ZyXEL Communications 310 User Manual


ZyWALL 110/310/1100 Series
VPN Firewall
Version 3.10
Edition 2, 02/2013
Quick Start Guide
User's Guide
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2013 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications 310

  • Page 2 ZyWALL. Note: It is recommended you use the Web Configurator to configure the ZyWALL. • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 3: Table Of Contents

    4.2.5 Quick Setup Interface Wizard: Summary (page 47)
    4.3 VPN Setup Wizard (page 48)
    4.3.1 Welcome (page 48)
    4.3.2 VPN Setup Wizard: Wizard Type (page 49)
    4.3.3 VPN Express Wizard - Scenario (page 50)
    4.3.4 VPN Express Wizard - Configuration (page 51)
  • Page 4

    6.3 Interface Status Screen (page 82)
    6.4 The Traffic Statistics Screen (page 86)
    6.5 The Session Monitor Screen (page 89)
    6.6 The DDNS Status Screen (page 91)
    6.7 IP/MAC Binding Monitor (page 91)
    6.8 The Login Users Screen (page 92)
    6.9 Cellular Status Screen (page 93)
  • Page 5

    7.9 Virtual Interfaces (page 170)
    7.9.1 Virtual Interfaces Add/Edit (page 171)
    7.10 Interface Technical Reference (page 172)
    Chapter 8 Trunk (page 177)
    8.1 Overview (page 177)
    8.1.1 What You Can Do in this Chapter (page 177)
    8.1.2 What You Need to Know (page 177)
  • Page 6

    Chapter 12 DDNS (page 215)
    12.1 DDNS Overview (page 215)
    12.1.1 What You Can Do in this Chapter (page 215)
    12.1.2 What You Need to Know (page 215)
    12.2 The DDNS Screen (page 216)
    12.2.1 The Dynamic DNS Add/Edit Screen (page 217)
  • Page 7

    17.1 Inbound Load Balancing Overview (page 247)
    17.1.1 What You Can Do in this Chapter (page 247)
    17.2 The Inbound LB Screen (page 248)
    17.2.1 The Inbound LB Add/Edit Screen (page 249)
    17.2.2 The Inbound LB Member Add/Edit Screen (page 251)
  • Page 8

    20.4 VPN Concentrator (page 301)
    20.4.1 VPN Concentrator Requirements and Suggestions (page 302)
    20.4.2 VPN Concentrator Screen (page 302)
    20.4.3 The VPN Concentrator Add/Edit Screen (page 302)
    20.5 ZyWALL IPSec VPN Client Configuration Provisioning (page 303)
    20.6 IPSec VPN Background Information (page 305)
  • Page 9

    23.3 View Log (page 342)
    23.4 Suspend and Resume the Connection (page 343)
    23.5 Stop the Connection (page 343)
    23.6 Uninstalling the ZyWALL SecuExtender (page 343)
    Chapter 24 L2TP VPN (page 345)
    24.1 Overview (page 345)
    24.1.1 What You Can Do in this Chapter (page 345)
  • Page 10

    27.4.2 User Aware Login Example (page 381)
    27.5 User/Group Technical Reference (page 382)
    Chapter 28 Addresses (page 384)
    28.1 Overview (page 384)
    28.1.1 What You Can Do in this Chapter (page 384)
    28.1.2 What You Need To Know (page 384)
    28.2 Address Summary Screen (page 384)
  • Page 11

    31.3.1 Adding a RADIUS Server (page 406)
    Chapter 32 Authentication Method (page 409)
    32.1 Overview (page 409)
    32.1.1 What You Can Do in this Chapter (page 409)
    32.1.2 Before You Begin (page 409)
    32.1.3 Example: Selecting a VPN Authentication Method (page 409)
  • Page 12

    36.1 Overview (page 438)
    36.1.1 What You Can Do in this Chapter (page 438)
    36.2 The DHCPv6 Request Screen (page 438)
    36.2.1 DHCPv6 Request Add/Edit Screen (page 439)
    36.3 The DHCPv6 Lease Screen (page 439)
    36.3.1 DHCPv6 Lease Add/Edit Screen (page 440)
  • Page 13

    37.8.5 Secure Telnet Using SSH Examples (page 475)
    37.9 Telnet (page 476)
    37.9.1 Configuring Telnet (page 476)
    37.10 FTP (page 478)
    37.10.1 Configuring FTP (page 478)
    37.11 SNMP (page 479)
    37.11.1 Supported MIBs (page 480)
    37.11.2 SNMP Traps (page 481)
    37.11.3 Configuring SNMP (page 481)
  • Page 14

    40.5 The System Log Screen (page 516)
    Chapter 41 Packet Flow Explore (page 518)
    41.1 Overview (page 518)
    41.1.1 What You Can Do in this Chapter (page 518)
    41.2 The Routing Status Screen (page 518)
    41.3 The SNAT Status Screen (page 522)
  • Page 15

    43.1 Overview (page 526)
    43.1.1 What You Need To Know (page 526)
    43.2 The Shutdown Screen (page 526)
    Chapter 44 Troubleshooting (page 527)
    44.1 Resetting the ZyWALL (page 535)
    44.2 Getting More Troubleshooting Help (page 536)
    Appendix A Legal Information (page 537)
    Index (page 541)
  • Page 17: Chapter 1 Introduction

    Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also purchase the ZyWALL OTPv2 One-Time Password System for strong two-factor authentication for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins.
  • Page 18 In the following figure user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not even logged in and cannot access either.
  • Page 19: Management Overview

    You can manage the ZyWALL in the following ways.
    Web Configurator: The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
    Figure 6 Managing the ZyWALL: Web Configurator
  • Page 20: Web Configurator

    If you have an OTP (One-Time Password) token, generate a number and enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.
  • Page 21: Web Configurator Screens Overview

    The Web Configurator screen is divided into these parts (as illustrated on page 21):
    • A - title bar
    • B - navigation panel
    • C - main window
    Title Bar
    Figure 7 Title Bar
  • Page 22: Site Map

    This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released.
    Click this to close the screen.
    Site Map
    Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen.
  • Page 23

    If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays.
    Name: This field identifies the configuration item that references the object.
    Description: If the referencing configuration item has a description configured, it displays here.
  • Page 24

    Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and then click some menus in the Web Configurator to display the corresponding commands.
    Figure 12 CLI Messages
  • Page 25: Navigation Panel

    Displays the status of the ZyWALL’s DDNS domain names.
    IP/MAC Binding: Lists the devices that have received an IP address from ZyWALL interfaces using IP/MAC binding.
    Login Users: Lists the users currently logged into the ZyWALL.
  • Page 26: Configuration Menu

    Exempt List: Configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding.
    DNS Inbound, DNS Load Balancing: Configure DNS Load Balancing.
    Auth. Policy: Define rules to force user authentication.
  • Page 27

    System
    Host Name: Configure the system and domain name for the ZyWALL.
    USB Storage, Settings: Configure the settings for the connected USB devices.
    Date/Time: Configure the current date, time, and time zone in the ZyWALL.
  • Page 28: Tables And Lists

    Turn off the ZyWALL.
    1.3.4 Tables and Lists
    Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table’s entries according to that column’s criteria.
  • Page 29

    Figure 16 Resizing a Table Column
    Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
  • Page 30 [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
  • Page 31 In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
  • Page 33: Installation Setup Wizard

    Note: Enter the Internet access information exactly as your ISP gave it to you.
    • Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
  • Page 34: Internet Access: Ethernet

    • MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
    • Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
  • Page 35: Internet Access: Pptp

    • Type a Base IP Address (static) assigned to you by your ISP.
    • Type the IP Subnet Mask assigned to you by your ISP (if given).
    • Server IP: Type the IP address of the PPTP server.
  • Page 36: Internet Access - Finish

    0.0.0.0 if you do not want to configure DNS servers.
    2.1.6 Internet Access - Finish
    You have set up your ZyWALL to access the Internet. A screen displays with your settings. If they are not correct, click Back.
  • Page 37: Hardware Introduction

    Zones None LAN1 LAN2 WLAN wan1 wan2 Interfaces lan1 lan2 ext-wlan Physical Ports Zones None WLAN Interfaces ge1ge2 ge4 ge5 Physical Ports P7 P8 Zones None Interfaces ge1ge2 ge4 ge5 Physical Ports P7 P8 1100
  • Page 38: Stopping The Zywall

    Attach the other bracket in a similar fashion. After attaching both mounting brackets, position the ZyWALL in the rack and line up the bracket holes with the rack holes. Secure the ZyWALL to the rack with the rack-mounting screws.
  • Page 39: Wall-Mounting

    ZyWALL with the connection cables. Use the holes on the bottom of the ZyWALL to hang the ZyWALL on the screws.
    3.5 Front Panel LEDs
    This section introduces the ZyWALL’s front panel LEDs.
  • Page 40 P1, P2... Green There is no traffic on this port. Blinking The ZyWALL is sending or receiving packets on this port. Orange There is no connection on this port. This port has a successful link.
  • Page 41: Rear Panels

    Attach a lock-and-cable from the Kensington lock (the small, metal-reinforced, oval hole) to a permanent object, such as a pole, to secure the ZyWALL in place. The fans are for cooling the ZyWALL. Make sure they are not obstructed to allow maximum ventilation.
  • Page 43: Chapter 4 Quick Setup Wizards

    4.2 WAN Interface Quick Setup
    Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.
  • Page 44: Choose An Ethernet Interface

    WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
  • Page 45: Configure Wan Settings

    Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP Address Assignment to Static. Note: Enter the Internet access information exactly as your ISP gave it to you.
  • Page 46

    This displays the identity of the Ethernet interface you configure to connect with a modem or router.
    Base IP Address: Type the (static) IP address assigned to you by your ISP.
    IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
  • Page 47: Quick Setup Interface Wizard: Summary

