Reports at the time of writing.
  • Page 234: Configuration File

    5 A chart and list of requested web site categories display in the lower half of the screen. Figure 109 Global Report Screen Example. 6 Click a category to see the URLs that were requested. Figure 110 Requested URLs Example. 12.8 Configuration File...
  • Page 235: Chapter 13 Introduction To IPSec

    Chapter 13 Introduction to IPSec. This chapter introduces the basics of IPSec VPNs. This chapter is only applicable when the ZyWALL is in router mode. 13.1 VPN Overview: A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
  • Page 236: Data Confidentiality

    Figure 111 Encryption and Decryption. 13.1.3.2 Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. 13.1.3.3 Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 237: IPSec Algorithms

    Figure 112 IPSec Architecture. 13.2.1 IPSec Algorithms: The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 238: Transport Mode

    Figure 113 Transport and Tunnel Mode IPSec Encapsulation. 13.3.1 Transport Mode: Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 239: Table 70 VPN And NAT

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
  • Page 241: Chapter 14 VPN Screens

    Chapter 14 VPN Screens. This chapter introduces the VPN Web Configurator. See Chapter 23 Logs Screens for information on viewing logs and see Appendix S Log Descriptions for IPSec log descriptions. 14.1 VPN/IPSec Overview: Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 242: My IP Address

    Table 71 ESP and AH Encryption DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data. 3DES...
  • Page 243: Dynamic Secure Gateway Address

    You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
  • Page 244: Figure 115 VPN Rules

    Figure 115 VPN Rules. The following table describes the labels in this screen. Table 72 VPN Rules LABEL DESCRIPTION This is the VPN policy index number. Name: This field displays the identification name for this VPN policy.
  • Page 245: Keep Alive

    Table 72 VPN Rules LABEL DESCRIPTION IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). Secure Gateway Address: This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the Edit...
  • Page 246: NAT Traversal Configuration

    Figure 116 NAT Router Between IPSec Routers. Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN.
  • Page 247: ID Type And Content

    The following figure depicts an example where three VPN tunnels are created from ZyWALL A: one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the ZyWALL at branch office 1 uses the Intranet DNS server in headquarters.
  • Page 248: ID Type And Content Examples

    between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see the Editing VPN Policies section). The ID type and content act as an extra level of identification for incoming SAs.
  • Page 249: Pre-Shared Key

    The two ZyWALLs in this example can complete negotiation and establish a VPN tunnel. Table 75 Matching ID Type and Content Configuration Example. ZyWALL A: Local ID type: E-mail; Local ID content: tom@yourcompany.com. ZyWALL B: Local ID type: IP; Local ID content: 1.1.1.2...
  • Page 250: Figure 118 Edit VPN Rule

    Figure 118 Edit VPN Rule
  • Page 251: Table 77 Edit VPN Rule

    The following table describes the labels in this screen. Table 77 Edit VPN Rule LABEL DESCRIPTION Property, Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall.
  • Page 252 Table 77 Edit VPN Rule (continued) LABEL DESCRIPTION User Name: Enter a user name for your ZyWALL to be authenticated by the VPN peer (in server mode). The user name can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
  • Page 253 Table 77 Edit VPN Rule (continued) LABEL DESCRIPTION Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 254 Table 77 Edit VPN Rule (continued) LABEL DESCRIPTION Peer ID Type: Select from the following when you set Authentication Method to Pre-shared Key. • Select IP to identify the remote IPSec router by its IP address.
  • Page 255 Table 77 Edit VPN Rule (continued) LABEL DESCRIPTION My Address: IP Address identifies the WAN IP address of the ZyWALL. You can select IP Address and enter the ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
  • Page 256: IKE Phases

    Table 77 Edit VPN Rule (continued) LABEL DESCRIPTION Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.
  • Page 257: X-Auth And IKE

    • Choose which protocol to use (ESP or AH) for the IKE key exchange. • Choose an encryption algorithm. • Choose an authentication algorithm. • Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography...
  • Page 258: Perfect Forward Secrecy (PFS)

    14.11.4 Perfect Forward Secrecy (PFS): Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
  • Page 259: Table 78 Edit VPN Rule: Advanced

    The following table describes the labels in this screen. Table 78 Edit VPN Rule: Advanced LABEL DESCRIPTION Phase 1, Negotiation Mode: Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
  • Page 260: Manual Key Setup

    Table 78 Edit VPN Rule: Advanced LABEL DESCRIPTION Encapsulation: Select Tunnel mode or Transport mode from the drop-down list box. Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup.
  • Page 261: Configuring Manual Key

    14.14 Configuring Manual Key: You only configure VPN Manual Key when you select Manual Key in the Key Management field on the Edit VPN Rule screen. This is the VPN Manual Key screen as shown next.
  • Page 262 Table 79 VPN Manual Setup LABEL DESCRIPTION Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces. Key Management: Select IKE or Manual Key from the drop-down list box. Manual is a useful option for troubleshooting if you have problems using IKE key management.
  • Page 263 Table 79 VPN Manual Setup LABEL DESCRIPTION My Address: IP Address identifies the WAN IP address of the ZyWALL. You can select IP Address and enter the ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
  • Page 264: Viewing SA Monitor

    Table 79 VPN Manual Setup LABEL DESCRIPTION Encryption Key (Only with ESP): With DES, type a unique key 8 characters long. With 3DES, type a unique key 24 characters long. Any characters may be used, including spaces, but trailing spaces are truncated.
  • Page 265: Configuring Global Setting

    Table 80 SA Monitor LABEL DESCRIPTION IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). Refresh: Click Refresh to display the current active VPN connection(s).
  • Page 266: Telecommuter VPN/IPSec Examples

    14.17 Telecommuter VPN/IPSec Examples: The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address.
  • Page 267: Figure 125 Telecommuters Using Unique VPN Rules Example

    With aggressive negotiation mode (see the Negotiation Mode section), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters.
  • Page 268: VPN And Remote Management

    Table 83 Telecommuters Using Unique VPN Rules Example. TELECOMMUTERS: Local ID Type: DNS; Local ID Content: telecommuterb.com; Local IP Address: 192.168.3.2. HEADQUARTERS: Peer ID Type: DNS; Peer ID Content: telecommuterb.com; Secure Gateway Address: telecommuterb.com; Remote Address: 192.168.3.2. Telecommuter C (telecommuterc.dydns.org)
  • Page 269: Chapter 15 Certificates

    Chapter 15 Certificates. This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview: The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 270: Advantages Of Certificates

    15.1.1 Advantages of Certificates: Certificates offer the following benefits. • The ZyWALL only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
  • Page 271: Figure 127 My Certificates

    Figure 127 My Certificates. The following table describes the labels in this screen. Table 84 My Certificates LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 272: Certificate File Formats

    Table 84 My Certificates (continued) LABEL DESCRIPTION Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
  • Page 273: Importing A Certificate

    • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
  • Page 274: Creating A Certificate

    The following table describes the labels in this screen. Table 85 My Certificate Import LABEL DESCRIPTION File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 275: Table 86 My Certificate Create

    The following table describes the labels in this screen. Table 86 My Certificate Create LABEL DESCRIPTION Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information: Use these fields to record information that identifies the owner of the certificate.
  • Page 276: My Certificate Details

    Table 86 My Certificate Create (continued) LABEL DESCRIPTION Enrollment Protocol: Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco.
  • Page 277: Figure 130 My Certificate Details

    Figure 130 My Certificate Details
• Page 278: Table 87 My Certificate Details

    The following table describes the labels in this screen. Table 87 My Certificate Details. Name: This field displays the identifying name of this certificate. To change the name, type up to 31 characters to identify this certificate; you may use any character except spaces.
• Page 279: Trusted CAs

    Table 87 My Certificate Details (continued). Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field displays the functions for which the certificate’s key can be used, for example “DigitalSignature”...
• Page 280: Figure 131 Trusted CAs

    Figure 131 Trusted CAs. The following table describes the labels in this screen. Table 88 Trusted CAs. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
• Page 281: Importing a Trusted CA’s Certificate

    Table 88 Trusted CAs (continued). CRL Issuer: This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate’s details screen, so that the ZyWALL checks the CRL before trusting any certificate issued by that certification authority.
• Page 282: Trusted CA Certificate Details

    The following table describes the labels in this screen. Table 89 Trusted CA Import. File Path: Type the location of the file you want to upload in this field, or click Browse to find it.
• Page 283: Figure 133 Trusted CA Details

    Figure 133 Trusted CA Details. The following table describes the labels in this screen. Table 90 Trusted CA Details. Name: This field displays the identifying name of this certificate. To change the name, type up to 31 characters to identify this key certificate.
• Page 284

    Table 90 Trusted CA Details (continued). Certification Path: Click the Refresh button to have this read-only text box display the end entity’s certificate and the list of certification authority certificates showing the hierarchy of certification authorities that validate the end entity’s certificate.
• Page 285: Trusted Remote Hosts

    Table 90 Trusted CA Details (continued). CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available, along with the domain names or IP addresses of those servers.
• Page 286: Figure 134 Trusted Remote Hosts

    Figure 134 Trusted Remote Hosts. The following table describes the labels in this screen. Table 91 Trusted Remote Hosts. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
• Page 287: Verifying a Trusted Remote Host’s Certificate

    Table 91 Trusted Remote Hosts (continued). Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL. Refresh: Click this button to display the current validity status of the certificates.
• Page 288: Importing a Trusted Remote Host’s Certificate

    Figure 136 Certificate Details. Verify (over the phone, for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields. Compare the complete thumbprint, not just its first few characters, and use a channel other than the one the certificate itself arrived over; a thumbprint that merely matches the file you received proves nothing about who sent it. 15.14 Importing a Trusted Remote Host’s Certificate. Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen.
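The two file formats described on page 273 and the thumbprint check described above are small enough to script. The following Python is an added example written for this page, not code from the ZyXEL manual or from ZyNOS: it recognises a certificate file as PEM or binary (DER) X.509, converts between the two, computes the thumbprint the way the details screen does (a hash over the DER bytes, so the value is the same whichever format the file came in), and compares it in constant time against a value read out over the phone, ignoring case and separators. The sample bytes are a constructed ASN.1 SEQUENCE standing in for a real certificate, not a genuine certificate; everything else uses the standard library only.

```python
import base64
import hashlib
import hmac
import re

# PEM wraps the Base-64 text between these two armour lines; whitespace inside is ignored.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def detect_format(data: bytes) -> str:
    """Return 'PEM' or 'DER' for the two import formats the ZyWALL accepts."""
    if PEM_RE.search(data):
        return "PEM"
    # A DER-encoded certificate is an ASN.1 SEQUENCE, whose first byte is tag 0x30.
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("not a PEM or binary (DER) X.509 certificate")


def to_der(data: bytes) -> bytes:
    """Normalise either format to the binary encoding the thumbprint is computed over."""
    if detect_format(data) == "PEM":
        body = PEM_RE.search(data).group(1)
        return base64.b64decode(b"".join(body.split()), validate=True)
    return data


def to_pem(der: bytes) -> bytes:
    """Base-64 encode DER bytes in 64-character lines between the PEM armour lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def thumbprint(data: bytes, algorithm: str = "sha1") -> str:
    """Hash of the DER bytes, colon-separated like the Thumbprint field on the details screen."""
    digest = hashlib.new(algorithm, to_der(data)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _canonical(fp: str) -> str:
    # Drop separators and case so "AB:CD" and "ab cd" compare equal.
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def thumbprint_matches(data: bytes, spoken_value: str, algorithm: str = "sha1") -> bool:
    """Compare the computed thumbprint with one read out over the phone.
    Case and separators are ignored; the comparison is constant-time, and a
    partial value (only the first few octets) never matches."""
    return hmac.compare_digest(_canonical(thumbprint(data, algorithm)), _canonical(spoken_value))


# Constructed stand-in: a tiny ASN.1 SEQUENCE {INTEGER 1, OCTET STRING "hello"}.
# It is NOT a real certificate; it only exercises the DER/PEM handling and hashing.
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(detect_format(SAMPLE_DER), detect_format(pem))
    print(thumbprint(SAMPLE_DER) == thumbprint(pem))   # same bytes, same thumbprint
    print(thumbprint(pem))
```

Run `thumbprint_matches(open(path, "rb").read(), value_read_over_the_phone)` against the certificate file before importing it; a `False` means either a transcription error or a different certificate, and either way the import should wait.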
• Page 289: Trusted Remote Host Certificate Details

    Figure 137 Trusted Remote Host Import. The following table describes the labels in this screen. Table 92 Trusted Remote Host Import. File Path: Type the location of the file you want to upload in this field, or click Browse to find it.
• Page 290: Figure 138 Trusted Remote Host Details

    Figure 138 Trusted Remote Host Details. The following table describes the labels in this screen. Table 93 Trusted Remote Host Details. Name: This field displays the identifying name of this certificate. To change the name, type up to 31 characters to identify this key certificate.
• Page 291

    Table 93 Trusted Remote Host Details (continued). Refresh: Click Refresh to display the certification path. Certificate Information: These read-only fields display detailed information about the certificate. Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed.
• Page 292: Directory Servers

    Table 93 Trusted Remote Host Details (continued). Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM Base-64 encodes the binary certificate with a 64-character ASCII alphabet so that it can be handled as printable text.
• Page 293: Add or Edit a Directory Server

    The following table describes the labels in this screen. Table 94 Directory Servers. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green.
• Page 294: Table 95 Directory Server Add

    The following table describes the labels in this screen. Table 95 Directory Server Add. Directory Service Setting. Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
• Page 295: Network Address Translation (NAT)

    CHAPTER 16 Network Address Translation (NAT). This chapter discusses how to configure NAT on the ZyWALL. 16.1 NAT Overview. NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
• Page 296: What NAT Does

    Note: NAT never changes the IP address (either local or global) of an outside host. 16.1.2 What NAT Does. In its simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another address (the inside global address) before forwarding the packet to the WAN side.
• Page 297: NAT Application

    Figure 141 How NAT Works. 16.1.4 NAT Application. The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL communicate with three distinct WAN networks. More examples follow at the end of this chapter.
• Page 298: Table 97 NAT Mapping Types

    • One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address.
    • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature (the SUA option).
• Page 299: Using NAT

    16.2 Using NAT. Note: You must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the ZyWALL. 16.2.1 SUA (Single User Account) Versus NAT. SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
• Page 300: Figure 143 NAT Overview

    Figure 143 NAT Overview. The following table describes the labels in this screen. Table 98 NAT Overview. Global Settings. Max. Concurrent Sessions: This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time.
• Page 301: Configuring Address Mapping

    Table 98 NAT Overview (continued). Address Mapping Rules: Select SUA to have the ZyWALL use its permanent, pre-defined NAT address mapping rules. Select Full Feature to have the ZyWALL use the address mapping rules that you configure.
• Page 302: Figure 144 Address Mapping

    Figure 144 Address Mapping. The following table describes the labels in this screen. Table 99 Address Mapping. SUA Address Mapping Rules: This read-only table displays the default address mapping rules. Full Feature Address Mapping Rules. WAN Interface: Select the WAN port for which you want to view or configure address mapping rules.
• Page 303: Address Mapping Edit

    Table 99 Address Mapping (continued). Global Start IP: This is the Inside Global IP Address (IGA), that is, the starting global IP address. 0.0.0.0 stands for a dynamic IP address from your ISP with the Many-to-One and Server mapping types.
• Page 304: Port Forwarding

    The following table describes the labels in this screen. Table 100 Address Mapping Edit. Type: Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address.
• Page 305: Default Server IP Address

    16.5.1 Default Server IP Address. In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets arriving on ports that are not specified in this screen. Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Leaving the default server unset is the safer configuration: a default server exposes every port of that host to the WAN, not just the services you intended to publish.
• Page 306: NAT and Multiple WAN

    Figure 146 Multiple Servers Behind NAT Example. 16.5.4 NAT and Multiple WAN. The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port.
• Page 307: Configuring Port Forwarding

    Figure 147 Port Translation Example. 16.6 Configuring Port Forwarding. Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
• Page 308: Figure 148 Port Forwarding

    Figure 148 Port Forwarding. The following table describes the labels in this screen. Table 102 Port Forwarding. WAN Interface: Select the WAN port for which you want to view or configure port forwarding rules.
• Page 309: Configuring Trigger Port

    Table 102 Port Forwarding (continued). Server IP Address: Enter the inside IP address of the server here. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
• Page 310: Figure 150 Port Triggering

    4. The ZyWALL forwards the traffic to Jane’s computer IP address.
    5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out the trigger after three minutes for UDP (User Datagram Protocol) or two hours for TCP/IP (Transmission Control Protocol/Internet Protocol).
• Page 311

    Table 103 Port Triggering. Trigger: The trigger port is a port (or range of ports) that causes (triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
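The forwarding decision the last few pages describe (port forwarding rules, the default server, the discard rule when no default server is set, and trigger ports with their three-minute UDP and two-hour TCP timeouts) can be modelled to check a rule set before it goes on the box. The following Python is an added example for this page, not ZyXEL code, and it models only the NAT decision; the firewall rule the manual says you must also create is outside it. The rule values (a web server at 192.168.1.10 on port 80, a trigger port of 7070 opening 6970-7170 for Real Audio) are constructed for the example, and the precedence order (static port forwarding, then trigger-opened ranges, then the default server) is my reading of the screens, not something the manual states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UDP_TRIGGER_TIMEOUT = 3 * 60        # seconds; the manual says three minutes for UDP
TCP_TRIGGER_TIMEOUT = 2 * 60 * 60   # seconds; the manual says two hours for TCP


@dataclass
class ForwardRule:
    """One Port Forwarding row: WAN port range -> inside server."""
    start_port: int
    end_port: int
    server_ip: str


@dataclass
class TriggerRule:
    """One Port Triggering row: outbound traffic to the trigger range opens the incoming range."""
    trigger_start: int
    trigger_end: int
    incoming_start: int
    incoming_end: int


@dataclass
class ZyWallNat:
    forwards: List[ForwardRule] = field(default_factory=list)
    triggers: List[TriggerRule] = field(default_factory=list)
    default_server: Optional[str] = None
    # incoming range -> (LAN IP recorded by the trigger, time the opening expires)
    _opened: Dict[Tuple[int, int], Tuple[str, float]] = field(default_factory=dict)

    def outbound(self, lan_ip: str, dst_port: int, proto: str, now: float) -> None:
        """A LAN host sends to a WAN server. If the destination port is a trigger port,
        record that host so the incoming range is forwarded to it (steps 1-3 of the example).
        An opening that is still active is not overwritten: only the first host
        ("Jane") gets the incoming traffic until it is closed or times out."""
        timeout = UDP_TRIGGER_TIMEOUT if proto.lower() == "udp" else TCP_TRIGGER_TIMEOUT
        for t in self.triggers:
            if t.trigger_start <= dst_port <= t.trigger_end:
                key = (t.incoming_start, t.incoming_end)
                active = key in self._opened and now < self._opened[key][1]
                if not active:
                    self._opened[key] = (lan_ip, now + timeout)

    def inbound(self, wan_dst_port: int, now: float) -> Optional[str]:
        """Return the inside IP a WAN packet is forwarded to, or None if the ZyWALL discards it."""
        for rule in self.forwards:                              # 1. static port forwarding rows
            if rule.start_port <= wan_dst_port <= rule.end_port:
                return rule.server_ip
        for key, (lan_ip, expiry) in list(self._opened.items()):  # 2. trigger-opened ranges
            if now >= expiry:
                del self._opened[key]                           # timed out: 3 min UDP / 2 h TCP
                continue
            if key[0] <= wan_dst_port <= key[1]:
                return lan_ip
        return self.default_server                              # 3. default server, else discard


def example_nat() -> ZyWallNat:
    """Constructed rule set for the example; the addresses and ports are not from the manual."""
    return ZyWallNat(
        forwards=[ForwardRule(80, 80, "192.168.1.10")],
        triggers=[TriggerRule(7070, 7070, 6970, 7170)],
        default_server=None,
    )


if __name__ == "__main__":
    nat = example_nat()
    print(nat.inbound(80, now=0))                        # 192.168.1.10
    print(nat.inbound(25, now=0))                        # None: no default server, discarded
    nat.outbound("192.168.1.33", 7070, "udp", now=0)     # Jane starts a Real Audio session
    print(nat.inbound(7000, now=60))                     # 192.168.1.33
    print(nat.inbound(7000, now=181))                    # None: UDP trigger timed out
```

Feeding a proposed rule set through `inbound` for every WAN port you care about shows exactly which inside hosts become reachable, and setting `default_server` makes the effect of that one field visible: every otherwise-unmatched port stops returning `None`.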
• Page 313: Chapter 17 Static Route

    CHAPTER 17 Static Route. This chapter shows you how to configure static routes for your ZyWALL. 17.1 Static Route Overview. Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond it.
• Page 314: Configuring IP Static Route

    17.2 Configuring IP Static Route. Click STATIC ROUTE to open the IP Static Route screen (some of the screen’s blank rows are not shown). Note: The first two static route entries are the default WAN1 and WAN2 routes and cannot be modified or deleted.
• Page 315: Configuring a Static Route Entry

    Table 104 IP Static Route. Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device’s LAN or WAN port.
• Page 316

    Table 105 Edit IP Static Route. Metric: Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measure of cost, with a minimum of 1 for directly connected networks.
• Page 317: Chapter 18 Policy Route

    CHAPTER 18 Policy Route. This chapter covers setting and applying policies used for IP routing. 18.1 Introduction to IP Policy Routing. Traditionally, routing is based on the destination address only, and the ZyWALL takes the shortest path to forward a packet.
• Page 318: IP Routing Policy Setup

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. 18.4 IP Routing Policy Setup. Click POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown).
• Page 319: Configuring the IP Policy Route Entry

    The following table describes the labels in this screen. Table 106 Policy Route Setup. The first column is the number of an individual policy route. Active: This field shows whether the policy is active or inactive.
• Page 320: Figure 155 Edit IP Policy Route

    Figure 155 Edit IP Policy Route. The following table describes the labels in this screen. Table 107 Edit IP Policy Route. Criteria. Active: Select the check box to activate the policy. Rule Index: This is the index number of the policy route.
• Page 321

    Table 107 Edit IP Policy Route (continued). Packet Length: Type a packet length (in bytes). The operator selected in the Length Comparison field applies to incoming packets of this length. Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal, or Greater or Equal.
• Page 323: Chapter 19 Bandwidth Management

    CHAPTER 19 Bandwidth Management. This chapter describes the functions and configuration of bandwidth management. 19.1 Bandwidth Management Overview. Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
• Page 324: Proportional Bandwidth Allocation

    The total of the configured bandwidth budgets for sub-classes cannot exceed the configured bandwidth budget of the parent class. 19.3 Proportional Bandwidth Allocation. Bandwidth management allows you to define how much bandwidth each class gets; however, the bandwidth actually allotted to each class decreases or increases in proportion to the bandwidth actually available.
• Page 325: Application and Subnet-Based Bandwidth Management Example

    Figure 157 Subnet-based Bandwidth Management Example. 19.4.3 Application and Subnet-based Bandwidth Management Example. The following example uses bandwidth classes based on LAN subnets and applications (specific applications in each subnet are allotted bandwidth). Table 108 Application and Subnet-based Bandwidth Management Example...
• Page 326: Priority-Based Scheduler

    19.5.1 Priority-based Scheduler. With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to them. The larger a bandwidth class’s priority number, the higher its priority. Assign real-time applications (such as audio or video) a higher priority number for smoother operation.
• Page 327: Maximize Bandwidth Usage Example

    19.6.2 Maximize Bandwidth Usage Example. Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface. The first figure shows each bandwidth class’s bandwidth budget and priority. The classes are set up based on subnets. The interface is set to 10 Mbps and each subnet is allocated 2 Mbps. When you do not select the maximize bandwidth usage option, the unbudgeted 2 Mbps is what carries traffic that does not match any of the bandwidth filters.
• Page 328: Bandwidth Borrowing

    Figure 160 Maximize Bandwidth Usage Example. 19.7 Bandwidth Borrowing. Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.
• Page 329: Maximize Bandwidth Usage with Bandwidth Borrowing

    Figure 161 Bandwidth Borrowing Example
    • The Sales USA class can borrow unused bandwidth from the Sales class because the Sales USA class has bandwidth borrowing enabled.
    • The Sales USA class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
• Page 330: Configuring Summary

    3. The ZyWALL assigns any remaining unused or unbudgeted bandwidth on the interface to any bandwidth class that requires it. The ZyWALL gives priority to bandwidth classes of higher priority and treats bandwidth classes of the same priority equally.
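The allocation procedure that sections 19.3 through 19.6 describe (budgets, the priority-based scheduler, proportional scaling when the interface cannot carry every budget, and the maximize bandwidth usage step above that hands leftover bandwidth to higher-priority classes first) can be reproduced in a few lines. The following Python is an added example for this page, not ZyXEL code, and it does not model bandwidth borrowing between parent and sub-classes. The class names, priorities and offered loads are constructed for the example; the 10 Mbps interface with 2 Mbps per class and 2 Mbps unbudgeted follows the figures in section 19.6.2 (four classes, since 10 minus 2 unbudgeted leaves 8).

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BwClass:
    name: str
    budget_kbps: int
    priority: int      # larger number = higher priority, as on the ZyWALL
    demand_kbps: int   # offered load; constructed for the example, not a ZyWALL setting


def allocate(interface_kbps: int, classes: List[BwClass], maximize: bool) -> Dict[str, int]:
    """Bandwidth each class is allowed to send, in kbps.

    1. Every class gets up to its budget, but no more than it wants. If the
       interface cannot carry the sum of the budgets, every budget shrinks in
       proportion (section 19.3, proportional allocation).
    2. Without Maximize Bandwidth Usage, unused and unbudgeted bandwidth stays idle.
    3. With it, leftover bandwidth goes to classes that still want more: higher
       priority first, equal shares among classes of the same priority.
    """
    total_budget = sum(c.budget_kbps for c in classes)
    scale = min(1.0, interface_kbps / total_budget) if total_budget else 0.0
    alloc = {c.name: min(c.demand_kbps, int(c.budget_kbps * scale)) for c in classes}
    if not maximize:
        return alloc

    remaining = interface_kbps - sum(alloc.values())
    for prio in sorted({c.priority for c in classes}, reverse=True):
        wanting = [c for c in classes if c.priority == prio and alloc[c.name] < c.demand_kbps]
        while wanting and remaining > 0:
            share = remaining // len(wanting)   # equal treatment within a priority level
            if share == 0:
                break                            # fewer kbps left than classes; leave the crumbs
            still_wanting = []
            for c in wanting:
                give = min(c.demand_kbps - alloc[c.name], share)
                alloc[c.name] += give
                remaining -= give
                if alloc[c.name] < c.demand_kbps:
                    still_wanting.append(c)
            wanting = still_wanting
        if remaining <= 0:
            break
    return alloc


# Constructed example: 10 Mbps interface, four subnet classes budgeted 2 Mbps each,
# leaving 2 Mbps unbudgeted as in the figure for section 19.6.2.
EXAMPLE_CLASSES = [
    BwClass("Sales",     2000, priority=3, demand_kbps=5000),
    BwClass("Marketing", 2000, priority=3, demand_kbps=2500),
    BwClass("R&D",       2000, priority=2, demand_kbps=6000),
    BwClass("Admin",     2000, priority=1, demand_kbps=500),
]

if __name__ == "__main__":
    print(allocate(10000, EXAMPLE_CLASSES, maximize=False))
    # Sales 2000, Marketing 2000, R&D 2000, Admin 500: 3500 kbps sit idle
    print(allocate(10000, EXAMPLE_CLASSES, maximize=True))
    # Sales 5000, Marketing 2500, R&D 2000, Admin 500: the priority-3 classes took it all
```

The second run shows the trade-off the manual only hints at: with maximize bandwidth usage on, R&D gets nothing beyond its budget even though it wants 6 Mbps, because the two priority-3 classes absorb every spare kilobit first. Lowering the interface figure to 4000 shows the proportional step instead: each 2000 kbps budget becomes 1000.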
• Page 331: Configuring Class Setup

    Table 109 Bandwidth Manager: Summary (continued). Scheduler: Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow. Select Priority-Based to give preference to bandwidth classes with higher priorities. Select Fairness-Based to treat all bandwidth classes equally.
• Page 332: Bandwidth Manager Class Configuration

    Figure 163 Bandwidth Manager: Class Setup. The following table describes the labels in this screen. Table 110 Bandwidth Manager: Class Setup. Interface: Select the interface for which you wish to set up classes from the drop-down list box.
• Page 333: Figure 164 Bandwidth Manager: Edit Class

    Figure 164 Bandwidth Manager: Edit Class. The following table describes the labels in this screen. Table 111 Bandwidth Manager: Edit Class. Class Configuration. Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
• Page 334

    Table 111 Bandwidth Manager: Edit Class (continued). Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
• Page 335: Bandwidth Management Statistics

    Table 112 Services and Port Numbers (service: port number). ECHO: 7. FTP (File Transfer Protocol): 21. SMTP (Simple Mail Transfer Protocol): 25. DNS (Domain Name System): 53. Finger: 79. HTTP (Hyper Text Transfer Protocol, or WWW, Web): 80. POP3 (Post Office Protocol): 110.
• Page 336: Configuring Monitor

    Table 113 Bandwidth Management Statistics (continued). Dropped Packets: This field displays the total number of packets dropped. Dropped Bytes: This field displays the total number of bytes dropped. Bandwidth Statistics for the Past 8 Seconds (t-8 to t-1): This field displays the bandwidth statistics (in bps) for each of the past one to eight seconds.
• Page 337

    Table 114 Bandwidth Manager Monitor. Budget (kbps): This field displays the amount of bandw idth allocated to the class. Current Usage (kbps): This field displays the amount of bandwidth that each class is using. Refresh: Click Refresh to update the page.
• Page 339: Chapter 20 DNS

    CHAPTER 20 DNS. This chapter shows you how to configure the DNS screens. 20.1 DNS Overview. DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine before you can access it.
• Page 340: Address Record

    20.4 Address Record. An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel”...
• Page 341: The System Screen

    Figure 167 Private DNS Server Example. Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
• Page 342: Figure 168 System

    Figure 168 System. The following table describes the labels in this screen. Table 115 System. Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.
• Page 343: Adding an Address Record

    Table 115 System (continued). The first column is the index number of the name server record. Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
• Page 344: Inserting a Name Server Record

    Table 116 System: Add. Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. 20.6.2 Inserting a Name Server Record. Click Insert in the System screen to insert a name server record.
• Page 345: DNS Cache

    The following table describes the labels in this screen. Table 117 System: Insert. Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
• Page 346: Configure DNS Cache

    20.8 Configure DNS Cache. To configure your ZyWALL’s DNS caching, click DNS, then the Cache tab. The screen appears as shown. Figure 171 Cache. The following table describes the labels in this screen. Table 118 Cache...
• Page 347: Configuring LAN DNS

    Table 118 Cache (continued). Reset: Click Reset to begin configuring this screen afresh. DNS Cache Entry Flush: Click this button to clear the cache manually. After you flush the cache, the ZyWALL must query the DNS servers again for any domain names that had previously been resolved.
• Page 348: Dynamic DNS

    The following table describes the labels in this screen. Table 119 LAN. DNS Servers Assigned by DHCP: The ZyWALL passes DNS (Domain Name System) server IP addresses (in the order you specify here) to the DHCP clients. The ZyWALL only passes this...
• Page 349: DYNDNS Wildcard

    20.10.1 DYNDNS Wildcard. Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
• Page 350: Table 120 DDNS

    The following table describes the labels in this screen. Table 120 DDNS. Account Setup. Active: Select this check box to use dynamic DNS. Service Provider: This is the name of your Dynamic DNS service provider.
• Page 351

    Table 120 DDNS (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
• Page 353: Chapter 21 Remote Management

    CHAPTER 21 Remote Management. This chapter provides information on the Remote Management screens. 21.1 Remote Management Overview. Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
• Page 354: Remote Management Limitations

    21.1.1 Remote Management Limitations. Remote management over LAN or WAN will not work when:
    1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
• Page 355: Configuring WWW

    requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT, WWW screen). Authenticate Client Certificates is optional; if selected, the SSL client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL. Without client certificates, HTTPS protects only the confidentiality of the session; access to the configurator still rests on the password alone.
• Page 356: Figure 175 WWW

    Figure 175 WWW. The following table describes the labels in this screen. Table 121 WWW. HTTPS Server Certificate: Select the server certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the ZyWALL).
• Page 357: HTTPS Example

    Table 121 WWW (continued). Server Port: You may change the server port number for a service if needed; however, you must then use the same port number in order to use that service for remote management.
• Page 358: Netscape Navigator Warning Messages

    21.4.2 Netscape Navigator Warning Messages. When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
• Page 359: Avoiding the Browser Warning Messages

    21.4.3 Avoiding the Browser Warning Messages. The following describes the main reasons your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing them.
    • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
• Page 360: Figure 179 Login Screen (Internet Explorer)

    Figure 179 Login Screen (Internet Explorer). Figure 180 Login Screen (Netscape). Click Login and you then see the next screen.
• Page 361: Figure 181 Replace Certificate

    The factory default certificate is a common default certificate shared by all ZyWALL models. Because every ZyWALL ships with the same certificate, and therefore the same private key, anyone with another unit can present it and impersonate your device; replace it before relying on HTTPS for remote management. Figure 181 Replace Certificate. Click Apply in the Replace Certificate screen to create a certificate, based on your ZyWALL’s MAC address, that is specific to this device. Click CERTIFICATES to open the My Certificates screen.
• Page 362: SSH Overview

    Figure 183 Common ZyWALL Certificate. 21.5 SSH Overview. Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure, encrypted communication between two hosts over an unsecured network.
• Page 363: SSH Implementation on the ZyWALL

    Figure 185 How SSH Works. 1. Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. (This is the SSH version 1 key exchange, which is what the ZyWALL’s SSH-1.5 banner later in this chapter advertises; SSH version 2 instead negotiates the session key with Diffie-Hellman, so neither side’s long-term key ever encrypts it.)
• Page 364: Requirements for Using SSH

    21.7.1 Requirements for Using SSH. You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH. 21.8 Configuring SSH. To change your ZyWALL’s Secure Shell settings, click REMOTE MGMT, then the SSH tab.
• Page 365: Secure Telnet Using SSH Examples

    Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. 21.9 Secure Telnet Using SSH Examples. This section shows two examples, using a command-line and a graphical SSH client program, of remotely accessing the ZyWALL.
• Page 366: Secure FTP Using SSH Example

    Figure 188 SSH Example 2: Test
        $ telnet 192.168.1.1 22
        Trying 192.168.1.1...
        Connected to 192.168.1.1.
        Escape character is '^]'.
        SSH-1.5-1.0.0
    2. Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1, which is the protocol version the banner above advertises. SSH version 1 is obsolete and has known cryptographic weaknesses, so use it only for devices such as this one that offer nothing newer, and only from a trusted network. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
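The banner the telnet test above prints, SSH-1.5-1.0.0, tells you which protocol versions a server speaks before you ever authenticate, and it is the quickest way to find out whether an appliance like this one can be reached with anything other than the obsolete SSH version 1. The following Python is an added example for this page, not ZyXEL code: it extracts the identification string from a transcript such as the one above, parses it as RFC 4253 describes (SSH-protoversion-softwareversion, optional comments), and classifies the server as version-1 only, version 2, or both (protoversion 1.99 means both). The transcript and the extra banners it is tried against are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SSH-protoversion-softwareversion SP comments CR LF (RFC 4253 section 4.2)
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass(frozen=True)
class SshBanner:
    protoversion: str
    softwareversion: str
    comments: str

    def classify(self) -> str:
        """'v1-only' for 1.x servers like the ZyWALL's SSH-1.5 banner,
        'v1-and-v2' for the 1.99 compatibility value, 'v2' for 2.0."""
        if self.protoversion == "1.99":
            return "v1-and-v2"
        if self.protoversion.startswith("1."):
            return "v1-only"
        return "v2"


def parse_banner(line: str) -> SshBanner:
    """Parse one identification line; trailing CR/LF from the wire is tolerated."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m["proto"], m["software"], m["comments"] or "")


def banner_from_transcript(transcript: str) -> Optional[SshBanner]:
    """Pick the identification string out of a 'telnet host 22' session.
    Servers may send other lines first, so every line is tried and the
    first one that parses wins; None means no SSH server answered."""
    for line in transcript.splitlines():
        try:
            return parse_banner(line)
        except ValueError:
            continue
    return None


# Constructed transcript modelled on the telnet test in the manual.
TRANSCRIPT = """Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.5-1.0.0
"""

if __name__ == "__main__":
    b = banner_from_transcript(TRANSCRIPT)
    print(b, b.classify() if b else None)   # protoversion 1.5, software 1.0.0: v1-only
```

A result of `v1-only` is the signal to keep the SSH service reachable only from the management LAN, since no client setting can make that session use a stronger protocol.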
• Page 367: Telnet

    Figure 190 Secure FTP: Firmware Upload Example
        $ sftp -1 192.168.1.1
        Connecting to 192.168.1.1...
        The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
        RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
        Are you sure you want to continue connecting (yes/no)? yes
        Warning: Permanently added '192.168.1.1' (RSA1) to the list of known...
    Answer yes only after checking the fingerprint shown against the ZyWALL’s host key fingerprint obtained by another route; once saved, the client trusts that key for every later connection without asking again.
• Page 368: Configuring FTP

    Figure 192 Telnet. The following table describes the labels in this screen. Table 123 Telnet. Server Port: You may change the server port number for a service if needed; however, you must then use the same port number in order to use that service for remote management.
• Page 369: Configuring SNMP

    Figure 193 FTP. The following table describes the labels in this screen. Table 124 FTP. Server Port: You may change the server port number for a service if needed; however, you must then use the same port number in order to use that service for remote management.
• Page 370: Figure 194 SNMP Management Model

    Figure 194 SNMP Management Model. An SNMP-managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). The agent translates the local management information from the managed device into a form compatible with SNMP.
• Page 371: Supported MIBs

    21.14.1 Supported MIBs. The ZyWALL supports MIB II as defined in RFC 1213 and RFC 1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 21.14.2 SNMP Traps. The ZyWALL will send traps to the SNMP manager when any one of the following events...
  • Page 372: Figure 195 SNMP

    Figure 195 SNMP The following table describes the labels in this screen. Table 126 SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
  • Page 373: Configuring DNS

    21.15 Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 7 WAN Screens for more information. To change your ZyWALL’s DNS settings, click REMOTE MGMT, then the DNS tab. The screen appears as shown.
  • Page 374: Configuring CNM

    If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
  • Page 375 Table 128 CNM (continued) LABEL DESCRIPTION Last Registration Time This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
  • Page 376
  • Page 377: Chapter 22 UPnP

    Chapter 22 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 22.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 378: UPnP and ZyXEL

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 22.2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™...
  • Page 379: Displaying UPnP Port Mapping

    Table 129 Configuring UPnP LABEL DESCRIPTION Enable the Universal Plug and Play (UPnP) Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without...
  • Page 380: Installing UPnP in Windows Example

    The following table describes the labels in this screen. Table 130 UPnP Ports LABEL DESCRIPTION Reserve UPnP NAT rules in flash Select this checkbox to have the ZyWALL retain UPnP created NAT rules even after restarting. If you use UPnP and you set a port on your computer to be fixed for...
  • Page 381: Installing UPnP in Windows Me

    22.5.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 382: Installing UPnP in Windows XP

    22.5.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 383: Auto-discover Your UPnP-enabled Network Device

    22.6.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 384: Web Configurator Easy Access

    Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
  • Page 385 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 386 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 387: Chapter 23 Logs Screens

    Chapter 23 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix S Log Descriptions for example log message explanations. 23.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 388: Log Description Example

    Figure 200 View Log The following table describes the labels in this screen. Table 131 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see the Configuring Log Settings section) display in the drop-down list box.
  • Page 389: Configuring Log Settings

    The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to the appendices for more log message descriptions and details on using the command line interpreter to display logs.
  • Page 390: Figure 201 Log Settings

    Figure 201 Log Settings
  • Page 391: Table 133 Log Settings

    The following table describes the labels in this screen. Table 133 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 392: Configuring Reports

    Table 133 Log Settings (continued) LABEL DESCRIPTION Active Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.
  • Page 393: Figure 202 Reports

    Figure 202 Reports Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 134 Reports LABEL DESCRIPTION Collect Statistics Select the check box and click Apply to have the ZyWALL record report data.
  • Page 394: Viewing Web Site Hits

    23.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 395: Viewing LAN IP Address

    Figure 204 Protocol/Port Report Example The following table describes the labels in this screen. Table 136 Protocol/Port Report LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
  • Page 396: Reports Specifications

    Figure 205 LAN IP Address Report Example The following table describes the labels in this screen. Table 137 LAN IP Address Report LABEL DESCRIPTION IP Address This column lists the LAN IP addresses to and/or from which the most traffic has been sent.
  • Page 397: Chapter 24 Maintenance

    Chapter 24 Maintenance This chapter displays information on the maintenance screens. 24.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
  • Page 398: Configuring Password

    Figure 206 General Setup The following table describes the labels in this screen. Table 139 General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long.
  • Page 399: Pre-defined NTP Time Servers List

    Figure 207 Password Setup The following table describes the labels in this screen. Table 140 Password Setup LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field.
  • Page 400: Configuring Time and Date

    Table 141 Default Time Servers ntp3.cs.wisc.edu ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se tick.stdtime.gov.tw tock.stdtime.gov.tw time.stdtime.gov.tw 24.5 Configuring Time and Date To change your ZyWALL’s time and date, click MAINTENANCE, then the Time and Date tab. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on your local time zone.
  • Page 401: Table 142 Time and Date

    The following table describes the labels in this screen. Table 142 Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the time of your ZyWALL. Each time you reload this page, the ZyWALL synchronizes the time with the time server.
  • Page 402: Time Server Synchronization

    Table 142 Time and Date (continued) LABEL DESCRIPTION Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a...
  • Page 403: Configuring Device Mode

    Figure 210 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen. Figure 211 Synchronization Fail 24.6 Configuring Device Mode To configure and have your ZyWALL work as a router or a bridge, click MAINTENANCE, then the Device Mode tab.
  • Page 404: Figure 212 Device Mode (Router Mode)

    Figure 212 Device Mode (Router Mode) The following table describes the labels in this screen. Table 143 Device Mode (Router Mode) LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge.
  • Page 405: Figure 213 Device Mode (Bridge Mode)

    Figure 213 Device Mode (Bridge Mode) The following table describes the labels in this screen. Table 144 Device Mode (Bridge Mode) LABEL DESCRIPTION Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge.
  • Page 406: F/W Upload Screen

    Table 144 Device Mode (Bridge Mode) (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the LAN Interface IP Address field to access the ZyWALL again.
  • Page 407: Figure 215 Firmware Upload in Process

    After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 215 Firmware Upload In Process The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 408: Configuration Screen

    24.8 Configuration Screen See the Uploading Firmware and Configuration Files section for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
  • Page 409: Restore Configuration

    24.8.2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyWALL. Table 146 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it.
  • Page 410: Back to Factory Defaults

    If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. Figure 221 Configuration Upload Error 24.8.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen.
  • Page 411: Figure 223 Restart Screen

    Figure 223 Restart Screen
  • Page 412
  • Page 413: Chapter 25 Introducing the SMT

    Chapter 25 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 25.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 414: Entering the Password

    Figure 224 Initial Screen Copyright (c) 1994 - 2004 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:A0:C5:01:23:45 initialize ch =1, ethernet address: 00:A0:C5:01:23:46 initialize ch =2, ethernet address: 00:A0:C5:01:23:47 initialize ch =3, ethernet address: 00:A0:C5:01:23:48 initialize ch =4, ethernet address: 00:00:00:00:00:00 AUX port init .
  • Page 415: Main Menu

    Table 147 Main Menu Commands OPERATION KEYSTROKES DESCRIPTION Move to a “hidden” Press [SPACE BAR] to change No Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes,...
  • Page 416: Figure 226 Main Menu (Router Mode)

    Figure 226 Main Menu (Router Mode) Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ZyWALL 35 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. WAN Setup 22. SNMP Configuration 3.
  • Page 417: SMT Menus at a Glance

    Table 148 Main Menu Summary NO. MENU TITLE FUNCTION LAN Setup Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings and configure the wireless LAN port. Internet Access Setup Configure your Internet Access setup (Internet address, gateway, login, etc.) with this menu.
  • Page 418: Changing the System Password

    Figure 228 ZyWALL SMT Menu Overview Example 25.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next.
  • Page 419: Resetting the ZyWALL

    Figure 229 Menu 23: System Password Menu 23 - System Password Old Password= ? New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: 2 Type your existing password and press [ENTER].
  • Page 420
  • Page 421: SMT Menu 1 - General Setup

    Chapter 26 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 26.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information.
  • Page 422: Figure 231 Menu 1: General Setup (Bridge Mode)

    Table 149 Menu 1: General Setup (Router Mode) (continued) FIELD DESCRIPTION Edit Dynamic DNS Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
  • Page 423: Configuring Dynamic DNS

    26.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
  • Page 424: Figure 233 Menu 1.1.1: DDNS Host Summary

    4 Press [SPACE BAR] and then [ENTER] to select Yes in the Edit Host field. Press [ENTER] to display Menu 1.1.1 - DDNS Host Summary. Figure 233 Menu 1.1.1: DDNS Host Summary Menu 1.1.1 DDNS Host Summary...
  • Page 425: Figure 234 Menu 1.1.1: DDNS Edit Host

    Figure 234 Menu 1.1.1: DDNS Edit Host Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy:...
  • Page 426 Table 153 Menu 1.1.1: DDNS Edit Host (continued) FIELD DESCRIPTION IP Address Update Policy: You can select Yes in either the DDNS Server Auto Detect IP Address field (recommended) or the Use Specified IP Address field, but not both.
  • Page 427: WAN and Dial Backup Setup

    Chapter 27 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 27.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.
  • Page 428: Dial Backup

    The following table describes the fields in this screen. Table 154 MAC Address Cloning in WAN Setup FIELD DESCRIPTION WAN 1/2 MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
  • Page 429: Figure 236 Menu 2: Dial Backup Setup

    Figure 236 Menu 2: Dial Backup Setup Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A WAN 2 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No...
  • Page 430: Advanced WAN Setup

    27.5 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
  • Page 431: Remote Node Profile (Backup ISP)

    Table 157 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 432: Table 158 Menu 11.3: Remote Node Profile (Backup ISP)

    The following table describes the fields in this menu. Table 158 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Enter a descriptive name for the remote node. This field can be up to eight characters.
  • Page 433: Editing PPP Options

    Table 158 Menu 11.3: Remote Node Profile (Backup ISP) (continued) FIELD DESCRIPTION Edit Filter sets This field leads to another “hidden” menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.3.4 to edit the filter sets. See...
  • Page 434: Figure 240 Menu 11.3.2: Remote Node Network Layer Options

    Figure 240 Menu 11.3.2: Remote Node Network Layer Options Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 Network Address Translation= SUA Only...
  • Page 435: Editing Login Script

    Table 160 Menu 11.3.2: Remote Node Network Layer Options FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1.
  • Page 436 You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear. They are replaced with the outgoing login name and password in the remote node when the ZyWALL sees them in a ‘Send’...
  • Page 437: Remote Node Filter

    Figure 241 Menu 11.3.3: Remote Node Script Menu 11.3.3 - Remote Node Script Active= No Set 1: Set 5: Expect= Expect= Send= Send= Set 2: Set 6: Expect= Expect= Send= Send= Set 3: Expect= Send= Set 4:...
  • Page 438: Figure 242 Menu 11.3.4: Remote Node Filter

    Figure 242 Menu 11.3.4: Remote Node Filter Menu 11.3.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:...
  • Page 439: Chapter 28 LAN Setup

    Chapter 28 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 28.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
  • Page 440: TCP/IP and DHCP Ethernet Setup Menu

    Figure 244 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 28.4 TCP/IP and DHCP Ethernet Setup Menu...
  • Page 441: Figure 246 Menu 3.2: TCP/IP and DHCP Ethernet Setup

    Figure 246 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Client IP Pool: Starting Address= 192.168.1.33 Size of Client IP Pool= 128 TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.0...
  • Page 442: IP Alias Setup

    Table 163 Menu 3.2: LAN TCP/IP Setup Fields (continued) FIELD DESCRIPTION IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
  • Page 443: Figure 247 Menu 3.2.1: IP Alias Setup

    Figure 247 Menu 3.2.1: IP Alias Setup Menu 3.2.1 - IP Alias Setup IP Alias 1= Yes IP Address= 192.168.2.1 IP Subnet Mask= 255.255.255.0 RIP Direction= None Version= RIP-1 Incoming protocol filters= Outgoing protocol filters= IP Alias 2= No...
  • Page 444: Wireless LAN Setup

    28.5 Wireless LAN Setup Use menu 3.5 to set up your ZyWALL as the wireless access point. Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
  • Page 445: MAC Address Filter Setup

    Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 165 Menu 3.5: Wireless LAN Setup FIELD DESCRIPTION Enable Wireless LAN Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default.
  • Page 446: Figure 249 Menu 3.5.1: WLAN MAC Address Filter

    Follow the steps below to create the MAC address table on your ZyWALL. 1 From the main menu, enter 3 to open Menu 3 - LAN Setup. 2 Enter 5 to display Menu 3.5 - Wireless LAN Setup.
  • Page 447: Chapter 29 Internet Access

    Chapter 29 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 29.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 448: Table 167 Menu 4: Internet Access Setup (Ethernet)

    The following table describes the fields in this menu. Table 167 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes. You can only configure the WAN 2 port in Menu 11.2 - Remote Node Profile or in the WAN WAN 2 screen via the web configurator.
  • Page 449: Configuring the PPTP Client

    29.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 450: Basic Setup Complete

    Figure 252 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic...
  • Page 451: DMZ Setup

    Chapter 30 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 30.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 - DMZ Setup.
  • Page 452: IP Address

    30.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 255 Menu 5: TCP/IP Setup Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2.
  • Page 453: Figure 257 Menu 5.2.1: IP Alias Setup

    Figure 257 Menu 5.2.1: IP Alias Setup Menu 5.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A...
  • Page 454
  • Page 455: Chapter 31 Route Setup

    Chapter 31 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 31.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 258 Menu 6: Route Setup Menu 6 - Route Setup 1.
  • Page 456: Traffic Redirect

    The following table describes the fields in this menu. Table 170 Menu 6.1: Route Assessment FIELD DESCRIPTION Probing WAN 1/2 Check Point Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility.
  • Page 457: Route Failover

    Table 171 Menu 6.2: Traffic Redirect FIELD DESCRIPTION Metric This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's...
  • Page 458
  • Page 459: Chapter 32 Remote Node Setup

    Chapter 32 Remote Node Setup This chapter shows you how to configure a remote node. 32.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 460: Ethernet Encapsulation

    32.3.1 Ethernet Encapsulation There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.x screen you see is for Ethernet encapsulation shown next.
  • Page 461: PPPoE Encapsulation

    Table 173 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued) FIELD DESCRIPTION Retype to Confirm Type your password again to make sure that you have entered it correctly. Server This field is valid only when RoadRunner is selected in the Service Type field. The ZyWALL will find the RoadRunner Server IP automatically if this field is left blank.
  • Page 462: Outgoing Authentication Protocol

    Figure 264 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name=...
  • Page 463: PPTP Encapsulation

    Table 174 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation. Authen This field sets the authentication protocol used for outgoing calls.
  • Page 464: Edit IP

    Figure 265 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0...
  • Page 465: Figure 266 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation

    Figure 266 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= N/A Rem Subnet Mask= N/A My WAN Addr= N/A...
  • Page 466: Remote Node Filter

    Table 176 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local...
  • Page 467: Figure 267 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)

    Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
  • Page 468
  • Page 469: Chapter 33 IP Static Route Setup

    Chapter 33 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 33.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
  • Page 470: Figure 270 Menu 12.1: Edit IP Static Route

    Figure 270 Menu 12.1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 2 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ?
  • Page 471: Network Address Translation (NAT)

    Chapter 34 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 34.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
  • Page 472: Figure 271 Menu 4: Applying NAT for Internet Access

    Figure 271 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A...
  • Page 473: NAT Setup

    The following table describes the fields in this menu. Table 178 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION OPTIONS Network Address Translation Full Feature When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see...
  • Page 474: Address Mapping Sets

    34.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 274 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1. NAT_SET 255. SUA (read only) Enter Menu Selection Number: 34.2.1.1 SUA Address Mapping Set...
  • Page 475: User-Defined Address Mapping Sets

    Note: Menu 15.1.255 is read-only. Table 179 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
  • Page 476: Ordering Your Rules

    Figure 276 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP Local End IP Global Start IP Global End IP Type --------------- ------------- --------------- ------------- ---- Action= None Select Rule= N/A...
  • Page 477: Figure 277 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken.
  • Page 478: Configuring A Server Behind Nat

    Table 181 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Enter the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types. Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…”...
  • Page 479: Figure 279 15.2.1.2: Nat Server Configuration

    Figure 279 15.2.1.2: NAT Server Configuration 15.2.1.1 - NAT Server Configuration Wan= 1 Index= 1 ------------------------------------------------ Name= 1 Active= Yes Start port= 21 End port= 25 IP Address= 192.168.1.33 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 480: Figure 280 Menu 15.2: Nat Server Setup

    Note: The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard. Figure 280 Menu 15.2: NAT Server Setup Menu 15.2.1 - NAT Server Setup...
  • Page 481: General Nat Examples

    34.4 General NAT Examples The following are some examples of NAT configuration. 34.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 482: Example 2: Internet Access With A Default Server

    34.4.2 Example 2: Internet Access with a Default Server Figure 284 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.
  • Page 483: Figure 286 Nat Example 3

    1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
  • Page 484: Figure 287 Example 3: Menu 11.1.2

    Figure 287 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 2...
  • Page 485: Figure 289 Example 3: Final Menu 15.1.1

    Figure 289 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- -------------- --------------- --------------- 1. 192.168.1.10 10.132.50.1 192.168.1.11...
  • Page 486: Example 4: Nat Unfriendly Application Programs

    Figure 290 Example 3: Menu 15.2.1 Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None...
  • Page 487: Figure 292 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Figure 292 Example 4: Menu 15.1.1.1: Address Mapping Rule Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP: Start= 192.168.1.10 = 192.168.1.12 Global IP: Start= 10.132.50.1 = 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as...
  • Page 488: Trigger Port Forwarding

    34.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
  • Page 489: Figure 294 Menu 15.3.1: Trigger Port Setup

    Figure 294 Menu 15.3.1: Trigger Port Setup Menu 15.3.1 - Trigger Port Setup Incoming Trigger Rule Name Start Port End Port Start Port End Port -------------------------------------------------------------- Real Audio 6970 7170 7070 7070 Press ENTER to Confirm or ESC to Cancel:...
  • Page 491: Introducing The Zywall Firewall

    CHAPTER 35 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 35.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 492: Figure 296 Menu 21.2: Firewall Setup

    Figure 296 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
  • Page 493: Filter Configuration

    CHAPTER 36 Filter Configuration This chapter shows you how to create and apply filters. 36.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
  • Page 494: The Filter Structure Of The Zywall

    36.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 495: Figure 298 Filter Rule Process

    Figure 298 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 496: Configuring A Filter Set

    36.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21.
  • Page 497: Configuring A Filter Rule

    Table 184 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
  • Page 498: Configuring A Tcp/Ip Filter Rule

    To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets.
  • Page 499 Table 186 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Destination IP Addr Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. IP Mask Enter the IP mask to apply to the Destination: IP Addr.
  • Page 500: Configuring A Generic Filter Rule

    Figure 302 Executing an IP Filter 36.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is...
  • Page 501: Figure 303 Menu 21.1.1.1: Generic Filter Rule

    to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 502: Example Filter

    Table 187 Generic Filter Rule Menu Fields FIELD DESCRIPTION More If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields.
  • Page 503: Figure 305 Example Filter: Menu 21.1.3.1

    Figure 305 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0...
  • Page 504: Filter Types And Nat

    M = N (More = No) means an action can be taken immediately. The action is to drop the packet (m = D) if the rule is matched, and to forward the packet immediately (n = F) if the rule is not matched, regardless of whether there are more rules to be checked (there aren’t in this example).
  • Page 505: Applying A Filter

    36.6 Applying a Filter This section shows you where to apply the filter(s) after you have designed them. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and to block incoming telnet, FTP and HTTP connections.
  • Page 506: Applying Remote Node Filters

    Figure 309 Filtering DMZ Traffic Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 36.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below –...
  • Page 507: Chapter 37 Snmp Configuration

    CHAPTER 37 SNMP Configuration This chapter explains SNMP configuration menu 22. 37.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
  • Page 508: Snmp Traps

    Table 188 SNMP Configuration Menu Fields (continued) FIELD DESCRIPTION Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 509: System Information & Diagnosis

    CHAPTER 38 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 38.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 510: Figure 313 Menu 24.1: System Maintenance: Status

    3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 313 Menu 24.1: System Maintenance: Status Menu 24.1 - System Maintenance - Status...
  • Page 511: System Information And Console Port Speed

    Table 190 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION IP Mask This is the IP mask of the port listed on the left. DHCP This is the DHCP setting of the port listed on the left.
  • Page 512: Console Port Speed

    Figure 315 Menu 24.2.1: System Maintenance: Information Menu 24.2.1 - System Maintenance - Information Name: Routing: IP ZyNOS F/W Version: V3.63(WZ.0)b1 | 09/23/2004 Country Code: 255 Ethernet Address: 00:A0:C5:70:F7:EB IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: The following table describes the fields in this screen.
  • Page 513: Log And Trace

    Figure 316 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 514: Unix Syslog

    Figure 318 Examples of Error and Information Messages 52 Thu Jul 1 05:54:53 2004 PP05 ERROR Wireless LAN init fail, code=15 53 Thu Jul 1 05:54:53 2004 PINI INFO Channel 0 ok 54 Thu Jul 1 05:54:56 2004 PP05 -WARN...
  • Page 515 Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message formats are shown next: 1 CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str...
  • Page 516 Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
  • Page 517: Call-Triggering Packet

    38.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Figure 320 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Time: 17:02:44.262...
  • Page 518: Wan Dhcp

    1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 321 Menu 24.4: System Maintenance: Diagnostic Menu 24.4 - System Maintenance - Diagnostic...
  • Page 519: Table 193 System Maintenance Menu Diagnostic

    Table 193 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
  • Page 521: Firmware And Configuration File Maintenance

    CHAPTER 39 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 39.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its...
  • Page 522: Backup Configuration

    The following table is a summary. Note that the internal filename is the filename on the ZyWALL, and the external filename is the filename off the ZyWALL (on your computer, local network or FTP site), so the name (but not the extension) may vary.
  • Page 523: Using The Ftp Command From The Command Line

    Figure 323 Telnet into Menu 24.5 Menu 24.5 - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root"...
  • Page 524: Example Of Ftp Commands From The Command Line

    39.3.3 Example of FTP Commands from the Command Line Figure 324 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay...
  • Page 525: Backup Configuration Using Tftp

    4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running.
  • Page 526: Gui-Based Tftp Clients

    39.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 196 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped.
  • Page 527: Restore Configuration

    Figure 327 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
  • Page 528: Restore Using Ftp

    39.4.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter. Figure 329 Telnet into Menu 24.6 Menu 24.6 -- System Maintenance - Restore Configuration...
  • Page 529: Restore Using Ftp Session Example

    39.4.2 Restore Using FTP Session Example Figure 330 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 530: Uploading Firmware And Configuration Files

    Figure 333 Restore Configuration Example Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 531: Configuration File Upload

    Figure 335 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  • Page 532: Ftp Session Example Of Firmware File Upload

    2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “1234”). 5 Enter “bin” to set transfer mode to binary.
  • Page 533: Tftp Upload Command Example

    2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
  • Page 534: Example Xmodem Firmware Upload Using Hyperterminal

    Figure 338 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atur" after "Enter Debug Mode" message.
  • Page 535: Example Xmodem Configuration Upload Using Hyperterminal

    Figure 340 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode.
  • Page 537: System Maintenance Menus 8 To 10

    CHAPTER 40 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 40.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 538: Command Usage

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 343 Valid Commands Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 539: Call Control Support

    40.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
  • Page 540: Call History

    Figure 345 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.WAN_1 No Budget No Budget 2.WAN_2 No Budget No Budget 3.Dial No Budget No Budget Reset Node (0 to update screen): The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
  • Page 541: Time And Date Setting

    Figure 346 Call History Menu 24.9.2 - Call History Phone Number Rate #call Total Enter Entry to Delete(0 to exit): The following table describes the fields in this screen. Table 199 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here.
  • Page 542: Figure 347 Menu 24: System Maintenance

    Figure 347 Menu 24: System Maintenance Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11.
  • Page 543: Table 200 Menu 24.10 System Maintenance: Time And Date Setting

    Table 200 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 544: Resetting The Time

    Table 200 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION End Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October.
  • Page 545: Chapter 41 Remote Management

    CHAPTER 41 Remote Management This chapter covers remote management found in SMT menu 24.11. 41.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 546: Figure 349 Menu 24.11 - Remote Management Control

    Figure 349 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secure Client IP = 0.0.0.0...
  • Page 547: Remote Management Limitations

    41.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
  • Page 549: Chapter 42 Ip Policy Routing

    CHAPTER 42 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 42.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 550: Ip Routing Policy Setup

    Table 202 Menu 25: Sample IP Routing Policy Summary (continued) FIELD DESCRIPTION Criteria/Action This displays which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to...
  • Page 551: Figure 351 Menu 25.1: Ip Routing Policy Setup

    1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).
  • Page 552: Applying Policy To Packets

    Table 204 Menu 25.1: IP Routing Policy Setup FIELD DESCRIPTION port start / end Source port number range from start to end; applicable only for TCP/UDP. Destination addr start / end Destination IP address range from start to end.
  • Page 553: Ip Policy Routing Example

    The following table describes the fields in this screen. Table 205 Menu 25.1.1: IP Routing Policy Setup FIELD DESCRIPTION LAN/DMZ/ALL Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to apply the policy to packets received on the specific interface(s).
  • Page 554: Figure 354 Ip Routing Policy Example 1

    Figure 354 IP Routing Policy Example 1 Menu 25.1 - IP Routing Policy Setup Rule Index= 1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= Equal Source: addr start= 192.168.1.33...
  • Page 555: Figure 355 Ip Routing Policy Example 2

    Figure 355 IP Routing Policy Example 2 Menu 25.1 - IP Routing Policy Setup Rule Index= 2 Active= No Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= Equal Source: addr start= 0.0.0.0...
  • Page 557: Chapter 43 Call Scheduling

    CHAPTER 43 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 43.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 558: Figure 357 Schedule Set Setup

    To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Figure 357 Schedule Set Setup Menu 26.1 - Schedule Set Setup...
  • Page 559: Figure 358 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Table 206 Schedule Set Setup (continued) FIELD DESCRIPTION Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field.
  • Page 560: Figure 359 Applying Schedule Set(S) To A Remote Node (Pptp)

    Figure 359 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0...
  • Page 561: Chapter 44 Vpn/Ipsec Setup

    CHAPTER 44 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 44.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1 Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
  • Page 562: Ipsec Summary Screen

    Figure 361 Menu 27: VPN/IPSec Setup Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor Enter Menu Selection Number: 44.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 - IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels).
  • Page 563: Table 207 Menu 27.1: Ipsec Summary

    The following table describes the fields in this screen. Table 207 Menu 27.1: IPSec Summary FIELD DESCRIPTION This is the VPN policy index number. Name This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here.
  • Page 564: Ipsec Setup

    Table 207 Menu 27.1: IPSec Summary (continued) FIELD DESCRIPTION Addr End / Mask When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field.
  • Page 565: Figure 363 Menu 27.1.1: Ipsec Setup

    Figure 363 Menu 27.1.1: IPSec Setup Menu 27.1.1 - IPSec Setup Index= 1 Name= Taiwan Active= Yes Keep Alive= No NAT Traversal= No Local ID type = IP Content: My Addr Type= IP Address= 0.0.0.0 Peer ID type= IP Content: Secure Gateway Address= zwtest.zyxel.com.tw...
  • Page 566 Table 208 Menu 27.1.1: IPSec Setup (continued) FIELD DESCRIPTION Local ID type Press [SPACE BAR] to choose IP, DNS, or E-mail and press [ENTER]. Select IP to identify this ZyWALL by its IP address. Select DNS to identify this ZyWALL by a domain name.
  • Page 567 Table 208 Menu 27.1.1: IPSec Setup (continued) FIELD DESCRIPTION Content The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Method to Pre-shared Key. • For IP, type the IP address of the computer with which you will make the VPN connection.
  • Page 568 Table 208 Menu 27.1.1: IPSec Setup (continued) FIELD DESCRIPTION When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 569: Ike Setup

    Table 208 Menu 27.1.1: IPSec Setup (continued) FIELD DESCRIPTION Press [SPACE BAR] to choose either IKE or Manual and then press [ENTER]. Manual Management is useful for troubleshooting if you have problems using IKE key management.
  • Page 570: Table 209 Menu 27.1.1.1: Ike Setup

    The following table describes the fields in this screen. Table 209 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION Phase 1 Negotiation Mode Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
  • Page 571: Manual Setup

    Table 209 Menu 27.1.1.1: IKE Setup (continued) FIELD DESCRIPTION Encapsulation Press [SPACE BAR] to choose from Tunnel mode or Transport mode and then press [ENTER]. See earlier for a discussion of these. Perfect Forward Secrecy Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup.
  • Page 572: Figure 365 Menu 27.1.1.2: Manual Setup

    Figure 365 Menu 27.1.1.2: Manual Setup Menu 27.1.1.2 - Manual Setup Active Protocol= ESP Tunnel ESP Setup SPI (Decimal)= 1234 Encryption Algorithm= DES Key1= 89abcde Key2= N/A Key3= N/A Authentication Algorithm= MD5 Key= 123456789abcde AH Setup...
  • Page 573 Table 211 Menu 27.1.1.2: Manual Setup (continued) FIELD DESCRIPTION SPI (Decimal) The SPI must be from one to four unique decimal characters ("0" to "9") long. Authentication Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER].
  • Page 575: Chapter 45 SA Monitor

    Chapter 45 SA Monitor. This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 45.1 Introduction: A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
  • Page 576: Figure 366 Menu 27.2: SA Monitor

    Figure 366 Menu 27.2: SA Monitor. Menu 27.2 - SA Monitor Name Encap. IPSec ALgorithm --------------------------------------- ----------------- Taiwan : 3.3.3.1 - 3.3.3.3.100 Tunnel ESP DES MD5 Select Command= Refresh Select Connection= 1 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 577 Table 212 Menu 27.2: SA Monitor (continued). Select Connection: Type the VPN connection index number that you want to disconnect and then press [ENTER]. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
  • Page 579: Chapter 46 Troubleshooting

    Chapter 46 Troubleshooting. This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
  • Page 580: Problems with the DMZ Interface

    46.3 Problems with the DMZ Interface. Table 215 Troubleshooting the DMZ Interface. Cannot access servers on the DMZ: Check your Ethernet cable type and connections. Refer to the Quick Start Guide for DMZ connection instructions.
  • Page 581: Problems with Internet Access

    46.5 Problems with Internet Access. Table 217 Troubleshooting Internet Access. Cannot access the Internet: Connect your cable/DSL modem with the ZyWALL using the appropriate cable. Check with the manufacturer of your cable/DSL device about your cable requirement, because some devices may require a crossover cable and others a regular straight-through cable.
  • Page 583: Hardware Specifications

    Appendix A Hardware Specifications. Table 220 General Specifications: Power Adaptor Specification: Input AC 120V / 60Hz; Output; MTBF: 100000 hrs (Mean Time Between Failures); Operation Temperature: 0º C ~ 40º C; Ethernet Specification for WAN: 10/100Mbps Half / Full Auto-negotiation...
  • Page 584: Figure 367 Console/Dial Backup Port Pin Layout

    Figure 367 Console/Dial Backup Port Pin Layout. Table 221 Console/Dial Backup Port Pin Assignments: CONSOLE Port RS-232 (Female) DB-9F; DIAL BACKUP RS-232 (Male) DB-9M (Not on all models); Pin 1 = NON...
  • Page 585: Table 223 European Union AC Power Adaptor Specifications

    Table 222 North American AC Power Adaptor Specifications (continued): Power consumption: 10 W; Plug: North American standards; Safety standards: UL, CUL (UL 1950, CSA C22.2 No.234-M90). AC Power Adapter model AD48-1201200DUY: Input power: AC120Volts/60Hz; Output power: DC12Volts/1.2A...
  • Page 586: Table 225 Japan AC Power Adaptor Specifications

    Table 225 Japan AC Power Adaptor Specifications: AC Power Adapter model JOD-48-1124; Input power: AC100Volts/ 50/60Hz/ 27VA; Output power: DC12Volts/1.2A; Power consumption: 10 W; Plug: Japan standards; Safety standards: T-Mark. Table 226 Australia and New Zealand AC Power Adaptor Specification: AC Power Adapter model AD-1201200Ds or AD-121200DS; Input power: AC240Volts/50Hz/0.2A...
  • Page 587: Setting Up Your Computer's IP Address

    Appendix B Setting up Your Computer’s IP Address. All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 588: Figure 369 Windows 95/98/Me: Network: Configuration

    Figure 369 Windows 95/98/Me: Network: Configuration. Installing Components: The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 589: Figure 370 Windows 95/98/Me: TCP/IP Properties: IP Address

    3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring: 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2 Click the IP Address tab.
  • Page 590: Figure 371 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

    Figure 371 Windows 95/98/Me: TCP/IP Properties: DNS Configuration. 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add.
  • Page 591: Figure 372 Windows XP: Start Menu

    Figure 372 Windows XP: Start Menu. 2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 373 Windows XP: Control Panel. 3 Right-click Local Area Connection and then click Properties.
  • Page 592: Figure 374 Windows XP: Control Panel: Network Connections: Properties

    Figure 374 Windows XP: Control Panel: Network Connections: Properties. 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. Figure 375 Windows XP: Local Area Connection Properties. 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 593: Figure 376 Windows XP: Advanced TCP/IP Settings

    • If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced. Figure 376 Windows XP: Advanced TCP/IP Settings. 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
  • Page 594: Figure 377 Windows XP: Internet Protocol (TCP/IP) Properties

    • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 595: Figure 378 Macintosh OS 8/9: Apple Menu

    Figure 378 Macintosh OS 8/9: Apple Menu. 2 Select Ethernet built-in from the Connect via list. Figure 379 Macintosh OS 8/9: TCP/IP. 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 596: Figure 380 Macintosh OS X: Apple Menu

    4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 597: Figure 381 Macintosh OS X: Network

    Figure 381 Macintosh OS X: Network. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box.
  • Page 599: Appendix C IP Subnetting

    Appendix C IP Subnetting. IP Addressing: Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes: An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 600: Table 228 Allowed IP Address Range by Class

    Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B”...
  • Page 601: Table 230 Alternative Subnet Mask Notation

    Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/”...
  • Page 602: Table 232 Subnet 1

    Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1”...
  • Page 603: Table 234 Subnet 1

    Example: Four Subnets. The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly, to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
  • Page 604: Table 238 Eight Subnets

    Example: Eight Subnets. Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet. Table 238 Eight Subnets (columns: SUBNET, SUBNET ADDRESS, FIRST ADDRESS, LAST ADDRESS, BROADCAST ADDRESS). The following table is a summary for class “C”...
  • Page 605: Table 240 Class B Subnet Planning

    The following table is a summary for class “B” subnet planning. Table 240 Class B Subnet Planning (columns: NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET): 255.255.128.0 (/17), 32766 hosts per subnet; 255.255.192.0 (/18), 16382; 255.255.224.0 (/19), 8190; 255.255.240.0 (/20)...
  • Page 607: Appendix D PPPoE

    Appendix D PPPoE. PPPoE in Action: An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access...
  • Page 608: Figure 382 Single-Computer per Router Hardware Configuration

    Figure 382 Single-Computer per Router Hardware Configuration. How PPPoE Works: The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
  • Page 609: Appendix E PPTP

    Appendix E PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband...
  • Page 610: Figure 385 PPTP Protocol Overview

    PPTP Protocol Overview: PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel.
  • Page 611: Figure 386 Example Message Exchange between Computer and an ANT

    Figure 386 Example Message Exchange between Computer and an ANT. PPP Data Connection: The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 613: Wireless LAN and IEEE 802.11

    Appendix F Wireless LAN and IEEE 802.11. A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection.
  • Page 614: Figure 387 Peer-to-Peer Communication in an Ad-hoc Network

    Ad-hoc Wireless LAN Configuration: The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless nodes or stations (STA), which is called a Basic Service Set (BSS). In the most basic form, a wireless LAN connects a set of computers with wireless adapters. Any...
  • Page 615: Figure 388 ESS Provides Campus-Wide Coverage

    Figure 388 ESS Provides Campus-Wide Coverage.
  • Page 617: Wireless LAN With IEEE 802.1x

    Appendix G Wireless LAN With IEEE 802.1x. As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11: Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC...
  • Page 618: Figure 389 Sequences for EAP MD5-Challenge Authentication

    RADIUS Server Authentication Sequence: The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Figure 389 Sequences for EAP MD5-Challenge Authentication.
  • Page 619: Types of EAP Authentication

    Appendix H Types of EAP Authentication. This appendix discusses the five popular EAP authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
  • Page 620: Table 241 Comparison of EAP Authentication Types

    PEAP (Protected EAP): Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, and simple username and password methods are then used through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
  • Page 621: Appendix I Triangle Route

    Appendix I Triangle Route. The Ideal Setup: When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
  • Page 622: Figure 391 "Triangle Route" Problem

    Figure 391 “Triangle Route” Problem. The “Triangle Route” Solutions: This section presents two solutions to the “triangle route” problem. IP Aliasing: IP alias allows you to partition your network into logical sections over the same Ethernet interface.
  • Page 623: Figure 392 IP Alias

    Figure 392 IP Alias. Gateways on the WAN Side: A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 625: Appendix J SIP Passthrough

    Appendix J SIP Passthrough. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
  • Page 626: Figure 394 SIP User Agent Server

    Table 242 SIP Call Progression (continued): 4. ACK; 5. Dialogue (voice traffic); 6. BYE; 7. OK. 1 A sends a SIP INVITE request to B. This message is an invitation for B to participate in a SIP telephone call.
  • Page 627: Figure 395 SIP Proxy Server

    1 The client device (A in the figure) sends a call invitation to the SIP proxy server (B). 2 The SIP proxy server forwards the call invitation to C. Figure 395 SIP Proxy Server. SIP Redirect Server: A SIP redirect server accepts SIP requests, translates the destination address to an IP address and sends the translated IP address back to the device that sent the request.
  • Page 628: Figure 396 SIP Redirect Server

    Figure 396 SIP Redirect Server. SIP Register Server: A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your user name and password when you register. When you make a VoIP call using SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer.
  • Page 629: Figure 397 ZyWALL SIP ALG

    ZyXEL SIP ALG: • SIP clients can be connected to the LAN, WLAN or DMZ. A SIP server must be on the WAN. The WLAN and DMZ are not available on all models. • You can make and receive calls between the LAN and the WAN, between the WLAN and the WAN and/or between the DMZ and the WAN.
  • Page 630: Signaling Session Timeout

    If the primary WAN connection fails, the SIP client needs to re-register with the SIP server through the secondary WAN port to have the SIP connection go through the secondary WAN port. When the ZyWALL uses both of the WAN ports at the same time, you can configure a routing policy to have the voice traffic from any IP address with UDP port 5060 and the RTP ports go over a specified WAN port.
  • Page 631: Appendix K VPN Setup

    Appendix K VPN Setup. This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users. General Notes: • The private networks behind the IPSec routers must be on different subnets.
  • Page 632: Figure 398 VPN Rules

    The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Secure Gateway Address and Local/Remote IP Address Start settings with your own values.
  • Page 633: Figure 399 Headquarters VPN Rule Edit

    Figure 399 Headquarters VPN Rule Edit. IP addresses on different subnets. The IP address of the branch office IPSec router.
  • Page 634: Figure 400 Branch Office VPN Rule Edit

    Figure 400 Branch Office VPN Rule Edit. IP addresses on different subnets. The IP address of the headquarters IPSec router. Dialing the VPN Tunnel via Web Configurator.
  • Page 635: Figure 401 VPN Rule Configured

    To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules screen’s Modify column to have the IPSec routers set up the tunnel. Figure 401 VPN Rule Configured Dial Icon. The following screen displays.
  • Page 636: Figure 403 VPN Tunnel Established

    Figure 403 VPN Tunnel Established. VPN Configuration via SMT: This section gives a VPN rule configuration example using the SMT. 1 From the main menu, enter 27 to display the first VPN menu (shown next). Figure 404 Menu 27: VPN/IPSec Setup. Menu 27 - VPN/IPSec Setup 1.
  • Page 637: Figure 405 Menu 27.1: IPSec Summary

    Figure 405 Menu 27.1: IPSec Summary. Menu 27.1 - IPSec Summary Name A Local Addr Start - Addr End / Mask Encap IPSec Algorithm Key Mgt Remote Addr Start - Addr End / Mask Secure Gw Addr...
  • Page 638: Figure 407 Branch Office Menu 27.1.1: IPSec Setup

    Note: Press [ENTER] at the bottom of each screen to save your configuration. You can press the ‘Up’ arrow at the top of a menu to quickly reach the bottom of the menu. Figure 407 Branch Office Menu 27.1.1: IPSec Setup. Menu 27.1.1 - IPSec Setup...
  • Page 639: Figure 408 Menu 27.1.1.1: IKE Setup

    ‘ipsec dial n’ (where “n” is the number of the VPN rule) command from the Command Interpreter - Menu 24.8 to have the IPSec device set up the tunnel. Here is an example. Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ras> ipsec dial 1 Tunnel built successfully!
  • Page 640: Figure 409 VPN Log Example

    VPN Log: The system log can often help to identify a configuration problem. Enable IKE & IPSec logging via the web configurator at both ends, clear the log and then build the tunnel. View the log via the web configurator or type ‘sys log disp’ from SMT Menu 24.8. See Appendix S Boot Commands for information on the log messages.
  • Page 641: Figure 410 IKE/IPSec Debug Example

    <0:None | 1:User | 2:Low | 3:High> ras> ipsec debug type 1 on ras> ipsec debug type 2 on ras> ipsec debug level 3 Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ras> ipsec dial 1 Start dialing for tunnel <rule# 1>... ikeStartNegotiate(): saIndex<0>...
  • Page 643: Appendix L Importing Certificates

    Appendix L Importing Certificates. This appendix shows certificate import examples using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator: In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
  • Page 644: Figure 412 Login Screen

    Figure 412 Login Screen. 2 Click Install Certificate to open the Install Certificate wizard. Figure 413 Certificate General Information before Import. 3 Click Next to begin the Install Certificate wizard.
  • Page 645: Figure 414 Certificate Import Wizard 1

    Figure 414 Certificate Import Wizard 1. 4 Select where you would like to store the certificate and then click Next. Figure 415 Certificate Import Wizard 2. 5 Click Finish to complete the Import Certificate wizard.
  • Page 646: Figure 416 Certificate Import Wizard 3

    Figure 416 Certificate Import Wizard 3. 6 Click Yes to add the ZyWALL certificate to the root store. Figure 417 Root Certificate Store.
  • Page 647: Figure 418 Certificate General Information after Import

    Figure 418 Certificate General Information after Import. Enrolling and Importing SSL Client Certificates: The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate...
  • Page 648: Figure 419 ZyWALL Trusted CA Screen

    Figure 419 ZyWALL Trusted CA Screen. The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate: 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 649: Figure 420 CA Certificate Example

    Figure 420 CA Certificate Example. 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s): You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 650: Figure 421 Personal Certificate Import Wizard 1

    Figure 421 Personal Certificate Import Wizard 1. 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
  • Page 651: Figure 423 Personal Certificate Import Wizard 3

    Figure 423 Personal Certificate Import Wizard 3. 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 424 Personal Certificate Import Wizard 4. 5 Click Finish to complete the wizard and begin the import process.
  • Page 652: Figure 425 Personal Certificate Import Wizard 5

    Figure 425 Personal Certificate Import Wizard 5. 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 426 Personal Certificate Import Wizard 6. Using a Certificate When Accessing the ZyWALL Example: Use the following procedure to access the ZyWALL via HTTPS.
  • Page 653: Figure 428 SSL Client Authentication

    Figure 428 SSL Client Authentication. 3 You next see the ZyWALL login screen. Figure 429 ZyWALL Secure Login Screen.
  • Page 655: Appendix M Command Interpreter

    Appendix M Command Interpreter. The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode.
  • Page 657: Appendix N Firewall Commands

    Appendix N Firewall Commands. The following describes the firewall commands. See Appendix M Command Interpreter for information on the command structure. Table 243 Firewall Commands (FUNCTION, COMMAND, DESCRIPTION). Firewall Set-Up: This command turns the firewall on or off.
  • Page 658 Table 243 Firewall Commands (continued). E-mail: config edit firewall e-mail mail-server <ip address of mail server>: This command sets the IP address to which the e-mail messages are sent. config edit firewall e-mail: This command sets the source e-mail address of the firewall e-mails.
  • Page 659 Table 243 Firewall Commands (continued). config edit firewall attack minute-high <0-255>: This command sets the threshold rate of new half-open sessions per minute at which the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
  • Page 660 Table 243 Firewall Commands (continued). config edit firewall set <set #> tcp-idle-timeout <seconds>: This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed. config edit firewall set <set...: This command sets whether or not the...
  • Page 661 Table 243 Firewall Commands (continued). config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address>...: This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet...
  • Page 663: NetBIOS Filter Commands

    Appendix O NetBIOS Filter Commands. The following describes the NetBIOS packet filter commands. See Appendix M Command Interpreter for information on the command structure. Introduction: NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 664: Table 244 NetBIOS Filter Default Settings

    The filter types and their default settings are as follows. Table 244 NetBIOS Filter Default Settings (NAME, DESCRIPTION, EXAMPLE). Between LAN and WAN: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. Example: Block.
  • Page 665 sys filter netbios config 3 on: This command blocks IPSec NetBIOS packets. sys filter netbios config 4 off: This command stops NetBIOS commands from initiating calls.
  • Page 667: Table 245 Certificates Commands

    Appendix P Certificates Commands. The following describes the certificate commands. See Appendix M Command Interpreter for information on the command structure. All of these commands start with certificates. Table 245 Certificates Commands (COMMAND, DESCRIPTION). my_cert create: Create a self-signed local host certificate.
  • Page 668 Table 245 Certificates Commands (continued). create cmp_enroll <name> <CA addr> <CA cert>...: Create a certificate request and enroll for a certificate immediately online using CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies...
  • Page 669 Table 245 Certificates Commands (continued). replace_fact: Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 670 Table 245 Certificates Commands (continued). delete <name>: Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted. list: List all trusted remote host certificate names and basic information.
  • Page 671: Table 246 Brute-Force Password Guessing Protection Commands

    Appendix Q Brute-Force Password Guessing Protection. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Appendix M Command Interpreter for information on the command structure.
  • Page 673: Appendix R Boot Commands

    Appendix R Boot Commands. The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 674: Figure 431 Boot Module Commands

    Figure 431 Boot Module Commands. just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show current time...
  • Page 675: Table 247 System Maintenance Logs

    ZyWALL 35 User’s Guide Appendix S Log Descriptions This appendix provides descriptions of example log messages. Table 247 System Maintenance Logs LOG MESSAGE DESCRIPTION The router has adjusted its time based on information from the Time calibration is time server.
  • Page 676: Table 248 System Error Logs

    ZyWALL 35 User’s Guide Table 247 System Maintenance Logs (continued) LOG MESSAGE DESCRIPTION The router is saving configuration changes. Configuration Change: PC = 0x%x, Task ID = 0x%x Someone has logged on to the router’s SSH server. Successful SSH login Someone has failed to log on to the router’s SSH server.
  • Page 677: Table 250 Tcp Reset Logs

    ZyWALL 35 User’s Guide Table 250 TCP Reset Logs (LOG MESSAGE / DESCRIPTION): "Under SYN flood attack, ...": The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
  • Page 678: Table 253 Cdr Logs

    ZyWALL 35 User’s Guide Table 252 ICMP Logs (continued) (LOG MESSAGE / DESCRIPTION): "Triangle route packet forwarded: ICMP": The firewall allowed a triangle route session to pass through. "Packet without a NAT table entry ...": The router blocked a packet that didn’t have a corresponding NAT table entry.
  • Page 679: Table 255 Upnp Logs

    ZyWALL 35 User’s Guide Table 255 UPnP Logs (LOG MESSAGE / DESCRIPTION): "UPnP pass through Firewall": UPnP packets can pass through the firewall. Table 256 Content Filtering Logs (LOG MESSAGE / DESCRIPTION): The content of a requested web page matched a user defined keyword.
  • Page 680: Table 257 Attack Logs

    ZyWALL 35 User’s Guide Table 257 Attack Logs (LOG MESSAGE / DESCRIPTION): "attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]": The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack. The next entry: The firewall detected an ICMP attack. For type and code details,...
  • Page 681: Table 258 Ipsec Logs

    ZyWALL 35 User’s Guide Table 258 IPSec Logs (LOG MESSAGE / DESCRIPTION): "Discard REPLAY packet": The router received and discarded a packet with an incorrect sequence number. "Inbound packet ...": The router received a packet that has been altered. A third party may have altered or tampered with the packet.
  • Page 682 ZyWALL 35 User’s Guide Table 259 IKE Logs (continued) (LOG MESSAGE / DESCRIPTION): "Cannot resolve Secure Gateway Addr for rule <%d>": The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address. "Peer ID: <peer id>...": The displayed ID information did not match between the two...
  • Page 683 ZyWALL 35 User’s Guide Table 259 IKE Logs (continued) (LOG MESSAGE / DESCRIPTION): "XAUTH fail! Username: <Username>": The router was not able to use extended authentication to authenticate the listed username. "Rule[%d] Phase 1 negotiation ...": The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.
  • Page 684: Table 260 Pki Logs

    ZyWALL 35 User’s Guide Table 259 IKE Logs (continued) (LOG MESSAGE / DESCRIPTION): "Rule [%d] phase 2 mismatch": The listed rule’s IKE phase 2 did not match between the router and the peer. The next entry: The listed rule’s IKE phase 2 key lengths (with the AES...
  • Page 685: Table 261 Certificate Path Verification Failure Reason Codes

    ZyWALL 35 User’s Guide Table 260 PKI Logs (continued) (LOG MESSAGE / DESCRIPTION): "Rcvd data <size> too large! Max size ...": The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field.
  • Page 686: Table 262 802.1X Logs

    ZyWALL 35 User’s Guide Table 261 Certificate Path Verification Failure Reason Codes (continued) (CODE / DESCRIPTION): Database method failed. Path was not verified. Maximum path length reached. Table 262 802.1X Logs (LOG MESSAGE / DESCRIPTION): A user was authenticated by the local user database.
  • Page 687: Table 263 Acl Setting Notes

    ZyWALL 35 User’s Guide Table 263 ACL Setting Notes (PACKET DIRECTION / DIRECTION / DESCRIPTION): (L to W) LAN to WAN: ACL set for packets traveling from the LAN to the WAN. (W to L) WAN to LAN: ACL set for packets traveling from the WAN to the LAN.
  • Page 688: Table 265 Syslog Logs

    ZyWALL 35 User’s Guide Table 264 ICMP Notes (continued) (TYPE / CODE / DESCRIPTION): Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded. Parameter Problem: Pointer indicates the error. Timestamp: Timestamp request message. Timestamp Reply: Timestamp reply message. Information Request...
  • Page 689: Figure 432 Displaying Log Categories Example

    ZyWALL is to record. 2 Use sys logs category to view a list of the log categories. Figure 432 Displaying Log Categories Example
    Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
    ras> ?
    Valid commands are:
    exit...
  • Page 690: Displaying Logs

    ZyWALL 35 User’s Guide 5 Use the sys logs save command to store the settings in the ZyWALL (you must do this in order to record logs). Displaying Logs • Use the sys logs display command to show all of the logs in the ZyWALL’s log.
  • Page 691 ZyWALL 35 User’s Guide Index Numerics Bandwidth Management Statistics Bandwidth Manager Class Configuration Bandwidth Manager Class Setup 10/100 Mbps Ethernet WAN Bandwidth Manager Monitor Bandwidth Manager Summary Basic Service Set Blocking Time 204, 205, 206 Bridge Protocol Data Units (BPDUs)
  • Page 692 ZyWALL 35 User’s Guide Configuration File Upload DSSS File Backup 162, 428 File Upload Dynamic DNS 346, 347 Restoring Files Dynamic DNS Support Content Filtering 51, 207 Dynamic Secure Gateway Address Categories DYNDNS Wildcard Customizing Days and Times Filter List...
  • Page 693 ZyWALL 35 User’s Guide IP Filter Logic Flow HTTP 173, 175, 303, 566 Finger HTTPS 50, 352 Firewall HTTPS Example Access Methods HyperTerminal 532, 533 Activating HyperTerminal program 524, 527 Address Type Alerts Connection Direction Creating/Editing Rules Custom PortsSee Custom Ports...
  • Page 694 ZyWALL 35 User’s Guide Active Many to One Destination IP Address Max Age IP Subnet Mask Maximize Bandwidth Usage 324, 329 Name Maximum Incomplete High Route Number Maximum Incomplete Low IP Subnet Mask 432, 441 Max-incomplete High Remote Max-incomplete Low...
  • Page 695 ZyWALL 35 User’s Guide Offline Quality of Service OK Response Quick Start Guide One Minute High One Minute Low One to One One-Minute High Operation Temperature RADIUS 51, 133 Outgoing Protocol Filters Shared Secret Key Outside RADIUS Message Types Rapid STP...
  • Page 696 ZyWALL 35 User’s Guide Configuration RTS Threshold Manager RTS/CTS handshake 122, 443 MIBs Rules 185, 188 Trap Checklist Trusted Host Creating Custom SNMP ( Simple Network Management Protocol) Key Fields Source Address 187, 195 LAN to WAN Logic Source-Based Routing...
  • Page 697 ZyWALL 35 User’s Guide Teardrop VT100 Telnet Telnet Configuration Terminal Emulation TFTP File Upload GUI-based Clients WAN DHCP 516, 517 TFTP and FTP over WAN WAN Setup 79, 425 TFTP Restrictions 352, 522, 545 WAN to LAN Rules Three-Way Handshake...

This manual is also suitable for: ZyWALL 70