    Back: Click Back to return to the previous screen.
    Next: Click Next to continue.
    4.2.5 Quick Setup Interface Wizard: Summary
    This screen displays the WAN interface’s settings.
    Figure 28 Interface Wizard: Summary WAN (PPTP Shown)
  • Page 48: Vpn Setup Wizard

    Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
  • Page 49: Vpn Setup Wizard: Wizard Type

    ZLD-based ZyWALL using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device.
    Figure 31 VPN Setup Wizard: Wizard Type
  • Page 50: Vpn Express Wizard - Scenario

    IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
    • Remote Access (Client Role) - Connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
  • Page 51: Vpn Express Wizard - Configuration

    4.3.5 VPN Express Wizard - Summary
    This screen provides a read-only summary of the VPN tunnel’s configuration and commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it.
  • Page 52: Vpn Express Wizard - Finish

    Now the rule is configured on the ZyWALL. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
  • Page 53: Vpn Advanced Wizard - Scenario

    Figure 35 VPN Express Wizard: Finish
    Click Close to exit the wizard.
    4.3.7 VPN Advanced Wizard - Scenario
    Click the Advanced radio button as shown in Figure 31 on page 49 to display the following screen.
  • Page 54: Vpn Advanced Wizard - Phase 1 Settings

    4.3.8 VPN Advanced Wizard - Phase 1 Settings
    There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
  • Page 55

    • NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
    Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens for more information.
  • Page 56: Vpn Advanced Wizard - Phase 2

    You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
    • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
  • Page 57: Vpn Advanced Wizard - Summary

    Now the rule is configured on the ZyWALL. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
  • Page 58: Vpn Settings For Configuration Provisioning Wizard: Wizard Type

    VPN rules for the ZyWALL IPSec VPN Client have certain restrictions. They must not contain the following settings:
    • AH active protocol
    • NULL encryption
    • SHA512 authentication
    • A subnet or range remote policy
  • Page 59: Configuration Provisioning Express Wizard - Vpn Settings

    Figure 41 VPN Settings for Configuration Provisioning Express Wizard: Wizard Type
    4.4.1 Configuration Provisioning Express Wizard - VPN Settings
    Click the Express radio button as shown in the previous screen to display the following screen.
  • Page 60: Configuration Provisioning Vpn Express Wizard - Configuration

    Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the ZyWALL IPSec VPN Client.
    4.4.2 Configuration Provisioning VPN Express Wizard - Configuration
    Click Next to continue the wizard.
  • Page 61: Vpn Settings For Configuration Provisioning Express Wizard - Summary

    4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary
    This screen has a read-only summary of the VPN tunnel’s configuration and commands you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it.
  • Page 62: Vpn Settings For Configuration Provisioning Express Wizard - Finish

    VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to get all these VPN settings automatically from the ZyWALL.
  • Page 63: Vpn Settings For Configuration Provisioning Advanced Wizard - Scenario

    4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario
    Click the Advanced radio button as shown in Figure 41 on page 59 to display the following screen.
    Figure 46 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings
  • Page 64: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 1 Settings

    DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
  • Page 65: Vpn Settings For Configuration Provisioning Advanced Wizard - Phase 2

    1536 bit random number (more secure, yet slower).
    • Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
  • Page 66: Vpn Settings For Configuration Provisioning Advanced Wizard - Summary

    Now the rule is configured on the ZyWALL. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN >
  • Page 67

    VPN Connection screen. Enter the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to get all these VPN settings automatically from the ZyWALL.
    Figure 50 VPN for Configuration Provisioning Advanced Wizard: Finish
    Click Close to exit the wizard.
  • Page 69: Chapter 5 Dashboard

    The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.
  • Page 70

    The following front and rear panel labels display when you hover your cursor over a connected interface or slot.
    Name: This field displays the name of each interface.
    Slot: This field displays the name of each extension slot.
  • Page 71 Number of Login Users: This field displays the number of users currently logged in to the ZyWALL. Click the icon to pop-open a list of the users who are currently logged in to the ZyWALL.
  • Page 72

    Click the Detail icon to go to a (more detailed) summary screen of interface statistics.
    This shows how many interfaces there are.
    Name: This field displays the name of each interface.
  • Page 73

    Destination Service This displays the service object of the triggered firewall rule.
    Access: This field displays whether the triggered firewall rule denied (silently discarded) or rejected the passage of packets of the triggered firewall rule.
  • Page 74: The Cpu Usage Screen

    The x-axis shows the time period over which the CPU usage occurred.
    Refresh Interval: Enter how often you want this window to be automatically updated.
    Refresh: Click this to update the information in the window right away.
  • Page 75: The Memory Usage Screen

    Click this to update the information in the window right away.
    5.2.3 The Active Sessions Screen
    Use this screen to look at a chart of the ZyWALL’s recent traffic session usage. To access this screen, click Session Usage in the dashboard.
  • Page 76: The Vpn Status Screen

    Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in System Status in the dashboard.
    Figure 55 Dashboard > System Status > VPN Status
  • Page 77: The Dhcp Table Screen

    If this field is clear, this entry is a dynamic DHCP entry. The IP address is assigned to a DHCP client. To create a static DHCP entry using an existing dynamic DHCP entry, select this field, and then click Apply. To remove a static DHCP entry, clear this field, and then click Apply.
  • Page 78: The Number Of Login Users Screen

    (external user), this field will show its external-group information when you move your mouse over it. If the external user matches two external-group objects, both external-group object names will be shown.
    Force Logout: Click this icon to end a user’s session.
  • Page 79: Chapter 6 Monitor

    (Section 6.14 on page 100) screen to view the ZyWALL’s current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen.
  • Page 80: The Port Statistics Screen

    Up Time: This field displays how long the physical port has been connected.
    System Up Time: This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • Page 81: The Port Statistics Graph Screen

    This field displays the date and time the information in the window was last updated.
    System Up Time: This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • Page 82: Interface Status Screen

    6.3 Interface Status Screen
    This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen.
  • Page 83 Figure 60 Monitor > System Status > Interface Status
  • Page 84

    If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a.
    Tunnel Interface Status: This displays the details of the ZyWALL’s configured tunnel interfaces.
    Name: This field displays the name of the interface.
  • Page 85

    Fault - This VRRP group is not functioning in the virtual router right now. For example, this might happen if the interface is down.
    n/a - Device HA is not active on the interface.
    Zone: This field displays the zone to which the interface is assigned.
  • Page 86: The Traffic Statistics Screen

    ZyWALL counts HTTP GET packets. Please see Table 24 on page 87 for more information.
    • Most-used protocols or service ports and the amount of traffic on each one
  • Page 87

    Click Apply to save your changes back to the ZyWALL.
    Reset: Click Reset to return the screen to its last-saved settings.
    Statistics
    Interface: Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge and PPPoE/PPTP interfaces.
  • Page 88 HTTP GET packets. Many Web sites have HTTP GET references to other Web sites, and the ZyWALL counts these as hits too. The count starts over at zero if the number of hits passes the hit count limit. See Table 25 on page
  • Page 89: The Session Monitor Screen

    IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user. Click Monitor > System Status > Session Monitor to display the following screen.
    Figure 62 Monitor > System Status > Session Monitor
  • Page 90

    This field displays the amount of information received by the source in the active session.
    This field displays the amount of information transmitted by the source in the active session.
    Duration: This field displays the length of the active session in seconds.
  • Page 91: The Ddns Status Screen

    IP/MAC binding enabled and have ever established a session with the ZyWALL. Devices that have never established a session with the ZyWALL do not display in the list.
    Figure 64 Monitor > System Status > IP/MAC Binding
  • Page 92: The Login Users Screen

    Chapter 27 on page 371.
    Type: This field displays the way the user logged in to the ZyWALL.
    IP Address: This field displays the IP address of the computer used to log in to the ZyWALL.
  • Page 93: Cellular Status Screen

    This field is a sequential value, and it is not associated with any interface.
    Extension Slot: This field displays where the entry’s cellular card is located.
    Connected Device: This field displays the model name of the cellular card.
  • Page 94

    Rev.0 or EVDO Rev.A when you insert a CDMA 3G card.
    Signal Quality: This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station.
  • Page 95: More Information

    This shows the name of the company that produced the 3G device.
    Device Model: This field displays the model name of the cellular card.
    Device Firmware: This shows the software version of the 3G device.
  • Page 96: Usb Storage Screen

    This field displays what file system the USB storage device is formatted with. This field displays Unknown if the file system of the USB storage device is not supported by the ZyWALL, such as NTFS.
    Speed: This field displays the connection speed the USB storage device supports.
  • Page 97: The Ipsec Monitor Screen

    Monitor > VPN Monitor > IPSec. The following screen appears. SAs. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
    Figure 69 Monitor > VPN Monitor > IPSec
  • Page 98: Regular Expressions In Searching Ipsec Sas

    A * in the middle of a VPN connection or policy name has the ZyWALL check the beginning and end and ignore the middle. For example, with “abc*123”, any VPN connection or policy name starting with “abc” and ending in “123” matches, no matter how many characters are in between.
  • Page 99: The Ssl Connection Monitor Screen

    6.13 The L2TP over IPSec Session Monitor Screen
    Click Monitor > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to display and manage the ZyWALL’s connected L2TP VPN sessions.
  • Page 100: Log Screen

    Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 101 This displays when you show the filter. Select a service protocol whose log messages you would like to see. Search This displays when you show the filter. Click this button to update the log using the current filter settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 102 This field displays the destination IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 103: Interfaces

    • Use the Trunk screens (Chapter 8 on page 177) to configure load balancing. 7.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).
  • Page 104 Table 37 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET CELLULAR VLAN BRIDGE VIRTUAL Name* wan1 lan1, lan2, pppx cellularx vlanx Configurable Zone IP Address Assignment Static IP address DHCP client Routing metric Interface Parameters Bandwidth restrictions
  • Page 105: Relationships Between Interfaces

    VLAN interface* bridge interface WAN1, WAN2, OPT* virtual interface (virtual Ethernet interface) Ethernet interface* (virtual VLAN interface) VLAN interface* (virtual bridge interface) bridge interface trunk Ethernet interface Cellular interface VLAN interface bridge interface PPP interface
  • Page 106 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 ~ 10, A ~ F). Each block’s 16 bits are then represented by four hexadecimal characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.
  • Page 107 • See Section 7.10 on page 172 for background information on interfaces. • See Chapter 8 on page 177 to configure load balancing using trunks. In IPv6, all network interfaces can be associated with several addresses.
  • Page 108: What You Need To Do First

    • It can increase the bandwidth between the port group and other interfaces. • The port group uses a single MAC address. Click Apply to save your changes and apply them to the ZyWALL.
  • Page 109: Ethernet Summary Screen

    The ZyWALL supports two routing protocols, RIP and OSPF. See Chapter 10 on page for background information about these routing protocols. Figure 74 Configuration > Network > Interface > Ethernet
  • Page 110: Ethernet Edit

    LAN’s IP address, the ZyWALL automatically updates the corresponding interface-based, LAN subnet address object. With RIP, you can use Ethernet interfaces to do the following things. • Enable and disable RIP in the underlying physical port or port group.
  • Page 111 • Select in which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Set the priority used to identify the DR or BDR if one does not exist.
  • Page 112 Chapter 7 Interfaces Figure 75 Configuration > Network > Interface > Ethernet > Edit (External Type)
  • Page 113 Chapter 7 Interfaces Figure 76 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • Page 114 Chapter 7 Interfaces Figure 77 Configuration > Network > Interface > Ethernet > Edit (OPT)
  • Page 115 This option appears when Interface Type is external or general. Select this if you Address want to specify the IP address, subnet mask, and gateway manually. IP Address Enter the IP address for this interface.
  • Page 116 ZyWALL will append it to the delegated prefix. For example, if you got a delegated prefix of 2003:1234:5678/48 and want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, enter ::1111:0:0:0:1/128 in this field.
  • Page 117 Get Network prefix and DNS settings) through DHCPv6. Configuration From DHCPv6 Clear this to have the ZyWALL indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message.
  • Page 118 ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix. Address This is the final network prefix formed by combining the delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen. Interface Parameters
  • Page 119 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server.
  • Page 120 This is the name of the DHCP option. Code This is the code number of the DHCP option. Type This is the type of the set value for the DHCP option. Value This is the value set for the DHCP option.
  • Page 121 Enter the cost (between 1 and 65,535) to route packets through this interface. Passive Select this to stop forwarding OSPF routing information from the selected interface. As Interface a result, this interface only receives routing information.
  • Page 122: Object References

    When a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object.
  • Page 123: Add/Edit Dhcpv6 Request/Release Options

    DHCPv6 Server or DHCPv6 Client in the DHCPv6 Setting section, and then click Add in the DHCPv6 Request Options or DHCPv6 Lease Options table. Figure 79 Configuration > Network > Interface > Ethernet > Edit > Add DHCPv6 Request/Lease Options
  • Page 124: Add/Edit Dhcp Extended Options

    Enterprise ID identifies a company. First Class, If you selected VIVC (124), enter the details of the hardware configuration of the host on Second Class which the client is running, or of industry consortium compliance.
  • Page 125: Ppp Interfaces

    TFTP; however, the option may be used for purposes other than contacting a VoIP configuration server. 7.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network.
  • Page 126: Ppp Interface Summary

    255.255.255.255. In addition, the ZyWALL always treats the ISP as a gateway. 7.4.1 PPP Interface Summary This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP. Figure 82 Configuration > Network > Interface > PPP
  • Page 127: Ppp Interface Add Or Edit

    > System > IPv6 screen, you can also configure PPP interfaces used for your IPv6 networks on this screen. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.
  • Page 128 Chapter 7 Interfaces Figure 83 Configuration > Network > Interface > PPP > Add
  • Page 129 Select this if this interface is a DHCP client. In this case, the DHCP server configures Automatically the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces. Use Fixed IP Select this if you want to specify the IP address manually. Address
  • Page 130 DUID as MAC Select this if you want the DUID to be generated from the interface’s default MAC address. Customized DUID If you want to use a customized DUID, enter it here for the interface.
  • Page 131 Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Enter the number of consecutive failures before the ZyWALL stops routing through the Tolerance gateway. Check Default Select this to use the default gateway for the connectivity check. Gateway
  • Page 132: Cellular Configuration Screen (3G)

    • You can set the 3G device to connect only to the home network, which is the network to which you are originally subscribed. • You can set the 3G device to connect to other networks if the signal strength of the home network is too low or it is unavailable.
  • Page 133 To change your 3G WAN settings, click Configuration > Network > Interface > Cellular. Note: Install (or connect) a compatible 3G USB device to use a cellular connection. Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.
  • Page 134: Cellular Add/Edit Screen

    To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that contains the 3G device, then the following screen displays.
  • Page 135 Chapter 7 Interfaces Figure 85 Configuration > Network > Interface > Cellular > Add
  • Page 136 Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: None: No authentication for outgoing calls. CHAP - Your ZyWALL accepts CHAP requests only. PAP - Your ZyWALL accepts PAP requests only.
  • Page 137 Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available.
  • Page 138 Select UMTS / HSDPA (WCDMA) only to have this interface only use a 3G or 3.5G network (respectively). You may want to do this if you want to make sure the interface does not use the GSM network.
  • Page 139 Enter a number from 1 to 99 in the percentage fields. If you % of data budget change the value after you configure and enable budget control, the ZyWALL resets the statistics.
  • Page 140: Tunnel Interfaces

    IPv6 On the ZyWALL, you can either set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4 tunnel. The following describes each method: IPv6-in-IPv4 Tunneling Use this mode on the WAN of the ZyWALL if
  • Page 141 An IPv6 address in 6to4 mode contains an IPv4 address, in the following format: 2002:[a public IPv4 address in hexadecimal]::/48. For example, if the public IPv4 address is 202.156.30.41, the converted hexadecimal IP string is ca.9c.1E.29 and the IPv6 address prefix becomes 2002:ca9c:1e29::/48.
  • Page 142: Configuring A Tunnel

    Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 7.3.2 on page 122 for an example. This field is a sequential value, and it is not associated with any interface.
  • Page 143: Tunnel Add Or Edit Screen

    Click Reset to begin configuring this screen afresh. 7.6.2 Tunnel Add or Edit Screen This screen lets you configure a tunnel interface. Click Configuration > Network > Interface > Tunnel > Add (or Edit) to open the following screen.
  • Page 144 The format is tunnelx, where x is 0 - 3. For example, tunnel0. Zone Use this field to select the zone to which this interface belongs. This controls what security settings the ZyWALL applies to this interface.
  • Page 145 Address Automatic displays in this field if you are configuring a 6to4 tunnel. It means the 6to4 tunnel will help forward packets to the corresponding remote gateway automatically by looking at the packet’s destination address.
  • Page 146 Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 147: Vlan Interfaces

    VLAN, not each physical network. • Traffic between VLANs (or between a VLAN and another type of network) is layer-3 communication (network layer, IP addresses). It is handled by the router.
  • Page 148: Vlan Summary Screen

    IPv6 in the Configuration > System > IPv6 screen, you can also configure VLAN interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > VLAN.
  • Page 149 This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. Mask This field displays the interface’s subnet mask in dot decimal notation.
  • Page 150: Vlan Add/Edit

    This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Create Virtual Interface icon in the VLAN Summary screen. The following screen appears.
  • Page 151 Chapter 7 Interfaces Figure 95 Configuration > Network > Interface > VLAN > Create Virtual Interface
  • Page 152 This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • Page 153 IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 in this field. Address This field displays the combined IPv6 IP address for this interface. Note: This field displays the combined address after you click OK and reopen this screen.
  • Page 154 Select this to have the ZyWALL indicate to hosts to obtain DNS information through Get Other DHCPv6. Configuration From DHCPv6 Clear this to have the ZyWALL indicate to hosts that DNS information is not available in this network.
  • Page 155 Allowed values are 0 - 1048576. Ingress This is reserved for future use. Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
  • Page 156 If this field is blank, the Pool Size must also be blank. In this case, the ZyWALL can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
  • Page 157 Configure a list of static IP addresses the ZyWALL assigns to computers connected to Table the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size.
  • Page 158 The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. This field is available if the Authentication is MD5. Type the ID for MD5 Authentication authentication. The ID can be between 1 and 255.
  • Page 159: Bridge Interfaces

    There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4. Table 54 Example: Bridge Table After Computer A Sends a Packet to Computer B MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A
  • Page 160: Bridge Summary

    IPv6 in the Configuration > System > IPv6 screen, you can also configure bridge interfaces used for your IPv6 network on this screen. To access this screen, click Configuration > Network > Interface > Bridge.
  • Page 161 This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings.
  • Page 162: Bridge Add/Edit

    This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Create Virtual Interface icon in the Bridge Summary screen. The following screen appears.
  • Page 163 Chapter 7 Interfaces Figure 97 Configuration > Network > Interface > Bridge > Create Virtual Interface
  • Page 164 Select this if this interface is a DHCP client. In this case, the DHCP server configures Automatically the IP address, subnet mask, and gateway automatically. Use Fixed IP Select this if you want to specify the IP address, subnet mask, and gateway manually. Address
  • Page 165 Select an entry and click this to delete it from this table. This field is a sequential value, and it is not associated with any entry. Delegated Select the DHCPv6 request object to use from the drop-down list. Prefix
  • Page 166 When Relay is selected, select this check box and enter the IP address of a DHCPv6 server as the relay server. IPv6 Router Advertisement Setting Enable Router Select this to enable this interface to send router advertisement messages periodically. Advertisement IPv6 Router Advertisement on page 107 for more information.
  • Page 167 You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.
  • Page 168 From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay.
  • Page 169 ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check.
  • Page 170: Virtual Interfaces

    MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available.
  • Page 171: Virtual Interfaces Add/Edit

    ZyWALL uses the one that was configured first. Interface Parameters Egress Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send Bandwidth through the interface to the network. Allowed values are 0 - 1048576.
  • Page 172: Interface Technical Reference

    DHCP clients. You have to assign the IP address and subnet mask manually. In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients.
  • Page 173 IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client. At the time of writing, the ZyWALL does not support ingress bandwidth management.
  • Page 174 IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.
  • Page 175 The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions.
  • Page 176 Chapter 7 Interfaces
  • Page 177: Chapter 8 Trunk

    ZyWALL can automatically send its traffic through another interface. You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic.
  • Page 178 Here the ZyWALL has two WAN interfaces connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic.
  • Page 179 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to wan1 and one session's traffic to wan2 in each round of 3 new sessions. Figure 102 Weighted Round Robin Algorithm Example
  • Page 180: The Trunk Summary Screen

    Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. Figure 104 Configuration > Network > Interface > Trunk
  • Page 181: Configuring A User-Defined Trunk

    Click Configuration > Network > Interface > Trunk, then in the User Configuration table click the Add (or Edit) icon to open the following screen. Use this screen to create or edit a WAN trunk entry.
  • Page 182 This column displays the priorities of the group’s interfaces. The order of the interfaces in the list is important since they are used in the order they are listed.
  • Page 183: Configuring The System Default Trunk

    Note: The available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk.
  • Page 184 Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to send out through the interface per second.
  • Page 185 The ZyWALL uses the group member interfaces in the order that they are listed. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 186 Chapter 8 Trunk
  • Page 187: Policy And Static Routes

    • Use the Policy Route screens (see Section 9.2 on page 189) to list and configure policy routes. • Use the Static Route screens (see Section 9.3 on page 195) to list and configure static routes.
  • Page 188: What You Need To Know

    CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
  • Page 189: Policy Route Screen

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure policy routes used for your IPv6 networks on this screen.
  • Page 190 This is the interface on which the packets are received. Source This is the name of the source IP address (group) object. any means all IP addresses. Destination This is the name of the destination IP address (group) object. any means all IP addresses.
  • Page 191: Policy Route Edit Screen

    Edit icon in the IPv4 Configuration or IPv6 Configuration section. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route. Both IPv4 and IPv6 policy routes have similar settings except for the Address Translation (SNAT) settings.
  • Page 192 Chapter 9 Policy and Static Routes Figure 109 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)
  • Page 193 VPN tunnel and you enable Auto Destination Address, the ZyWALL uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
  • Page 194 ZyWALL send traffic that matches the policy route through the specified interface. Auto-Disable This field displays when you select Interface or Trunk in the Type field. Select this to have the ZyWALL automatically disable this policy route when the next hop’s connection is down.
  • Page 195: Ip Static Route Screen

    OSPF to propagate the routing information to other routers. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure static routes used for your IPv6 networks on this screen. Figure 111 Configuration > Network > Routing > Static Route
  • Page 196: Static Route Add/Edit Screen

    Figure 112 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration) Figure 113 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration)
  • Page 197: Policy Routing Technical Reference

    If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces
  • Page 198 (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
  • Page 199: Routing Protocols

    RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunately, it also broadcasts
  • Page 200 This field is available if the Authentication is MD5. Type the password for MD5 Authentication Key authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
  • Page 201: The Ospf Screen

    32-bit ID. In OSPF, this number may be expressed as an integer or as an IP address. There are several types of areas. • The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
  • Page 202 • An internal router (IR) only exchanges routing information with other routers in the same area. • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.
  • Page 203 In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.
  • Page 204: Configuring The Ospf Screen

    In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. Click Configuration > Network > Routing > OSPF to open the following screen.
  • Page 205 “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214. Area This section displays information about OSPF areas in the ZyWALL.
  • Page 206: Ospf Area Add/Edit Screen

    OSPF summary screen (see Section 10.3 on page 201), and click either the Add icon or an Edit icon. Figure 119 Configuration > Network > Routing > OSPF > Add
  • Page 207 ID and key. Same as Area has the virtual link also use the Authentication settings above. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 208: Virtual Link Add/Edit Screen

    16 characters long. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 10.4 Routing Protocol Technical Reference Here is more detailed information about RIP and OSPF.
  • Page 209 Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
  • Page 210 Chapter 10 Routing Protocols
  • Page 211: Zones

    11.1.2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings.
  • Page 212: The Zone Screen

    The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Figure 122 Configuration > Network > Zone
  • Page 213: Zone Edit

    The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 11.2 on page 212), and click the Add icon or an Edit icon. Figure 123 Network > Zone > Add
  • Page 214 Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
  • Page 215: Chapter 12 Ddns

    Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
  • Page 216: The Ddns Screen

    - The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. custom - The IP address is static.
  • Page 217: The Dynamic Dns Add/Edit Screen

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is read-only when you are editing an entry. DDNS Type Select the type of DDNS service you are using. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 218 The ZyWALL still sends the static IP address to the DDNS server. Custom IP This field is only available when the IP Address is Custom. Type the IP address to use for the domain name. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 219 DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 221: Chapter 13 Nat

    You can also create new NAT rules and edit or delete existing ones. 13.1.2 What You Need to Know NAT is also known as virtual server, port forwarding, or port translation. • See Section 13.3 on page 225 for technical background information related to these screens. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 222: The Nat Screen

    This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 223: The Nat Add/Edit Screen

    The private and public ranges must have the same number of IP addresses. One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 224 NAT rule supports. Mapped Start Port This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 225: Nat Technical Reference

    For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 226 (1.1.1.1). If the SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 227 Figure 131 LAN to LAN Return Traffic
  • Page 229: Chapter 14 Http Redirect

    A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowing internal IP addresses. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 230: The Http Redirect Screen

    To configure redirection of an HTTP request to a proxy server, click Configuration > Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules. Note: You can configure up to one HTTP redirect rule for each (incoming) interface.
  • Page 231: The Http Redirect Edit Screen

    Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule. Figure 134 Network > HTTP Redirect > Edit ZyWALL 110/310/1100 Series User’s Guide...
  • Page 232 Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 233: Chapter 15 Alg

    (such as SIP) to operate properly through the ZyWALL’s NAT and firewall. The ZyWALL dynamically creates an implicit NAT session and firewall session for the application’s traffic from the WAN to the LAN. The ALG on the ZyWALL supports all of the ZyWALL’s NAT mapping types. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 234 • The SIP ALG allows UDP packets with a specified port destination to pass through. • The ZyWALL allows SIP audio connections. • You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the ZyWALL when you enable the SIP ALG. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 235 B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2.
  • Page 236: Before You Begin

    Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG time outs. Figure 139 Configuration > Network > ALG ZyWALL 110/310/1100 Series User’s Guide...
  • Page 237 If you are also using FTP on an additional TCP port number, enter it here. Port for Transformations Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 238: Alg Technical Reference

    SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 239 When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 241: Chapter 16 Ip/Mac Binding

    244) to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. 16.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the ZyWALL’s dynamic and static DHCP entries. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 242: Ip/Mac Binding Summary

    Click Apply to save your changes back to the ZyWALL. 16.2.1 IP/MAC Binding Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface’s IP to MAC address binding settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 243: Static Dhcp Edit

    Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface’s IP to MAC address binding settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 244: Ip/Mac Binding Exempt List

    Table 91 Configuration > Network > IP/MAC Binding > Exempt List LABEL DESCRIPTION Click this to create a new entry. Edit Click an entry or select it and click Edit to modify the entry’s settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 245 Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply Click Apply to save your changes back to the ZyWALL. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 247: Inbound Load Balancing

    17.1.1 What You Can Do in this Chapter • Use the Inbound LB screen (see Section 17.2 on page 248) to view a list of the configured DNS load balancing rules.
  • Page 248: The Inbound Lb Screen

    This field displays the order in which the ZyWALL checks the member interfaces of this DNS load balancing rule. Query Domain Name This field displays the domain name for which the ZyWALL manages load balancing between the specified interfaces. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 249: The Inbound Lb Add/Edit Screen

    You can configure the ZyWALL to apply DNS load balancing to some specific hosts only by configuring the Query From settings. Click Configuration > Network > Inbound LB and then the Add or Edit icon to open this screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 250 DNS servers to resolve the name. You have to configure this field to the client’s IP address when iteration is used. Zone Select the zone of DNS query messages upon which to apply this rule. Load Balancing Member ZyWALL 110/310/1100 Series User’s Guide...
  • Page 251: The Inbound Lb Member Add/Edit Screen

    The Add Load Balancing Member screen allows you to add a member interface for the DNS load balancing rule. Click Configuration > Network > Inbound LB > Add or Edit and then an Add or Edit icon to open this screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 252 DNS query senders. Custom Select this and enter another IP address to send to the DNS query senders. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 253: Authentication Policy

    Authentication Policy and VPN Authentication policies are applied based on a traffic flow’s source and destination IP addresses. If VPN traffic matches an authentication policy’s source and destination IP addresses, the user must pass authentication. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 254: Authentication Policy Screen

    18.2 Authentication Policy Screen The Authentication Policy screen displays the authentication policies you have configured on the ZyWALL. Click Configuration > Auth. Policy to display the screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 255 Keeping DNS as a member allows users’ computers to resolve domain names into IP addresses. Figure 151 Configuration > Auth. Policy > Add Exceptional Service In the table, select one or more entries and click Remove to delete it or them. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 256: Creating/Editing An Authentication Policy

    Click this button to return the screen to its last-saved settings. 18.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 257 This field is available for the default policy. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no) for packets that match the default policy. See Chapter 38 on page 485 for more on logs.
  • Page 258: User-Aware Access Control Example

    Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK. Figure 153 Configuration > Object > User/Group > User > Add Repeat this process to set up the remaining user accounts. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 259: Set Up User Groups

    Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key. Select case-sensitive if the RADIUS server checks user name casing. Click Apply. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 260 Select Enable. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK. Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 261: User Group Authentication Using The Radius Server

    If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 262 Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius. Figure 160 Configuration > Object > User/Group > User > Add Repeat this process to set up the remaining groups of user accounts. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 265: Chapter 19 Firewall

    Firewall rules are grouped based on the direction of travel of packets to which they apply. Here is example firewall behavior for traffic going through the ZyWALL in various directions. See the Configuration > Firewall screen for default firewall behavior. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 266 See Chapter 37 on page 443 for more information about service control (remote management). The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 267 ZyWALL. The ZyWALL lets you limit the number of concurrent NAT/firewall sessions a client can use. Finding Out More • See Section 19.4 on page 276 for an example of creating firewall rules as part of configuring user-aware access control. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 268: The Firewall Screen

    Specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction. Note the following. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 269 LAN IP address as the destination. • The ordering of your rules is very important as rules are applied in sequence. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 270 Figure 163 Configuration > Firewall
  • Page 271 Default displays for the default firewall behavior that the ZyWALL performs on traffic that does not match any other firewall rule. From This is the direction of travel of packets to which the firewall rule applies. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 272: The Firewall Add/Edit Screen

    Table 99 Configuration > Firewall > Add. LABEL: DESCRIPTION. Create new Object: Use to configure any new settings objects that you need to use in this screen. Enable: Select this check box to activate the firewall rule.
  • Page 273: The Session Limit Screen

    Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 274 Status This icon is lit when the entry is active and dimmed when the entry is inactive. This is the index number of a session limit rule. It is not associated with a specific rule. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 275: The Session Limit Add/Edit Screen

    Select the IPv4 source address or address group to which this rule applies. Select any to apply the rule to all IPv4 source addresses. IPv6 Address Select the IPv6 source address or address group to which this rule applies. Select any to apply the rule to all IPv6 source addresses. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 276: Firewall Rule Configuration Example

    Configure it as follows and click OK. Figure 168 Firewall Example: Create an Address Object Click Create new Object > Service to configure a service object for Doom (UDP port 666). Configure it as follows and click OK. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 277 Click OK when you are done. Figure 170 Firewall Example: Edit a Firewall Rule The firewall rule appears in the firewall rule summary. Figure 171 Firewall Example: Doom Rule in Summary ZyWALL 110/310/1100 Series User’s Guide...
  • Page 278: Firewall Rule Example Applications

    • Has a static IP address, • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 173 for information on DHCP). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 279 • The second row blocks LAN1 access to the IRC service on the WAN. • The third row is the firewall’s default policy of allowing all traffic from the LAN1 to go to the WAN. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 280 The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic. If the rule that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 281: Ipsec Vpn

    Here a user uses his browser to securely connect to network resources in the same way as if he were part of the internal network. See Chapter 21 on page 317 for more on SSL VPN. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 282: What You Can Do In This Chapter

    VPN connections into a single secure network. • Use the Configuration Provisioning screen (see Section 20.5 on page 303) to set who can retrieve VPN rule settings from the ZyWALL using the ZyWALL IPSec VPN Client. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 283: What You Need To Know

    Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 284: Before You Begin

    20.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 285: The Vpn Connection Screen

    VPN connection (each IPSec SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 178 Configuration > VPN > IPSec VPN > VPN Connection ZyWALL 110/310/1100 Series User’s Guide...
  • Page 286: The Vpn Connection Add/Edit (Ike) Screen

    The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the Configuration > VPN Connection screen (see Section 20.2 on page 285), and click either the Add icon or an Edit icon. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 287 Figure 179 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
  • Page 288 Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA. Policy Local Policy Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 289 The ZyWALL and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key. Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.
  • Page 290 Make sure one of these is the peer gateway’s LAN Address in the IP address. Remote Policy Select this to have the ZyWALL generate a log every time it checks this VPN connection. Inbound/Outbound traffic NAT Outbound Traffic ZyWALL 110/310/1100 Series User’s Guide...
  • Page 291 These fields are available if the protocol is TCP or UDP. Enter the translated / Mapped Port End destination port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 292: The Vpn Connection Add/Edit Manual Key Screen

    Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA. Figure 180 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key ZyWALL 110/310/1100 Series User’s Guide...
  • Page 293 Select which hash algorithm to use to authenticate packet data in the IPSec SA. Algorithm Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower. The ZyWALL and remote IPSec router must use the same algorithm. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 294: The Vpn Gateway Screen

    ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway. To access this screen, click Configuration > VPN > Network > IPSec VPN > VPN Gateway. The following screen appears. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 295: The Vpn Gateway Add/Edit Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 20.3 on page 294), and click either the Add icon or an Edit icon. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 296 Figure 182 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
  • Page 297 "0x0123456789ABCDEF" is in hexadecimal format; “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. The ZyWALL and remote IPSec router must use the same pre-shared key. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 298 Any - the ZyWALL does not check the identity of the remote IPSec router If the ZyWALL and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate ZyWALL 110/310/1100 Series User’s Guide...
  • Page 299 Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 300 Server Mode Select this if the ZyWALL authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the ZyWALL authenticates this information. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 301: Vpn Concentrator

    VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is a minimum amount of traffic between spoke routers. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 302: Vpn Concentrator Requirements And Suggestions

    Use the VPN Concentrator Add/Edit screen to create or edit a VPN concentrator. To access this screen, go to the VPN Concentrator summary screen (see Section 20.4 on page 301), and click either the Add icon or an Edit icon. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 303: Zywall Ipsec Vpn Client Configuration Provisioning

    VPN rules for the ZyWALL IPSec VPN Client have certain restrictions. They must not contain the following settings: • AH active protocol • NULL encryption • SHA512 authentication • A subnet or range remote policy ZyWALL 110/310/1100 Series User’s Guide...
  • Page 304 Activate To turn on an entry, select it and click Activate. Make sure that Enable Configuration Provisioning is also selected. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 305: Ipsec Vpn Background Information

    IPSec router can have any IP address. In this case, only the remote IPSec router can initiate an IKE SA because the ZyWALL does not know the IP address of the remote IPSec router. This is often used for telecommuters. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 306 • SHA256 (Secure Hash Algorithm) produces a 256-bit digest to authenticate packet data. • SHA512 (Secure Hash Algorithm) produces a 512-bit digest to authenticate packet data. See Diffie-Hellman (DH) Key Exchange on page 307 for more information about DH key groups.
  • Page 307 Remote IPSec router identity, consisting of - ID type - content You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 308 This section provides more information about IKE SA. Negotiation Mode There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 309 • Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.) The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 310 The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 311 If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 312 (for example, mail) from the remote network to a specific computer (like the mail server) in the local network. Each kind of translation is explained below. The following example is used to help explain each one. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 313 For example, in Figure 192 on page 313, you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network (A). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 314 (VPN_GW_EXAMPLE here). Set My Address to Interface and select a WAN interface. Set Peer Gateway Address to Static Address and enter the remote IPSec router’s public IP address (2.2.2.2 here) as the Primary. Set Authentication to Pre-Shared Key and enter 12345678. Click ZyWALL 110/310/1100 Series User’s Guide...
  • Page 315 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Set VPN Gateway to Site-to-site and select the VPN gateway you configured (VPN_GW_EXAMPLE). Set Local Policy to LAN1_SUBNET and Remote Policy to VPN_REMOTE_SUBNET for the remote. Click OK.
  • Page 317: Ssl Vpn

    • limit user access to specific applications or file sharing server on the network. • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 318: The Ssl Access Privilege Screen

    SSL application objects. 21.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 195 VPN > SSL VPN > Access Privilege ZyWALL 110/310/1100 Series User’s Guide...
  • Page 319: The Ssl Access Policy Add/Edit Screen

    Click Reset to discard all changes. 21.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 320 Table 118 VPN > SSL VPN > Access Privilege > Add/Edit. LABEL: DESCRIPTION. Create new Object: Use to configure any new settings objects that you need to use in this screen. Configuration. Enable Policy: Select this option to activate this SSL access policy.
  • Page 321 Select the name of the DNS or WINS server whose information the ZyWALL sends to the Server 1..2 remote users. This allows them to access devices on the local network using domain names instead of IP addresses. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 322: The Ssl Global Setting Screen

    Specify the IP address of the ZyWALL (or a gateway device) for full tunnel mode SSL VPN Extension Local access. Leave this field to the default settings unless it conflicts with another interface. SSL VPN Login Domain Name ZyWALL 110/310/1100 Series User’s Guide...
  • Page 323: How To Upload A Custom Logo

    Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG format. Click Apply to start the file transfer process. Log in as a user to verify that the new logo displays properly. The following shows an example logo on the remote user screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 324: Ssl Vpn Example

    Enable the policy. Enter a descriptive name in the Name field (“SSL-Example” here). Select the users to which to give access (the Sales user group here). Select the SSL application object you created (“WebExample” here). Click OK. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 325 Your computer starts establishing a secure connection to the ZyWALL after the login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, click OK, Yes or Continue. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 326 If the user account is not included in an SSL VPN access policy, the ZyWALL redirects the user to the user aware screen. For more information on user portal screens, refer to Chapter 22 on page 327. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 327: Ssl User Screens

    Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.5 and above ZyWALL 110/310/1100 Series User’s Guide...
  • Page 328: Remote SSL User Login

    Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”. Figure 200 Enter the Address in a Web Browser Click OK or Yes if a security screen displays. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 329 If a certificate warning screen displays, click OK, Yes or Continue. Figure 203 Java Needed Message The ZyWALL tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 330 The ZyWALL tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 206 SecuExtender Progress Click Next to use the setup wizard to install the SecuExtender client on your computer. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 331: The SSL VPN User Screens

    332 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. 22.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 332: Bookmarking The ZyWALL

    ZyWALL using the bookmark without having to enter the address every time. In any remote user screen, click the Add to Favorite icon. A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 333: Logging Out Of The SSL VPN User Screens

    (Web Server) or web-based e-mail using Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 334: SSL User File Sharing

    22.7.1 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) available. The following figure shows an example with one file share. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 335: Opening A File Or Folder

    If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue. Figure 214 File Sharing: Enter Access User Name and Password ZyWALL 110/310/1100 Series User’s Guide...
  • Page 336: Downloading A File

    22.7.4 Saving a File After you have opened a file in a web browser, you can save a copy of the file by clicking File > Save As and following the on-screen instructions. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 337: Creating A New Folder

    Figure 217 File Sharing: Create a New Folder 22.7.6 Renaming a File or Folder To rename a file or folder, select a file or folder and click the Rename icon. Figure 218 File Sharing: Rename ZyWALL 110/310/1100 Series User’s Guide...
  • Page 338: Deleting A File Or Folder

    Click OK to send the file to the file server. After the file is uploaded successfully, you should see the name of the file and a message in the screen. Figure 220 File Sharing: File Upload ZyWALL 110/310/1100 Series User’s Guide...
  • Page 339 Chapter 22 SSL User Screens Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 341: ZyWALL SecuExtender

    • Red: the SSL VPN tunnel is not connected. You cannot connect to the SSL application and network resources. 23.2 Status Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s connection status and activity statistics. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 342: View Log

    If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log. Right-click the ZyWALL SecuExtender icon in the system tray and select Log to open a notepad file of the ZyWALL SecuExtender’s log. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 343: Suspend And Resume The Connection

    23.6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender. Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall ZyWALL SecuExtender. In the confirmation screen, click Yes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 344 Chapter 23 ZyWALL SecuExtender Figure 224 Uninstalling the ZyWALL SecuExtender Confirmation Windows uninstalls the ZyWALL SecuExtender. Figure 225 ZyWALL SecuExtender Uninstallation ZyWALL 110/310/1100 Series User’s Guide...
  • Page 345: L2TP VPN

    • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 346 L2TP tunnels out through a WAN trunk. • Set Incoming to Tunnel and select your L2TP VPN connection. • Set the Source Address to the L2TP address pool. • Set the Next-Hop Type to Trunk and select the appropriate WAN trunk. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 347: L2TP VPN Screen

    The authentication method has the ZyWALL check a user’s user name and password against the ZyWALL’s local database, a remote LDAP, RADIUS, an Active Directory server, or more than one of these. See Chapter 32 on page 409 for how to create authentication method objects. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 348 Type the IP addresses of up to two WINS servers to assign to the remote users. You can specify these IP addresses two ways. Apply Click Apply to save your changes in the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 349: Chapter 25 Bandwidth Management

    In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 350 200 kbps of traffic. • Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 351 DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 352 200 kbps plus 250 kbps for a total of 450 kbps. Table 125 Maximize Bandwidth Usage Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE 300 kbps 550 kbps 200 kbps 450 kbps ZyWALL 110/310/1100 Series User’s Guide...
  • Page 353: The Bandwidth Management Screen

    ZyWALL checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy. Configuration > Bandwidth Management Figure 232 ZyWALL 110/310/1100 Series User’s Guide...
  • Page 354 Obj and the service name displays if you selected Service Object for the service type. A Service Object is a customized pre-defined service or another service. Mouse over the service object name to view the corresponding IP protocol number. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 355: The Bandwidth Management Add/Edit Screen

    To access this screen, go to the Configuration > Bandwidth Management screen (see Section 25.2 on page 353), and click either the Add icon or an Edit icon. Figure 233 Configuration > Bandwidth Management > Edit (For the Default Policy) ZyWALL 110/310/1100 Series User’s Guide...
  • Page 356 (see Chapter 30 on page 396 for details). Otherwise, select none to make the policy always effective. Incoming Interface Select the source interface of the traffic to which this policy applies. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 357 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 358 (no) when any traffic matches this policy. See Chapter 38 on page 485 for more on logs. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 359: Chapter 26 Device HA

    ZyWALL for management whether the ZyWALL is the master or a backup. The management IP address should be in the same subnet as the interface IP address. Synchronization Use synchronization to have a backup ZyWALL copy the master ZyWALL’s configuration and certificates. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 360: Before You Begin

    These are the names of the interfaces that are monitored by device HA. Virtual Router IP / Netmask This is the interface’s IP address and subnet mask. Whichever ZyWALL is the master uses this virtual router IP address and subnet mask. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 361: The Active-Passive Mode Screen

    You can have multiple ZyWALL virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, ZyWALLs A and B form a virtual router that uses cluster ID 1. ZyWALLs C and D form a virtual router that uses cluster ID 2. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 362 IP address. ZyWALL A keeps its LAN management IP address of 192.168.1.5 and ZyWALL B has its own LAN management IP address of 192.168.1.6. These do not change when ZyWALL B becomes the master. Figure 239 Management IP Addresses ZyWALL 110/310/1100 Series User’s Guide...
  • Page 363: Configuring Active-Passive Mode Device HA

    Interface Summary This table shows the status of the device HA settings and status of the ZyWALL’s interfaces. Edit Select an entry and click this to be able to modify it. Activate To turn on an entry, select it and click Activate. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 364 When you select Auto Synchronize, set how often the ZyWALL synchronizes with the master. Next Sync Time This displays the next time and date (in hh:mm yyyy-mm-dd format) at which the ZyWALL will synchronize with the master. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 365: Configuring An Active-Passive Mode Monitored Interface

    A bridge interface’s device HA settings are not retained if you delete the bridge interface. Figure 240 Configuration > Device HA > Active-Passive Mode > Edit Figure 241 Configuration > Device HA > Active-Passive Mode > Edit ZyWALL 110/310/1100 Series User’s Guide...
  • Page 366: Device HA Technical Reference

    The first way is to activate device HA before connecting the bridge interfaces as shown in the following example. Make sure the bridge interfaces of the master ZyWALL (A) and the backup ZyWALL (B) are not connected. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 367 HA. Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA. Connect the ZyWALLs. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 368 Configure a corresponding disabled bridge interface on the backup ZyWALL. Then set the bridge interface as a monitored interface, and activate device HA. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 369 This usually takes two or three minutes or longer depending on the configuration complexity. The following restrictions apply with active-passive mode. • The master ZyWALL must have no inactive monitored interfaces. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 370 Chapter 26 Device HA • The backup ZyWALL cannot be the master. This refers to the actual role at the time of synchronization, not the role setting in the configuration screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 371: Chapter 27 User/Group

    Look at ZyWALL configuration (web, CLI) WWW, TELNET, SSH, Console Perform basic diagnostics (CLI) Access Users user Access network services WWW, TELNET, SSH Browse user-mode commands (CLI) guest Access network services ext-user External user account ext-group-user External group user account ZyWALL 110/310/1100 Series User’s Guide...
  • Page 372 Note: You cannot put access users and admin users in the same user group. Note: You cannot put the default admin account into any user group. The sequence of members in a user group is not important. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 373: User Summary Screen

    See Section 7.3.2 on page 122 for an example. This field is a sequential value, and it is not associated with a specific user. User Name This field displays the user name of each user. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 374: User Add/Edit Screen

    • shutdown • sshd • sync • uucp • zyxel To access this screen, go to the User screen (see Section 27.2 on page 373), and click either the Add icon or an Edit icon. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 375 Timeout Settings If you want the system to use default settings, select Use Default Settings. If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 376: User Group Summary Screen

    Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 377: Group Add/Edit Screen

    Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 378: The User/Group Setting Screen

    You can still manually configure any user account’s authentication timeout settings. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 379 simultaneous logons for access account Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can log in as many times as they want as long as they use different IP addresses. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 380: Default User Authentication Timeout Settings Edit Screens

    To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 27.4 on page 378), and click one of the Default Authentication Timeout Settings section’s Edit icons. Figure 247 Configuration > Object > User/Group > Setting > Edit ZyWALL 110/310/1100 Series User’s Guide...
  • Page 381: User Aware Login Example

    27.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears. Figure 248 Web Configurator for Non-Admin Users ZyWALL 110/310/1100 Series User’s Guide...
  • Page 382: User/Group Technical Reference

    Reauthentication Time. Possible Values: 1-1440 (minutes). The following examples show you how you might set up user attributes in LDAP and RADIUS servers. Figure 249 LDAP Example: Keywords for User Attributes type: admin leaseTime: 99 reauthTime: 199 ZyWALL 110/310/1100 Series User’s Guide...
  • Page 383 Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 39 on page 499 for more information about shell scripts. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 384: Addresses

    The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 385 See Section 7.3.2 on page 122 for an example. This field is a sequential value, and it is not associated with a specific address. Name This field displays the configured name of each address object. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 386: IPv4 Address Add/Edit Screen

    Enter the subnet mask of the network that this address object represents. Use dotted decimal format. Interface If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 387: IPv6 Address Add/Edit Screen

    (STATIC), an IPv6 StateLess Address Auto Configuration IP address (SLAAC), or is obtained from a DHCPv6 server (DHCPv6). Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 388: Address Group Summary Screen

    This field is a sequential value, and it is not associated with a specific address group. Name This field displays the name of each address group. Description This field displays the description of each address group, if any. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 389: Address Group Add/Edit Screen

    Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 390: Chapter 29 Services

    For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 391: The Service Summary Screen

    > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 256 Configuration > Object > Service > Service ZyWALL 110/310/1100 Series User’s Guide...
  • Page 392: The Service Add/Edit Screen

    Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 393: The Service Group Summary Screen

    References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 7.3.2 on page 122 for an example. This field is a sequential value, and it is not associated with a specific service group. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 394: The Service Group Add/Edit Screen

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Description Enter a description of the service group, if any. You can use up to 60 printable ASCII characters. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 395 Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 396: Schedules

    Recurring schedules are useful for defining the workday and off-work hours. Finding Out More • See Section 37.4 on page 445 for information about the ZyWALL’s current date and time. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 397: The Schedule Summary Screen

    This field displays the name of the schedule, which is used to refer to the schedule. Start Time This field displays the time at which the schedule begins. Stop Time This field displays the time at which the schedule ends. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 398: The One-Time Schedule Add/Edit Screen

    Specify the hour and minute when the schedule ends. • Hour - 0 - 23 • Minute - 0 - 59 Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 399: The Recurring Schedule Add/Edit Screen

    Weekly Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 400: Chapter 31 AAA Server

    (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 401: ASAS

    The ZyWALL uses the built-in local user database to authenticate administrative users logging into the ZyWALL’s Web Configurator or network access users logging into the network through the ZyWALL. You can also use the local user database to authenticate VPN users. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 402 A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 403: Active Directory Or LDAP Server Summary

    Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 404 Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 405 Use a user account from the server specified above to test if the configuration is correct. Validation Enter the account’s user name in the Username field and click Test. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 406: RADIUS Server Summary

    Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 407 Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 408 “management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 409: Authentication Method

    Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. Select Server Mode and select an authentication method object from the drop-down list box. Click OK to save the settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 410: Authentication Method Objects

    This field displays a descriptive name for identification purposes. Method List This field displays the authentication method(s) for this entry. 32.2.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. Click Configuration > Object > Auth. Method. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 411 Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 412 ZyWALL does not continue the search on the second authentication server when you enter a username and password that do not match those on the first authentication server. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 413: Certificates

    Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 414 The ZyWALL currently allows the importation of a PKCS#7 file that contains a single certificate. • PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 415: Verifying A Certificate

    Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 273 Remote Host Certificates Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 416: The My Certificates Screen

    Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Figure 275 Configuration > Object > Certificate > My Certificates ZyWALL 110/310/1100 Series User’s Guide...
  • Page 417: The My Certificates Add Screen

    Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 418 You can use alphanumeric characters, the hyphen and the underscore. State, (Province) Identify the state or province where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 419: The My Certificates Edit Screen

    Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 420 The ZyWALL does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh Click Refresh to display the certification path. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 421 You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 422: The My Certificates Import Screen

    The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it. Figure 278 Configuration > Object > Certificate > My Certificates > Import ZyWALL 110/310/1100 Series User’s Guide...
  • Page 423: The Trusted Certificates Screen

    To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 424: The Trusted Certificates Edit Screen

    Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 425 Chapter 33 Certificates Figure 280 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL 110/310/1100 Series User’s Guide...
  • Page 426 This field displays the certificate’s identification number given by the certification authority. Subject This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 427: The Trusted Certificates Import Screen

    33.3.2 The Trusted Certificates Import Screen Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ZyWALL. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 428: Certificates Technical Reference

    The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 429: ISP Accounts

    References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 7.3.2 on page 122 for an example. This field is a sequential value, and it is not associated with a specific entry. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 430: ISP Account Edit

    This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Options are: pppoe - This ISP account uses the PPPoE protocol. pptp - This ISP account uses the PPTP protocol. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 431 ISP Account Edit screen. Cancel Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 432: Chapter 35 SSL Application

    This is useful for troubleshooting, support, administration, and remote access to files and programs. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 433: Example: Specifying A Web Site For Access

    Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the Address field, enter “http://info”. Select Web Page Encryption to prevent users from saving the web content. Click OK to save the settings. The configuration screen should look similar to the following figure. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 434: The Ssl Application Screen

    Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 7.3.2 on page 122 for an example. This field displays the index number. Name This field displays the name of the object.
  • Page 435: Creating/Editing An Ssl Application Object

    Note: If you are creating a file sharing SSL application, you must also configure the shared folder on the file server for remote access. Refer to the document that comes with your file server. Figure 287 Configuration > Object > SSL Application > Add/Edit: Web Application ZyWALL 110/310/1100 Series User’s Guide...
  • Page 436 Remote users are restricted to access only files in this directory. For example, if you enter “\remote\” in this field, remote users can only access files in the “remote” directory. If a link contains a file that is not within this domain, then remote users cannot access it. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 437 “\Tmp” share on the “my-server” computer. Click OK to save the changes and return to the main SSL Application Configuration screen. Cancel Click Cancel to discard the changes and return to the main SSL Application Configuration screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 438: Dhcpv6

    See Section 7.3.2 on page 122 for an example. This field is a sequential value, and it is not associated with a specific object. Name This field displays the name of each request object. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 439: Dhcpv6 Request Add/Edit Screen

    36.3 The DHCPv6 Lease Screen The Lease screen allows you to add, edit, and remove DHCPv6 lease type objects. To access this screen, login to the Web Configurator, and click Configuration > Object > DHCPv6 > Lease. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 440: Dhcpv6 Lease Add/Edit Screen

    The Lease Add/Edit screen allows you to create a new lease object or edit an existing one. To access this screen, go to the Lease screen (see Section 36.3 on page 439), and click either the Add icon or an Edit icon. Figure 292 Configuration > DHCPv6 > Lease > Add ZyWALL 110/310/1100 Series User’s Guide...
  • Page 441 If you select DNS Server, NTP Server, or SIP Server as your lease type, you must enter the IP address of the server you selected. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 443: System

    ZyWALL’s Web Configurator screens. • Use the System > IPv6 screen (see Section 37.13 on page 483) to enable or disable IPv6 support on the ZyWALL. Note: See each section for related background information and term definitions. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 444: Host Name

    Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system. Click Configuration > System > USB Storage to open the screen as shown next. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 445: Date And Time

    To change your ZyWALL’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the ZyWALL’s time and date or have the ZyWALL get the date and time from a time server. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 446 This field displays the last updated date from the time server or the last date configured (yyyy-mm-dd) manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 447 For example, if you set this field to 3.5, a log that occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings.
  • Page 448: Pre-Defined Ntp Time Servers List

    Enter the ZyWALL’s date in the New Date field. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 449: Console Port Speed

    The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the ZyWALL Web Configurator Status screen. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 450: Dns Overview

    VPN, DDNS and the time server. You can also configure the ZyWALL to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices. Figure 298 Configuration > System > DNS ZyWALL 110/310/1100 Series User’s Guide...
  • Page 451 Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 452: Address Record

    ZyWALL can send the IP address in a DNS response without having to query a DNS name server. 37.6.4 PTR Record A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 453: Adding An Address/Ptr Record

    For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. 37.6.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 454: Mx Record

    Each host or domain can have only one MX record, that is, one domain is mapping to one host. 37.6.9 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 455: Adding A Dns Service Control Rule

    Select Accept to have the ZyWALL allow the DNS queries from the specified computer. Select Deny to have the ZyWALL reject the DNS queries from the specified computer. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving ZyWALL 110/310/1100 Series User’s Guide...
  • Page 456: Www Overview

    (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 457: Configuring Www Service Control

    ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from. Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 458 The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use “https://ZyWALL IP Address:8443” as the URL. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 459 ZyWALL (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the ZyWALL. Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 460: Service Control Rules

    Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 305 Configuration > System > Service Control Rule > Edit ZyWALL 110/310/1100 Series User’s Guide...
  • Page 461: Customizing The Www Login Page

    Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 27 on page 371 for more on access user accounts. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 462 Figure 306 Configuration > System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages.
  • Page 463 (last line of text) Window Background You can specify colors in one of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 464 Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen’s text. Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 465: Https Example

    Click Technical Details if you want to verify more information about the certificate from the ZyWALL. Select I Understand the Risks and then click Add Exception to add the ZyWALL to the security exception list. Click Confirm Security Exception. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 466 Chapter 37 System Figure 310 Security Certificate 1 (Firefox) Figure 311 Security Certificate 2 (Firefox) 37.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings: •...
  • Page 467 The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 37.7.7.5.1 Installing the CA’s Certificate Double click the CA’s trusted certificate to produce a screen similar to the one shown next. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 468 You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. Click Next to begin the wizard.
  • Page 469 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 316 Personal Certificate Import Wizard 2 Enter the password given to you by the CA. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 470 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 318 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 471 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 472: Ssh

    In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 473: How Ssh Works

    After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 474: Ssh Implementation On The Zywall

    SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 33 on page 413 for details). Service Control This specifies from which computers you can access which ZyWALL zones. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 475: Secure Telnet Using Ssh Examples

    A window displays prompting you to store the host key on your computer. Click Yes to continue. Figure 327 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The CLI screen displays next.
  • Page 476: Telnet

    Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 477 This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 478: Ftp

    Refer to Table 185 on page 461 for details on the screen that opens. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 479: Snmp

    Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 480: Supported Mibs

    The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect ZyWALL 110/310/1100 Series User’s Guide...
  • Page 481: Snmp Traps

    Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 482 To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 483: Language Screen

    Click Configuration > System > IPv6 to open the following screen. Use this screen to enable IPv6 support for the ZyWALL’s Web Configurator screens. See the IPv6 Overview on page 106 for more information about IPv6.
  • Page 484 Interface > Ethernet, VLAN, and Bridge screens. The ZyWALL discards all IPv6 packets if you clear this check box. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 485: Log And Report

    Note: Data collection may decrease the ZyWALL’s traffic throughput rate. Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 486 Select this check box if it is necessary to provide a user name and password to the SMTP Authentication server. User Name This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is e-mailed. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 487: Log Setting Screens

    Category Settings screen to edit what information is included in the system log, USB storage, e-mail profiles, and remote servers. 38.3.1 Log Setting Summary To access this screen, click Configuration > Log & Report > Log Setting.
  • Page 488 Section 38.3.2 on page 489 for more information. Log Category Settings Click this button to open the Log Category Settings Edit screen. Apply Click this button to save your changes (activate and deactivate logs) and make them take effect.
  • Page 489: Edit System Log Settings

    Go to the Log Settings Summary screen (see Section 38.3.1 on page 487), and click the system log Edit icon. Figure 338 Configuration > Log & Report > Log Setting > Edit (System Log) ZyWALL 110/310/1100 Series User’s Guide...
  • Page 490 1 settings. enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1. enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 1. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 491: Edit Log On Usb Storage Setting

    The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 38.3.1 on page 487), and click the USB storage Edit icon. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 492 Figure 339 Configuration > Log & Report > Log Setting > Edit (USB Storage)
  • Page 493: Edit Remote Server Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 38.3.1 on page 487), and click a remote server Edit icon. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 494 Figure 340 Configuration > Log & Report > Log Setting > Edit (Remote Server)
  • Page 495: Log Category Settings Screen

    (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 38.3.1 on page 487), and click the Log Category Settings button. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 496 This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 38.3.2 on page 489, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL 110/310/1100 Series User’s Guide...
  • Page 497 This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 498 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 499: File Manager

    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 500: Comments In Configuration Files Or Shell Scripts

    Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode.
  • Page 501: The Configuration File Screen

    Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 502 The ZyWALL still generates a log for any errors. Figure 343 Maintenance > File Manager > Configuration File Do not turn off the ZyWALL while configuration file upload is in progress. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 503 Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
  • Page 504 This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 505: The Firmware Package Screen

    Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”. The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress! ZyWALL 110/310/1100 Series User’s Guide...
  • Page 506 After five minutes, log in again and check your new firmware version in the Dashboard screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 507: The Shell Script Screen

    Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 351 Maintenance > File Manager > Shell Script ZyWALL 110/310/1100 Series User’s Guide...
  • Page 508 This column displays the label that identifies a shell script file. Size This column displays the size (in KB) of a shell script file. Last Modified This column displays the date and time that the individual shell script files were last changed or saved. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 509 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 510: Diagnostics

    The Diagnostic screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 354 Maintenance > Diagnostics ZyWALL 110/310/1100 Series User’s Guide...
  • Page 511: The Diagnostics Files Screen

    Select files and click Remove to delete them from the ZyWALL. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 512: The Packet Capture Screen

    Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. Figure 356 Maintenance > Diagnostics > Packet Capture ZyWALL 110/310/1100 Series User’s Guide...
  • Page 513 Duration field expires. Split threshold Specify a maximum size limit in megabytes for individual packet capture files. After a packet capture file reaches this size, the ZyWALL starts another packet capture file. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 514: The Packet Capture Files Screen

    You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. Figure 357 Maintenance > Diagnostics > Packet Capture > Files ZyWALL 110/310/1100 Series User’s Guide...
  • Page 515: Core Dump Screen

    (crashes). If you clear this option the ZyWALL only saves Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 516: Core Dump Files Screen

    USB storage device. The files are in comma separated value (csv) format. You can download them to your computer and open them in a tool like Microsoft’s Excel. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 517 This column displays the label that identifies the file. Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 518: Packet Flow Explore

    • select use policy routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen. Note: Once a packet matches the criteria of a routing rule, the ZyWALL takes the corresponding action and does not perform any further flow checking. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 519 Figure 362 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 363 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 364 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN) ZyWALL 110/310/1100 Series User’s Guide...
  • Page 520 Figure 366 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 367 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 368 Maintenance > Packet Flow Explore > Routing Status (Main Route) ZyWALL 110/310/1100 Series User’s Guide...
  • Page 521 This is the name of an activated 1:1 or Many 1:1 NAT rule in the NAT table. Source This is the original source IP address(es). any means any IP address. Destination This is the original destination IP address(es). any means any IP address. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 522: The Snat Status Screen

    Note: Once a packet matches the criteria of an SNAT rule, the ZyWALL takes the corresponding action and does not perform any further flow checking. Figure 369 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT) ZyWALL 110/310/1100 Series User’s Guide...
  • Page 523 This field is a sequential value, and it is not associated with any entry. NAT Rule This is the name of an activated NAT rule which uses SNAT. Source This is the original source IP address(es). ZyWALL 110/310/1100 Series User’s Guide...
  • Page 524 This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the ZyWALL uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 525: Chapter 42 Reboot

    Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 526: Shutdown

    Click the Shutdown button to shut down the ZyWALL. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the ZyWALL.
  • Page 527: Chapter 44 Troubleshooting

    (such as a DSL modem) is working properly. • Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 528 You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it. My rules and settings that apply to a particular interface no longer work. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 529 The ZyWALL is not scanning some zipped files. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 530 WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate ZyWALL 110/310/1100 Series User’s Guide...
  • Page 531 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 532 IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface. I cannot get the RADIUS server to authenticate the ZyWALL’s default admin account.
  • Page 533 A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyWALL currently allows the importation of a PKCS #7 file that contains a single certificate.
  • Page 534 The commands in my configuration file or shell script are not working properly. • In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the ZyWALL treat the line as a comment. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 535: Resetting The Zywall

    ZyWALL should still be available afterwards. Use the following procedure to reset the ZyWALL to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file. Note: This procedure removes the current configuration. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 536: Getting More Troubleshooting Help

    Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 44.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 537: Appendix A Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 538 Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one. • Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. ZyWALL 110/310/1100 Series User’s Guide...
  • Page 539 of which the equipment is composed. Unauthorized disposal of the product by the holder entails the application of the administrative penalties provided for by the regulations in force." ROHS
  • Page 541: Index

    RADIUS group and SSH see also RADIUS and Telnet access and VPN connections Access Point Name, see APN and WWW HOST access users 371, 373 RANGE custom page SUBNET forcing login types of idle timeout
  • Page 542 CA (Certificate Authority), see certificates and routing protocols capturing packets 209, 306 card SIM SHA1 text CEF (Common Event Format) 488, 495 Authentication Header, see AH cellular authentication method objects interfaces and users
  • Page 543 CPU usage 72, 74 Challenge Handshake Authentication Protocol current date/time 71, 445 (CHAP) and schedules CHAP (Challenge Handshake Authentication daylight savings Protocol) setting manually CHAP/PAP time server 20, 24 current user list button custom
  • Page 544 Dynamic Host Configuration Protocol, see DHCP. addresses dynamic peers in IPSec device High Availability see device HA DynDNS DHCP 173, 444 DynDNS see also DDNS and DNS servers Dynu and domain name and interfaces client list
  • Page 545 71, 506 IKE SA getting updated ext-user uploading 505, 506 troubleshooting uploading with FTP firmware upload troubleshooting flash usage forcing login FCC interference statement FQDN file extensions configuration files additional signaling port shell scripts
  • Page 546 HTTPS incoming bandwidth 137, 146 and certificates ingress bandwidth 137, 146 authenticating clients interface avoiding warning messages
  • Page 547 Internet Protocol version 6, see IPv6 transport encapsulation IP policy routing, see policy routes tunnel encapsulation IP pool VPN gateway IP protocols IPSec SA and service objects active protocol ICMP, see ICMP and firewall 267, 532
  • Page 548 CHAP port 404, 407 CHAP/PAP search time limit MPPE MSCHAP user attributes MSCHAP-V2 least connection algorithm least load algorithm ISP accounts least load first load balancing and PPPoE/PPTP interfaces 126, 429 LED troubleshooting authentication type
  • Page 549 ALG 233, 235 and firewall and interfaces and policy routes 188, 195 MAC address and to-ZyWALL firewall and VLAN and VoIP pass through Ethernet interface and VPN range loopback management access port forwarding, see NAT
  • Page 550 Perfect Forward Secrecy (PFS) authentication method Diffie-Hellman key group autonomous system (AS) Personal Identification Number code, see PIN code backbone PFS (Perfect Forward Secrecy) configuration steps 290, 311 direction physical ports link cost packet statistics 80, 81
  • Page 551 IPSec PPPoE/PPTP interfaces Remote Authentication Dial-In User Service, see 104, 125 RADIUS and ISP accounts 126, 429 basic characteristics remote desktop connections gateway Remote Desktop Protocol subnet mask see RDP PPTP remote management
  • Page 552 OSPF Session Initiation Protocol, see SIP Rivest, Shamir and Adleman public-key algorithm (RSA) session limits 267, 273 round robin session monitor (L2TP VPN) routing sessions troubleshooting sessions usage 72, 75
  • Page 553 432, 435 Source Network Address Translation, see SNAT web-based example spillover (for load balancing) SSL policy and address groups edit and address objects objects used and certificates SSL VPN and zones access policy client requirements
  • Page 554 71, 444 DDNS system reports, see reports device access system uptime ext-user system-default.conf firewall firmware upload HTTP redirect interface Internet access 527, 532 IPSec VPN LEDs connections logo port numbers logs
  • Page 555 379, 381 flash default reauthentication time 379, 381 memory 72, 75 default type for Ext-User onboard flash ext-group-user (type) sessions 72, 75 Ext-User (type) user authentication ext-user (type) external groups, see user groups
  • Page 556 Windows Internet Naming Service, see WINS and the firewall Windows Internet Naming Service, see WINS. basic troubleshooting Windows Remote Desktop hub-and-spoke, see VPN concentrator WINS 120, 157, 169, 174, 321 IKE SA, see IKE SA in L2TP VPN IPSec
  • Page 557 HTTP, HTTPS zipped files troubleshooting zones and firewall 265, 271 and FTP and interfaces and SNMP and SSH and Telnet and VPN and WWW extra-zone traffic inter-zone traffic intra-zone traffic types of traffic

This manual is also suitable for:

Zywall 1100 series, Zywall 110 series, Zywall 310 series
