ZyXEL Communications ZyWall 70 User Manual

Internet security appliance

ZyWALL 70
Internet Security Appliance
User's Guide
Version 3.64
3/2005
Summary of Contents for ZyXEL Communications ZyWall 70

  • Page 1 ZyWALL 70 Internet Security Appliance User’s Guide Version 3.64 3/2005...
  • Page 3: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 4: Federal Communications Commission (FCC) Interference Statement

    ZyWALL 70 User’s Guide Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 5: Safety Warnings

    Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device.
  • Page 6: ZyXEL Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During...
  • Page 7: Customer Support

    Customer Support Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 8 Customer Support (continued): LOCATION UNITED KINGDOM; SUPPORT E-MAIL technical@zyxel.co.uk; SALES E-MAIL sales@zyxel.co.uk; TELEPHONE +44 (0) 8702 909090, +44 (0) 8702 909091; WEB SITE www.zyxel.co.uk; FTP SITE ftp.zyxel.co.uk; REGULAR MAIL ZyXEL Communications UK Ltd., 11, The Courtyard, Eastern Road, Bracknell,...
  • Page 9: Table Of Contents

    List of Tables ......................39 Preface ........................47 Chapter 1 Getting to Know Your ZyWALL ................49 1.1 ZyWALL 70 Internet Security Appliance Overview ..........49 1.2 Physical Features ....................49 1.2.1 Non-Physical Features ................51 1.3 Applications for the ZyWALL ................56 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem ....56 1.3.2 VPN Application ..................56...
  • Page 10 2.4.5 DHCP Table Screen .................71 2.4.6 VPN Status ....................72 Chapter 3 Wizard Setup ......................75 3.1 Wizard Setup Overview ..................75 3.2 Internet Access ....................75 3.2.1 ISP Parameters ..................75 3.2.1.1 Ethernet ...................75 3.2.1.2 PPPoE Encapsulation ..............77 3.2.1.3 PPTP Encapsulation ...............78 3.2.2 Internet Access Wizard Setup Complete ..........80...
  • Page 11 Chapter 6 Wireless LAN ......................109 6.1 Introduction ......................109 6.1.1 Additional Installation Requirements for Using 802.1x ......109 6.2 Wireless Security .....................109 6.3 Security Parameters Summary ................110 6.4 WEP Encryption ....................111 6.5 802.1x Overview ....................111 6.6 Dynamic WEP Key Exchange ................
  • Page 12 7.7.2 Weighted Round Robin ................139 7.7.3 Spillover ....................140 7.7.3.1 WAN IP Address Assignment ............141 7.7.3.2 DNS Server Address Assignment ..........142 7.7.3.3 WAN MAC Address ...............142 7.8 Configuring WAN Setup ...................143 7.8.1 Ethernet Encapsulation ................143 7.8.2 PPPoE Encapsulation ................146 7.8.3 PPTP Encapsulation ................150...
  • Page 13 9.5.3 TCP Security ...................175 9.5.4 UDP/ICMP Security ................176 9.5.5 Upper Layer Protocols ................176 9.6 Guidelines For Enhancing Security With Your Firewall ........177 9.7 Packet Filtering Vs Firewall ................177 9.7.1 Packet Filtering: ..................177 9.7.1.1 When To Use Filtering ..............177 9.7.2 Firewall ....................178...
  • Page 14 11.1.3 Customize Web Site Access ..............201 11.2 General Content Filter Configuration ..............201 11.3 Content Filtering with an External Database ..........204 11.4 Categories and Registering ................204 11.5 Customization ....................211 11.6 Customizing Keyword Blocking URL Checking ..........214 11.6.1 Domain Name or IP Address URL Checking ........214 11.6.2 Full Path URL Checking ................214...
  • Page 15 13.4 IPSec and NAT ....................232 Chapter 14 VPN Screens......................235 14.1 VPN/IPSec Overview ..................235 14.2 IPSec Algorithms ....................235 14.2.1 AH (Authentication Header) Protocol ............235 14.2.2 ESP (Encapsulating Security Payload) Protocol ........235 14.3 My ZyWALL ....................236 14.4 Remote Gateway Address ................236 14.4.1 Dynamic Remote Gateway Address .............237...
  • Page 16 15.2 Self-signed Certificates ..................268 15.3 Configuration Summary .................268 15.4 My Certificates ....................269 15.5 Certificate File Formats ..................270 15.6 Importing a Certificate ..................271 15.7 Creating a Certificate ..................272 15.8 My Certificate Details ..................274 15.9 Trusted CAs ....................277 15.10 Importing a Trusted CA’s Certificate .............279...
  • Page 17 17.5.3 Configuring Servers Behind Port Forwarding (Example) ......307 17.5.4 NAT and Multiple WAN .................308 17.5.5 Port Translation ..................308 17.6 Configuring Port Forwarding ................309 17.7 Configuring Trigger Port .................311 Chapter 18 Static Route ......................315 18.1 Static Route Overview ..................315 18.2 Configuring IP Static Route ................315...
  • Page 18 20.11.2 Bandwidth Management Statistics ............337 20.12 Configuring Monitor ..................338 Chapter 21 DNS........................341 21.1 DNS Overview ....................341 21.2 DNS Server Address Assignment ..............341 21.3 DNS Servers ....................341 21.4 Address Record .....................342 21.4.1 DNS Wildcard ..................342 21.5 Name Server Record ..................342 21.5.1 Private DNS Server ................342...
  • Page 19 22.9.2 Example 2: Linux ..................365 22.10 Secure FTP Using SSH Example ..............366 22.11 Telnet ......................367 22.12 Configuring TELNET ..................367 22.13 Configuring FTP ...................368 22.14 Configuring SNMP ..................369 22.14.1 Supported MIBs .................371 22.14.2 SNMP Traps ..................371 22.14.3 REMOTE MANAGEMENT: SNMP ............371 22.15 Configuring DNS ..................373...
  • Page 20 25.2 General Setup ....................397 25.2.1 General Setup and System Name ............397 25.2.2 Domain Name ..................397 25.3 Configuring Password ..................398 25.4 Pre-defined NTP Time Servers List ..............399 25.5 Configuring Time and Date ................400 25.5.1 Resetting the Time ................402 25.5.2 Time Server Synchronization ..............402...
  • Page 21 28.5 Advanced WAN Setup ..................431 28.6 Remote Node Profile (Backup ISP) ..............433 28.7 Editing PPP Options ..................435 28.8 Editing TCP/IP Options ..................435 28.9 Editing Login Script ..................437 28.10 Remote Node Filter ..................439 Chapter 29 LAN Setup......................441 29.1 Introduction to LAN Setup ................441...
  • Page 22 33.2 Remote Node Setup ..................461 33.3 Remote Node Profile Setup ................461 33.3.1 Ethernet Encapsulation .................462 33.3.2 PPPoE Encapsulation ................463 33.3.2.1 Outgoing Authentication Protocol ..........464 33.3.2.2 Nailed-Up Connection ..............464 33.3.2.3 Metric ..................464 33.3.3 PPTP Encapsulation ................465 33.4 Edit IP ......................466 33.5 Remote Node Filter ..................468...
  • Page 23 37.2 Configuring a Filter Set ..................498 37.2.1 Configuring a Filter Rule ...............499 37.2.2 Configuring a TCP/IP Filter Rule ............500 37.2.3 Configuring a Generic Filter Rule ............502 37.3 Example Filter ....................504 37.4 Filter Types and NAT ..................506 37.5 Firewall Versus Filters ..................506...
  • Page 24 40.3.8 GUI-based TFTP Clients ..............528 40.3.9 Backup Via Console Port ..............528 40.4 Restore Configuration ..................529 40.4.1 Restore Using FTP ................529 40.4.2 Restore Using FTP Session Example ..........531 40.4.3 Restore Via Console Port ..............531 40.5 Uploading Firmware and Configuration Files ..........532 40.5.1 Firmware File Upload ................532...
  • Page 25 Chapter 44 Call Scheduling ....................559 44.1 Introduction to Call Scheduling ..............559 Chapter 45 Troubleshooting ....................563 45.1 Problems Starting Up the ZyWALL ..............563 45.2 Problems with the LAN Interface ..............563 45.3 Problems with the DMZ Interface ..............564 45.4 Problems with the WAN Interface ..............565...
  • Page 26 Importing Certificates ..................645 Appendix L Command Interpreter................... 657 Appendix M Firewall Commands ..................... 659 Appendix N NetBIOS Filter Commands .................. 665 Appendix O Certificates Commands ..................669 Appendix P Brute-Force Password Guessing Protection............. 673 Appendix Q Boot Commands ....................
  • Page 27: List Of Figures

    List of Figures Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ........ 56 Figure 2 VPN Application ....................57 Figure 3 ZyWALL Front Panel ..................... 57 Figure 4 Change Password Screen ..................60 Figure 5 Replace Certificate Screen ...................
  • Page 28 Figure 39 Wireless: No Access 802.1x + Static WEP ............126 Figure 40 MAC Address Filter ..................... 128 Figure 41 EAP Authentication ..................... 129 Figure 42 Least Load First Example .................. 133 Figure 43 Weighted Round Robin Algorithm Example ............134 Figure 44 Spillover Algorithm Example ................
  • Page 29 Figure 82 Content Filter : Categories .................. 205 Figure 83 Content Filter: Customization ................212 Figure 84 Content Filter: Cache ..................215 Figure 85 myZyXEL.com Login Screen ................218 Figure 86 myZyXEL.com Account Registration ..............219 Figure 87 Account Registration Successful ................
  • Page 30 Figure 125 My Certificate Details ..................275 Figure 126 Trusted CAs ...................... 278 Figure 127 Trusted CA Import ..................... 279 Figure 128 Trusted CA Details .................... 281 Figure 129 Trusted Remote Hosts ..................284 Figure 130 Remote Host Certificates .................. 285 Figure 131 Certificate Details .....................
  • Page 31 Figure 168 WWW ........................ 356 Figure 169 Security Alert Dialog Box (Internet Explorer) ............ 357 Figure 170 Security Certificate 1 (Netscape) ..............358 Figure 171 Security Certificate 2 (Netscape) ..............358 Figure 172 Login Screen (Internet Explorer) ............... 360 Figure 173 Login Screen (Netscape) ..................
  • Page 32 Figure 211 Configuration ..................... 410 Figure 212 Configuration Upload Successful ..............411 Figure 213 Network Temporarily Disconnected ..............411 Figure 214 Configuration Upload Error ................412 Figure 215 Reset Warning Message ................... 412 Figure 216 Restart Screen ....................413 Figure 217 Initial Screen .....................
  • Page 33 Figure 254 Menu 11: Remote Node Setup ................461 Figure 255 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ......462 Figure 256 Menu 11.1: Remote Node Profile for PPPoE Encapsulation ......464 Figure 257 Menu 11.1: Remote Node Profile for PPTP Encapsulation ....... 466 Figure 258 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation...
  • Page 34 Figure 296 Menu 21.1.1.1: Generic Filter Rule ..............503 Figure 297 Telnet Filter Example ..................504 Figure 298 Example Filter: Menu 21.1.3.1 ................505 Figure 299 Example Filter Rules Summary: Menu 21.1.3 ..........505 Figure 300 Protocol and Device Filter Sets ................. 506 Figure 301 Filtering LAN Traffic ..................
  • Page 35 Figure 339 Call History ......................543 Figure 340 Menu 24: System Maintenance ................ 544 Figure 341 Menu 24.10 System Maintenance: Time and Date Setting ....... 544 Figure 342 Menu 24.11 – Remote Management Control ............ 548 Figure 343 Menu 25: Sample IP Routing Policy Summary ..........
  • Page 36 Figure 382 Example Message Exchange between Computer and an ANT ......607 Figure 383 Peer-to-Peer Communication in an Ad-hoc Network ........609 Figure 384 Basic Service Set ....................610 Figure 385 Infrastructure WLAN ..................611 Figure 386 RTS/CTS ......................612 Figure 387 EAP Authentication ...................
  • Page 37 Figure 425 Personal Certificate Import Wizard 6 ..............654 Figure 426 Access the ZyWALL Via HTTPS ............... 654 Figure 427 SSL Client Authentication ................. 655 Figure 428 ZyWALL Secure Login Screen ................655 Figure 429 Option to Enter Debug Mode ................675 Figure 430 Boot Module Commands ..................
  • Page 39: List Of Tables

    List of Tables Table 1 Front Panel LEDs ....................57 Table 2 Web Configurator HOME Screen in Router Mode ..........63 Table 3 Web Configurator HOME Screen in Bridge Mode ..........65 Table 4 Bridge and Router Mode Features Comparison ............ 66 Table 5 Screens Summary ....................
  • Page 40 Table 39 Load Balancing: Spillover ..................141 Table 40 Private IP Address Ranges ................. 141 Table 41 Example of Network Properties for LAN Servers with Fixed IP Addresses ..142 Table 42 WAN: Ethernet Encapsulation ................144 Table 43 WAN: PPPoE Encapsulation ................
  • Page 41 Table 82 Telecommuters Using Unique VPN Rules Example ..........265 Table 83 My Certificates ..................... 269 Table 84 My Certificate Import ................... 272 Table 85 My Certificate Create ................... 273 Table 86 My Certificate Details ................... 276 Table 87 Trusted CAs ......................
  • Page 42 Table 125 DDNS ........................ 351 Table 126 WWW ........................ 356 Table 127 SSH ........................364 Table 128 Telnet ......................... 368 Table 129 FTP ........................369 Table 130 SNMP Traps ...................... 371 Table 131 SNMP ........................ 372 Table 132 DNS ........................
  • Page 43 Table 168 Menu 11.3.3: Remote Node Script ..............439 Table 169 Menu 3.2: DHCP Ethernet Setup Fields ............443 Table 170 Menu 3.2: LAN TCP/IP Setup Fields ..............443 Table 171 Menu 3.2.1: IP Alias Setup ................445 Table 172 Menu 3.5: Wireless LAN Setup .................
  • Page 44 Table 211 Menu 25.1: IP Routing Policy Setup ..............553 Table 212 Menu 25.1.1: IP Routing Policy Setup ............... 555 Table 213 Schedule Set Setup ................... 560 Table 214 Troubleshooting the Start-Up of Your ZyWALL ..........563 Table 215 Troubleshooting the LAN Interface ..............
  • Page 45 Table 254 PPP Logs ......................681 Table 255 UPnP Logs ......................681 Table 256 Content Filtering Logs ..................681 Table 257 Attack Logs ......................682 Table 258 Remote Management Logs ................683 Table 259 Wireless Logs ....................684 Table 260 IPSec Logs ......................
  • Page 47: Preface

    Help us help you! E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
  • Page 48: Syntax Conventions

    Syntax Conventions • “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font.
  • Page 49: Getting To Know Your ZyWALL

    This chapter introduces the main features and applications of the ZyWALL. ZyWALL 70 Internet Security Appliance Overview The ZyWALL 70 Internet security gateway is designed for medium-sized businesses that need the increased throughput and reliability of dual WAN ports and load balancing. The ZyWALL is loaded with security features including VPN, firewall, content filtering, and certificates.
  • Page 50: Dial Backup WAN

    The 10/100 Mbps auto-negotiating Ethernet ports allow the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention. They allow data transfer at either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode, depending on your Ethernet network.
  • Page 51: Non-Physical Features

    1.2.1 Non-Physical Features Load Balancing The ZyWALL improves quality of service and maximizes bandwidth utilization by dividing traffic loads between the two WAN interfaces (or ports). Transparent Firewall Transparent firewall is also known as a bridge firewall. The ZyWALL can act as a bridge and still have the capability of filtering and inspecting the packets between a router and the LAN, or two routers.
  • Page 52 Certificates The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication. The ZyWALL uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 53: Wireless LAN MAC Address Filtering

    IEEE 802.1x for Network Security The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.11 to enhance user authentication. With the local user profile, the ZyWALL allows you to configure up to 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server.
  • Page 54: Dynamic DNS Support

    Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
  • Page 55: Traffic Redirect

    Traffic Redirect Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails. Port Forwarding Use this feature to forward incoming service requests to a server on your local network.
  • Page 56: Applications For The ZyWALL

    1.3 Applications for the ZyWALL Here are some examples of what you can do with your ZyWALL. 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem You can connect a cable modem, DSL or wireless modem to the ZyWALL for broadband Internet access via the Ethernet or wireless port on the modem.
  • Page 57: Front Panel LEDs

    Figure 2 VPN Application 1.3.3 Front Panel LEDs Figure 3 ZyWALL Front Panel The following table describes the LEDs. Table 1 Front Panel LEDs COLOR STATUS DESCRIPTION The ZyWALL is turned off. Green The ZyWALL is turned on.
  • Page 58 Table 1 Front Panel LEDs (continued) COLOR STATUS DESCRIPTION Green The ZyWALL is not ready or has failed. The ZyWALL is ready and running. Flashing The ZyWALL is restarting. Green The backup port is not connected.
  • Page 59: Introducing The Web Configurator

    CHAPTER 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via an Internet browser.
  • Page 60: Resetting The ZyWALL

    Figure 4 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
  • Page 61: Procedure To Use The Reset Button

    2.3.1 Procedure To Use The Reset Button Make sure the SYS LED is on (not blinking) before you begin this procedure. 1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts.
  • Page 62: Navigating The ZyWALL Web Configurator

    2.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. Note: Follow the instructions you see in the HOME screen or click the icon (lo The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen.
  • Page 63: Table 2 Web Configurator Home Screen In Router Mode

    Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files. Maintenance includes General, Password, Time and Date, Device Mode, F/W (firmware) Upload, Configuration (Backup, Restore, Default), and Restart. The following table describes the labels in this screen.
  • Page 64: Bridge Mode

    Table 2 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Interface This is the port type. Port types are: WAN1, WAN2, Dial Backup, LAN, WLAN and DMZ. Click "+" to expand or "-" to collapse the LAN and DMZ IP alias drop-down lists.
  • Page 65: Figure 8 Web Configurator Home Screen In Bridge Mode

    Figure 8 Web Configurator HOME Screen in Bridge Mode The following table describes the labels not previously discussed (see Table 2 on page 63). Table 3 Web Configurator HOME Screen in Bridge Mode LABEL DESCRIPTION Network Status IP Address This is the IP address of your ZyWALL in dotted decimal notation.
  • Page 66: Navigation Panel

    Table 3 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION Port Status For the WAN, LAN, and DMZ ports, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed. For the WLAN port, it displays Active when WLAN is enabled or Inactive when WLAN is disabled.
  • Page 67: Table 5 Screens Summary

    Table 4 Bridge and Router Mode Features Comparison FEATURE BRIDGE MODE ROUTER MODE UPnP Logs Maintenance Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 68 Table 5 Screens Summary (continued) LINK FUNCTION Customization Use this screen to customize the content filter list. VPN Rules Use this screen to configure VPN connections using IKE key management and view the rule summary.
  • Page 69: System Statistics

    Table 5 Screens Summary (continued) LINK FUNCTION Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL. SNMP Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
  • Page 70: Show Statistics: Line Chart

    Figure 9 Home : Show Statistics The following table describes the labels in this screen. Table 6 Home: Show Statistics LABEL DESCRIPTION Click the icon to display the chart of throughput statistics. Port This is the WAN1, WAN2, Dial Backup, LAN, DMZ or WLAN port.
  • Page 71: DHCP Table Screen

    Figure 10 Home : Show Statistics: Line Chart The following table describes the labels in this screen. Table 7 Home: Show Statistics: Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen.
  • Page 72: VPN Status

    Figure 11 Home : DHCP Table The following table describes the labels in this screen. Table 8 Home: DHCP Table LABEL DESCRIPTION This is the index number of the host computer. IP Address This field displays the IP address relative to the # field listed above.
  • Page 73: Figure 12 Home : VPN Status

    Figure 12 Home : VPN Status The following table describes the labels in this screen. Table 9 Home : VPN Status LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy.
  • Page 75: Chapter 3 Wizard Setup

    CHAPTER 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. This chapter is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview The web configurator's setup wizards help you configure WAN1 on the ZyWALL to access the Internet and edit VPN policies and configure IKE settings to establish a VPN tunnel.
  • Page 76: Figure 13 ISP Parameters : Ethernet Encapsulation

    Figure 13 ISP Parameters : Ethernet Encapsulation The following table describes the labels in this screen. Table 10 ISP Parameters : Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 77: PPPoE Encapsulation

    Table 10 ISP Parameters : Ethernet Encapsulation LABEL DESCRIPTION First DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Second DNS Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not...
  • Page 78: PPTP Encapsulation

    The following table describes the labels in this screen. Table 11 ISP Parameters: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
  • Page 79: Figure 15 ISP Parameters: PPTP Encapsulation

    Figure 15 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 12 ISP Parameters : PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 80: Internet Access Wizard Setup Complete

    Table 12 ISP Parameters : PPTP Encapsulation LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server. PPTP Configuration My IP Address Type the (static) IP address assigned to you by your ISP.
  • Page 81: VPN Wizard

    Figure 16 Internet Access Wizard Setup Complete 3.3 VPN Wizard Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration.
  • Page 82: Figure 17 VPN Wizard: Gateway Setting

    Figure 17 VPN Wizard: Gateway Setting The following table describes the labels in this screen. Table 13 VPN Wizard: Gateway Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 83: Network Setting

    3.3.1 Network Setting Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  • Page 84 Table 14 VPN Wizard : Network Setting LABEL DESCRIPTION Starting IP Address When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 85: IKE Tunnel Setting (IKE Phase 1)

    3.3.2 IKE Tunnel Setting (IKE Phase 1) Figure 19 VPN Wizard: IKE Tunnel Setting The following table describes the labels in this screen. Table 15 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
  • Page 86 Table 15 VPN Wizard: IKE Tunnel Setting (continued) LABEL DESCRIPTION SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 87: IPSec Setting (IKE Phase 2)

    3.3.3 IPSec Setting (IKE Phase 2) Figure 20 VPN Wizard: IPSec Setting The following table describes the labels in this screen. Table 16 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tunnel is compatible with NAT, Transport is not.
  • Page 88: VPN Status Summary

    Table 16 VPN Wizard: IPSec Setting (continued) LABEL DESCRIPTION SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 89: Figure 21 VPN Wizard: VPN Status

    Figure 21 VPN Wizard: VPN Status. The following table describes the labels in this screen. Table 17 VPN Wizard: VPN Status. Gateway Policy Property, Name: This is the name of this VPN gateway policy.
  • Page 90 Table 17 VPN Wizard: VPN Status (continued). Active: This displays whether this VPN network policy is enabled or not. Name: This is the name of this VPN network policy. Network Policy Setting, Local Network, Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
  • Page 91: VPN Wizard Setup Complete

    3.3.5 VPN Wizard Setup Complete. Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL. Figure 22 VPN Wizard Setup Complete. Chapter 3 Wizard Setup...
  • Page 93: Chapter 4 LAN Screens

    Chapter 4 LAN Screens. This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. 4.1 LAN Overview. A Local Area Network (LAN) is a shared communication system to which many computers are attached.
  • Page 94: IP Address and Subnet Mask

    These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured. 4.3.2 IP Address and Subnet Mask. Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
  • Page 95: Multicast

    Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines, since they generally do not listen to the RIP multicast address and so will not receive the RIP packets.
  • Page 96: Figure 23 LAN

    Figure 23 LAN. The following table describes the labels in this screen. Table 18 LAN. LAN TCP/IP, IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 97 Table 18 LAN (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 98: Configuring Static DHCP

    Table 18 LAN (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 4.6 Configuring Static DHCP. This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses.
  • Page 99: Configuring IP Alias

    Table 19 Static DHCP. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 4.7 Configuring IP Alias. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
  • Page 100: Figure 26 IP Alias

    Figure 26 IP Alias. The following table describes the labels in this screen. Table 20 IP Alias. Enable IP Alias 1: Select the check box to configure another LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 101 Table 20 IP Alias. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 103: Chapter 5 Bridge Screens

    Chapter 5 Bridge Screens. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 5.1 Bridge Loop. The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers.
  • Page 104: Rapid STP

    5.2.1 Rapid STP. The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). With RSTP, topology change information does not have to propagate to the root bridge, and unwanted learned addresses are flushed from the filtering database.
  • Page 105: STP Port States

    Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down.
  • Page 106: Figure 28 Bridge

    Figure 28 Bridge. The following table describes the labels in this screen. Table 23 Bridge. Bridge IP Address Setup, IP Address: Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
  • Page 107 Table 23 Bridge (continued). Rapid Spanning Tree Protocol Setup, Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL. Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. 0 is the highest.
  • Page 109: Chapter 6 Wireless LAN

    Chapter 6 Wireless LAN. This chapter discusses how to configure wireless LAN on the ZyWALL. 6.1 Introduction. A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network, or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
  • Page 110: Security Parameters Summary

    Figure 29 ZyWALL Wireless Security Levels. If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator.
  • Page 111: WEP Encryption

    Table 24 Wireless Security Relational Matrix (continued), columns AUTHENTICATION METHOD/KEY MANAGEMENT PROTOCOL, ENCRYPTION METHOD, ENTER MANUAL KEY, IEEE 802.1X; row fragment: WPA-PSK Enable WPA-PSK TKIP Enable. 6.4 WEP Encryption. WEP (Wired Equivalent Privacy), as specified in the IEEE 802.11 standard, provides methods for both data encryption and wireless station authentication.
  • Page 112: Introduction to WPA

    6.7 Introduction to WPA. Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption. 6.7.1 User Authentication. WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database.
  • Page 113: WPA-PSK Application Example

    The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks, but it's still an improvement over WEP as it employs an easier-to-use, consistent, single, alphanumeric password.
  • Page 114: WPA with RADIUS Application Example

    Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your ZyWALL acts as a message relay between the wireless station and the network RADIUS server. 6.10 WPA with RADIUS Application Example. You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret.
  • Page 115: Configuring Wireless LAN

    The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. 6.12 Configuring Wireless LAN. Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your...
  • Page 116: Table 25 Wireless: No Security

    The following table describes the labels in this screen. Table 25 Wireless: No Security. Enable Wireless LAN: The wireless LAN is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security;...
  • Page 117: Static WEP

    Table 25 Wireless: No Security (continued). Security: Choose from one of the security settings listed in the drop-down box. • No Security • Static WEP • WPA-PSK • WPA • 802.1x + Dynamic WEP •...
  • Page 118: Figure 33 Wireless: Static WEP

    Figure 33 Wireless: Static WEP. The following table describes the wireless LAN security labels in this screen. Table 26 Wireless: Static WEP. Security: Select Static WEP from the drop-down list. WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
  • Page 119: WPA-PSK

    6.12.2 WPA-PSK. Select WPA-PSK from the Security list. Figure 34 Wireless: WPA-PSK. The following wireless LAN security fields become available when you select WPA-PSK in the Security drop-down list box. Table 27 Wireless: WPA-PSK. Security: Select WPA-PSK from the drop-down list.
  • Page 120: WPA

    Table 27 Wireless: WPA-PSK (continued). WPA Group Key Update Timer (Seconds): The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients.
  • Page 121: Dynamic WEP

    The following wireless LAN security fields become available when you select WPA in the Security drop-down list box. Table 28 Wireless: WPA. Security: Select WPA from the drop-down list. ReAuthentication Timer (Seconds): Specify how often wireless stations have to reenter user names and passwords in order to stay connected.
  • Page 122: Figure 36 Wireless: 802.1x + Dynamic WEP

    Figure 36 Wireless: 802.1x + Dynamic WEP. The following wireless LAN security fields become available when you select 802.1x + Dynamic WEP in the Security drop-down list box. Table 29 Wireless: 802.1x + Dynamic WEP LABEL...
  • Page 123: Static WEP

    6.12.5 802.1x + Static WEP. Select 802.1x + Static WEP from the Security list. Figure 37 Wireless: 802.1x + Static WEP. The following wireless LAN security fields become available when you select 802.1x + Static WEP in the Security drop-down list box.
  • Page 124: No WEP

    Table 30 Wireless: 802.1x + Static WEP (continued). Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
  • Page 125: Figure 38 Wireless: 802.1x + No WEP

    Figure 38 Wireless: 802.1x + No WEP. The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop-down list box. Table 31 Wireless: 802.1x + No WEP LABEL...
  • Page 126: No Access 802.1x + Static WEP

    6.12.7 No Access 802.1x + Static WEP. Select No Access 802.1x + Static WEP to deny all wireless stations access to your wired network and allow wireless stations to communicate with the ZyWALL using static WEP keys for data encryption.
  • Page 127: No Access 802.1x + No WEP

    Table 32 Wireless: No Access 802.1x + Static WEP (continued). Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
  • Page 128: Figure 40 MAC Address Filter

    Figure 40 MAC Address Filter. The following table describes the labels in this menu. Table 33 MAC Address Filter. Active: Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses.
  • Page 129: EAP Authentication Overview

    6.13.1 EAP Authentication Overview. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.
  • Page 131: Chapter 7 WAN Screens

    Chapter 7 WAN Screens. This chapter describes how to configure WAN settings. 7.1 WAN Overview. See Chapter 3 on page 75 for more information on the fields in the WAN screens. 7.2 Multiple WAN. You can use a second connection for load sharing to increase overall network throughput, or as a backup to enhance network reliability.
  • Page 132: Load Balancing Introduction

    7.3 Load Balancing Introduction. On the ZyWALL, load balancing is the process of dividing traffic loads between the two WAN interfaces (or ports). This allows you to improve quality of service and maximize bandwidth utilization. See also policy routing, which provides quality of service by dedicating a route to a specific traffic type, and bandwidth management, which reserves a set amount of bandwidth for a specific traffic type on an interface.
  • Page 133: Example 2

    Figure 42 Least Load First Example. If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below.
  • Page 134: Weighted Round Robin

    7.4.2 Weighted Round Robin. Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight.
  • Page 135: TCP/IP Priority (Metric)

    Figure 44 Spillover Algorithm Example. 7.5 TCP/IP Priority (Metric). The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1"...
  • Page 136: Figure 45 WAN General

    Figure 45 WAN General.
  • Page 137: Table 36 WAN General

    The following table describes the labels in this screen. Table 36 WAN General. Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN port (depending on the priorities you configure in the Route Priority fields).
  • Page 138: Configuring Load Balancing

    Table 36 WAN General (continued). Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN port's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN port's default gateway IP address.
  • Page 139: Weighted Round Robin

    Figure 46 Load Balancing: Least Load First. The following table describes the related fields in this screen. Table 37 Load Balancing: Least Load First. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
  • Page 140: Spillover

    Figure 47 Load Balancing: Weighted Round Robin. The following table describes the related fields in this screen. Table 38 Load Balancing: Weighted Round Robin. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
  • Page 141: WAN IP Address Assignment

    Figure 48 Load Balancing: Spillover. The following table describes the related fields in this screen. Table 39 Load Balancing: Spillover. Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
  • Page 142: DNS Server Address Assignment

    You can obtain your IP address from the IANA, from an ISP, or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 143: Configuring WAN Setup

    7.8 Configuring WAN Setup. To change your ZyWALL's WAN ISP, IP and MAC settings, click WAN, then the WAN1 or WAN2 tab. The screen differs by the encapsulation. Note: The WAN1 and WAN2 IP addresses must be on different subnets.
  • Page 144: Figure 49 WAN: Ethernet Encapsulation

    Figure 49 WAN: Ethernet Encapsulation. The following table describes the labels in this screen. Table 42 WAN: Ethernet Encapsulation. ISP Parameters for Internet Access, Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 145 Table 42 WAN: Ethernet Encapsulation (continued). Retype to Confirm: Type your password again to make sure that you have entered it correctly. Login Server IP: Type the authentication server IP address here if your ISP gave you one.
  • Page 146: PPPoE Encapsulation

    Table 42 WAN: Ethernet Encapsulation (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 147: Figure 50 WAN: PPPoE Encapsulation

    create and offer new IP services for individuals. Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task.
  • Page 148: Table 43 WAN: PPPoE Encapsulation

    The following table describes the labels in this screen. Table 43 WAN: PPPoE Encapsulation. ISP Parameters for Internet Access, Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e.
  • Page 149 Table 43 WAN: PPPoE Encapsulation. RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only.
  • Page 150: PPTP Encapsulation

    7.8.3 PPTP Encapsulation. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 151: Table 44 WAN: PPTP Encapsulation

    The following table describes the labels in this screen. Table 44 WAN: PPTP Encapsulation. ISP Parameters for Internet Access, Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 152 Table 44 WAN: PPTP Encapsulation. Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local...
  • Page 153: Traffic Redirect

    7.9 Traffic Redirect. Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
  • Page 154: Configuring Dial Backup

    Figure 54 Traffic Redirect. The following table describes the labels in this screen. Table 45 Traffic Redirect. Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
  • Page 155: Figure 55 Dial Backup Setup

    Figure 55 Dial Backup Setup.
  • Page 156: Table 46 Dial Backup Setup

    The following table describes the labels in this screen. Table 46 Dial Backup Setup. Dial Backup Setup, Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings, Login Name: Type the login name assigned by your ISP.
  • Page 157 Table 46 Dial Backup Setup (continued). Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving).
  • Page 158: Advanced Modem Setup

    Table 46 Dial Backup Setup (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 7.12 Advanced Modem Setup. 7.12.1 AT Command Strings. For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing.
  • Page 159: Figure 56 Advanced Setup

    Figure 56 Advanced Setup. The following table describes the labels in this screen. Table 47 Advanced Setup. AT Command Strings, Dial: Type the AT Command string to make a call. Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath"...
  • Page 160 Table 47 Advanced Setup (continued). Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
  • Page 161: Chapter 8 DMZ Screens

    Chapter 8 DMZ Screens. This chapter describes how to configure the ZyWALL’s DMZ. 8.1 DMZ Overview. The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 162: Figure 57 DMZ

    Figure 57 DMZ. The following table describes the labels in this screen. Table 48 DMZ. DMZ TCP/IP, IP Address: Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN and DMZ are on separate subnets.
  • Page 163: Configuring IP Alias

    Table 48 DMZ (continued). Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use.
  • Page 164: Figure 58 DMZ: IP Alias

    Figure 58 DMZ: IP Alias. The following table describes the labels in this screen. Table 49 DMZ: IP Alias. Enable IP Alias 1: Select the check box to configure another DMZ network for the ZyWALL.
  • Page 165: DMZ Public IP Address Example

    Table 49 DMZ: IP Alias (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 8.4 DMZ Public IP Address Example. The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN.
  • Page 166: Figure 60 DMZ Private and Public Address Example

    Configure both DMZ and DMZ IP alias to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses. Figure 60 DMZ Private and Public Address Example.
  • Page 167: Chapter 9 Firewalls

    Chapter 9 Firewalls. This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 9.1 Firewall Overview. Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 168: Stateful Inspection Firewalls

    1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
    2 Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 169: Denial of Service

    Figure 61 ZyWALL Firewall Application. 9.4 Denial of Service. Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so that users no longer have access to network resources.
  • Page 170: Types of DoS Attacks

    9.4.2 Types of DoS Attacks. There are four types of DoS attacks:
    1 Those that exploit bugs in a TCP/IP implementation.
    2 Those that exploit weaknesses in the TCP/IP specification.
    3 Brute-force attacks that flood a network with useless data.
  • Page 171: Figure 63 SYN Flood

    response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake.
  • Page 172: ICMP Vulnerability

    Figure 64 Smurf Attack. 9.4.2.1 ICMP Vulnerability. ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: Table 51 ICMP Commands That Trigger Alerts: REDIRECT, TIMESTAMP_REQUEST, TIMESTAMP_REPLY, ADDRESS_MASK_REQUEST, ADDRESS_MASK_REPLY. 9.4.2.2 Illegal Commands (NetBIOS and SMTP)
  • Page 173: Traceroute

    All SMTP commands are illegal except for those displayed in the following tables. Table 53 Legal SMTP Commands: AUTH, DATA, EHLO, ETRN, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, TURN, VRFY. 9.4.2.3 Traceroute. Traceroute is a utility used to determine the path a packet takes between two endpoints.
  • Page 174: Stateful Inspection Process

    Figure 65 Stateful Inspection. The previous figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN, and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.
  • Page 175: Stateful Inspection and the ZyWALL

    temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection. 8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
  • Page 176: UDP/ICMP Security

    If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.
  • Page 177: Guidelines for Enhancing Security with Your Firewall

    Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Services feature to do this. 9.6 Guidelines For Enhancing Security With Your Firewall. 1 Change the default password via SMT or web configurator.
  • Page 178: Firewall

    9.7.2 Firewall. • The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands the data in the packet intended for other layers, from the network layer (IP headers) up to the application layer.
  • Page 179: Chapter 10 Firewall Screens

    Chapter 10 Firewall Screens. This chapter shows you how to configure your ZyWALL firewall. 10.1 Access Methods. The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator.
  • Page 180: Rule Logic Overview

    This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computers on the WAN and/or managing the ZyWALL. • DMZ to LAN • DMZ to DMZ/ZyWALL: This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and/or managing the ZyWALL.
  • Page 181: Security Ramifications

    10.3.2 Security Ramifications Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For...
  • Page 182: Lan To Wan Rules

    LAN to LAN/ZyWALL, WAN to WAN/ZyWALL and DMZ to DMZ/ZyWALL rules apply to packets coming in on the associated interface (LAN, WAN, or DMZ respectively). LAN to LAN/ZyWALL means policies for LAN-to-ZyWALL (the policies for managing the ZyWALL through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
  • Page 183: Alerts

    Figure 67 WAN to LAN Traffic 10.5 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when a rule is matched in the Edit Rule screen (see...
  • Page 184: Figure 68 Default Rule (Router Mode)

    Figure 68 Default Rule (Router Mode) The following table describes the labels in this screen. Table 54 Default Rule (Router Mode) Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 185: Figure 69 Default Rule (Bridge Mode)

    Figure 69 Default Rule (Bridge Mode) The following table describes the labels in this screen. Table 55 Default Rule (Bridge Mode) Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 186: Rule Summary

    10.6.1 Rule Summary Note: The ordering of your rules is very important as rules are applied in turn. Click FIREWALL, then the Rule Summary tab to open the screen. Figure 70 Rule Summary The following table describes the labels in this screen.
  • Page 187: Configuring Firewall Rules

    Table 56 Rule Summary Destination Address: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
  • Page 188: Figure 71 Creating/Editing A Firewall Rule

    Figure 71 Creating/Editing A Firewall Rule
  • Page 189: Table 57 Creating/Editing A Firewall Rule

    The following table describes the labels in this screen. Table 57 Creating/Editing A Firewall Rule Edit Source/Destination Address. Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.168.1.50), a subnet or any IP address?
  • Page 190: Configuring Custom Services

    Table 57 Creating/Editing A Firewall Rule Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving. 10.6.3 Configuring Custom Services Configure customized ports for services not predefined by the ZyWALL (see Section 10.8 on...
  • Page 191: Figure 73 Rule Summary

    1 Click the FIREWALL link and then the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box. Figure 73 Rule Summary 2 In the Rule Summary screen, type the index number for where you want to put the rule.
  • Page 192: Figure 74 Rule Edit Example

    Figure 74 Rule Edit Example 6 In the Edit Rule screen, click Add under Custom Service to open the Edit Custom Service screen. Configure it as follows and click Apply. Figure 75 Edit Custom Service Example 7 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows.
  • Page 193: Figure 76 My Service Rule Configuration

    Figure 76 My Service Rule Configuration
  • Page 194: Predefined Services

    Figure 77 My Service Example Rule Summary Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. 10.8 Predefined Services The Available Services list box in the Edit Rule screen (see...
  • Page 195 Table 59 Predefined Services (continued) FINGER(TCP:79): Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP(TCP:20,21): File Transfer Protocol, a protocol to enable fast transfer of files, including large files that may not be possible by e-mail.
  • Page 196: Anti-Probing

    Table 59 Predefined Services (continued) RTELNET(TCP:107): Remote Telnet. RTSP(TCP/UDP:554): The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP(TCP:115): Simple File Transfer Protocol. SIP-V2(UDP:5060): The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
  • Page 197: Dos Thresholds

    Click FIREWALL, then the Anti-Probing tab to open the screen. Figure 78 Anti-Probing The following table describes the labels in this screen. Table 60 Anti-Probing Respond to PING: The ZyWALL does not respond to any incoming Ping requests when Disable is selected.
  • Page 198: Threshold Values

    10.10.1 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are: 1 The maximum number of opened sessions.
  • Page 199: Figure 79 Firewall Threshold

    Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the following methods: 1 If the Blocking Time timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-open session for the host for every new connection request to the host.
  • Page 200 Table 61 Firewall Threshold (continued) One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
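The half-open session handling from pages 199 and 200, as an added example (not the ZyWALL's code): TCP Maximum Incomplete is enforced per destination host, with a Blocking Time of 0 evicting the oldest half-open session for that host on every new request, and the One Minute High / One Minute Low pair switching rate-based eviction on and off. The behaviour for a non-zero Blocking Time (refuse new requests to that host until the timer expires), the 15-second half-open idle timeout and the flood traffic are assumptions made for the example.

```python
"""Half-open session policing modelled on the Firewall Threshold screen:
per-destination TCP Maximum Incomplete with Blocking Time, and the
One Minute High / Low rate thresholds. Added example. The behaviour for a
non-zero Blocking Time and the half-open idle timeout are assumptions."""
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class HalfOpenMonitor:
    def __init__(self, one_minute_high: int = 100, one_minute_low: int = 80,
                 tcp_max_incomplete: int = 30, blocking_time: float = 0.0,
                 half_open_timeout: float = 15.0) -> None:
        self.high = one_minute_high
        self.low = one_minute_low
        self.max_incomplete = tcp_max_incomplete
        self.blocking_time = blocking_time
        self.timeout = half_open_timeout                    # assumed: stale half-open entries age out
        self.half_open: Dict[Tuple[str, str], float] = {}   # (client, server) -> start time
        self.blocked_until: Dict[str, float] = {}           # server -> end of its blocking period
        self.attempts: Deque[float] = deque()               # new-attempt timestamps, last 60 s
        self.rate_deleting = False                          # hysteresis between High and Low

    def _age_out(self, now: float) -> None:
        for key, started in list(self.half_open.items()):
            if now - started > self.timeout:
                del self.half_open[key]
        while self.attempts and self.attempts[0] < now - 60.0:
            self.attempts.popleft()

    def _delete_oldest(self, server: Optional[str] = None) -> None:
        keys = [k for k in self.half_open if server is None or k[1] == server]
        if keys:
            del self.half_open[min(keys, key=self.half_open.get)]

    def new_attempt(self, client: str, server: str, now: float) -> str:
        """A SYN whose handshake has not completed yet. Returns the action taken."""
        self._age_out(now)
        self.attempts.append(now)
        rate = len(self.attempts)                 # new half-open sessions in the last minute
        if rate > self.high:
            self.rate_deleting = True             # above One Minute High: start deleting
        elif rate < self.low:
            self.rate_deleting = False            # below One Minute Low: stop deleting

        if now < self.blocked_until.get(server, 0.0):
            return "blocked"                      # host is inside its Blocking Time window

        per_host = sum(1 for k in self.half_open if k[1] == server)
        if per_host >= self.max_incomplete:       # TCP Maximum Incomplete reached for this host
            if self.blocking_time == 0:
                self._delete_oldest(server)       # default: evict the oldest for this host
            else:
                # assumed: refuse new requests to this host until Blocking Time expires
                self.blocked_until[server] = now + self.blocking_time
                return "blocked"
        elif self.rate_deleting:
            self._delete_oldest()                 # global rate too high: make room

        self.half_open[(client, server)] = now
        return "accepted"

    def established(self, client: str, server: str) -> None:
        """Handshake completed: the session is no longer half-open."""
        self.half_open.pop((client, server), None)


def simulate_syn_flood(blocking_time: float) -> Tuple[int, str, str, str]:
    """Constructed flood of 40 SYNs from distinct sources against one server,
    then a legitimate client at t=5 s and again at t=20 s.
    Returns (peak table size, outcome of the 31st SYN, legit at 5 s, legit at 20 s)."""
    mon = HalfOpenMonitor(tcp_max_incomplete=30, blocking_time=blocking_time)
    server, peak, outcomes = "10.0.0.10", 0, []
    for i in range(40):
        outcomes.append(mon.new_attempt(f"198.51.100.{i}", server, now=i * 0.01))
        peak = max(peak, len(mon.half_open))
    during = mon.new_attempt("192.0.2.7", server, now=5.0)
    after = mon.new_attempt("192.0.2.7", server, now=20.0)
    return peak, outcomes[30], during, after


def simulate_rate_limit() -> int:
    """25 attempts to 25 different servers within a minute, One Minute High = 20:
    once the rate is exceeded each new attempt evicts the oldest entry."""
    mon = HalfOpenMonitor(one_minute_high=20, one_minute_low=10, tcp_max_incomplete=30)
    for i in range(25):
        mon.new_attempt(f"198.51.100.{i}", f"10.0.0.{i}", now=i * 0.5)
    return len(mon.half_open)
```

Tune the thresholds against the firewall counters before lowering them: with a non-zero Blocking Time a flood against one server also locks out that server's legitimate clients for the blocking period, which is what the second return value of `simulate_syn_flood(10.0)` shows.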
  • Page 201: Content Filtering Screens

    Chapter 11 Content Filtering Screens. This chapter provides an overview of content filtering. 11.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or restrict specific websites. With content filtering, you can do the following: 11.1.1 Restrict Web Features...
  • Page 202: Figure 80 Content Filter : General

    Figure 80 Content Filter : General The following table describes the labels in this screen. Table 62 Content Filter : General General Setup. Enable Content Filter: Select this check box to enable the content filter.
  • Page 203 Table 62 Content Filter : General Cookies: Cookies are files stored on a computer’s hard drive. Some web servers use them to track usage and provide service based on ID. Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service.
  • Page 204: Content Filtering With An External Database

    11.3 Content Filtering with an External Database When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories.
  • Page 205: Figure 82 Content Filter : Categories

    Figure 82 Content Filter : Categories The following table describes the labels in this screen. Table 63 Content Filter: Categories Auto Category Setup. Enable External Database: Enable external database content filtering to have the ZyWALL check an...
  • Page 206 Table 63 Content Filter: Categories (continued) Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web...
  • Page 207 Table 63 Content Filter: Categories (continued) Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
  • Page 208 Table 63 Content Filter: Categories (continued) Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
  • Page 209 Table 63 Content Filter: Categories (continued) News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
  • Page 210 Table 63 Content Filter: Categories (continued) Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
  • Page 211: Customization

    Table 63 Content Filter: Categories (continued) Register: Click Register to go to a web site where you can register for category-based content filtering (using an external database). You can use a trial application or register your iCard’s PIN. Refer to the web site’s on-line help for details.
  • Page 212: Figure 83 Content Filter: Customization

    Figure 83 Content Filter: Customization The following table describes the labels in this screen. Table 64 Content Filter: Customization Web Site List Customization. Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.
  • Page 213 Table 64 Content Filter: Customization (continued) Trusted Web Sites: Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list. You can enter up to 32 entries.
  • Page 214: Customizing Keyword Blocking Url Checking

    11.6 Customizing Keyword Blocking URL Checking You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.
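The customization controls from pages 212 to 214 (trusted and forbidden site lists, keyword blocking, and the choice between checking only the domain or the complete URL), together with the category and unrated-page settings from pages 205 and 206, as an added example in Python; it is not ZyWALL code. The precedence order (trusted, then forbidden, then keyword, then category), the sub-domain matching rule, the in-memory rating table standing in for the external database, and the sample sites are assumptions made for the example.

```python
"""Trusted / forbidden site lists, keyword blocking with a configurable URL
scope, and category ratings with an unrated-page policy. Added example;
the rating table and the precedence order are assumptions."""
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit


def host_matches(host: str, listed: str) -> bool:
    """Exact host or any sub-domain of a listed site (assumed matching rule)."""
    host, listed = host.lower().rstrip("."), listed.lower().rstrip(".")
    return host == listed or host.endswith("." + listed)


class ContentFilter:
    def __init__(self, trusted: Iterable[str], forbidden: Iterable[str],
                 keywords: Iterable[str], blocked_categories: Iterable[str],
                 ratings: Dict[str, str], check_full_url: bool = False,
                 block_unrated: bool = False) -> None:
        self.trusted = list(trusted)
        self.forbidden = list(forbidden)
        self.keywords = [k.lower() for k in keywords]
        self.blocked_categories = set(blocked_categories)
        self.ratings = {h.lower(): c for h, c in ratings.items()}  # stands in for the external database
        self.check_full_url = check_full_url   # False: keywords are checked against the domain only
        self.block_unrated = block_unrated

    def decide(self, url: str) -> Tuple[str, str]:
        """Return ("allow"|"block", reason) for one requested URL."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        # 1. Trusted sites are always allowed, regardless of rating or keywords.
        if any(host_matches(host, t) for t in self.trusted):
            return "allow", "trusted"
        # 2. Forbidden sites are always blocked.
        if any(host_matches(host, f) for f in self.forbidden):
            return "block", "forbidden"
        # 3. Keyword blocking: domain only, or the complete URL (path and query too).
        haystack = url.lower() if self.check_full_url else host
        for kw in self.keywords:
            if kw in haystack:
                return "block", "keyword:" + kw
        # 4. Category rating from the (simulated) external database.
        category = self._lookup(host)
        if category is None:
            return ("block", "unrated") if self.block_unrated else ("allow", "unrated")
        if category in self.blocked_categories:
            return "block", "category:" + category
        return "allow", "category:" + category

    def _lookup(self, host: str) -> Optional[str]:
        # A rating applies to a site and its sub-domains.
        for rated, category in self.ratings.items():
            if host_matches(host, rated):
                return category
        return None


def make_filter(check_full_url: bool, block_unrated: bool) -> ContentFilter:
    """Constructed policy: a few list entries and ratings, not real data."""
    return ContentFilter(
        trusted=["intranet.example.com"],
        forbidden=["badsite.example"],
        keywords=["casino", "gambling"],
        blocked_categories={"Gambling", "Adult/Mature"},
        ratings={"news.example.org": "News/Media", "bets.example": "Gambling"},
        check_full_url=check_full_url,
        block_unrated=block_unrated,
    )
```

Note what the URL scope changes: with domain-only checking a news article whose path contains "casino" is allowed on the strength of its News/Media rating, while complete-URL checking blocks it on the keyword before the rating is ever consulted. Trusted entries bypass both, which is why that list deserves the same review as a firewall rule.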
  • Page 215: Content Filtering Cache

    11.7 Content Filtering Cache To view and configure your ZyWALL’s URL caching, click CONTENT FILTER, then the Cache tab. The screen appears as shown. You can use this screen to configure how long a categorized web site address remains in the cache as well as view those web site addresses to which access has been allowed or blocked based on the responses from the external content filtering server.
  • Page 216 Table 65 Content Filter: Cache (continued) Refresh: Click this button to reload the cache. This is the index number of a categorized web site address record. Action: This field shows whether access to the web site’s URL was blocked or allowed.
  • Page 217: Content Filtering Registration And Reports

    Chapter 12 Content Filtering Registration and Reports. This chapter describes how to register for content filtering and view content filtering reports. Before you activate content filtering, you must create an account at myZyXEL.com and register your device.
  • Page 218: A Note On Myzyxel.com Numbers

    12.1.1 A Note on myZyXEL.com Numbers You need the following (unique) numbers to register and activate device-specific feature(s). Table 66 myZyXEL.com Numbers Serial Number: You need the serial number to register your ZyXEL device. Locate the serial number on your ZyXEL device.
  • Page 219: Figure 86 Myzyxel.com Account Registration

    Figure 86 myZyXEL.com Account Registration 4 A screen appears indicating you have created an account at myZyXEL.com. Figure 87 Account Registration Successful 5 You will receive a confirmation e-mail. Click the URL in the e-mail to activate your account.
  • Page 220: Registering Your Zyxel Device

    Figure 88 Account Confirmation E-Mail 6 Click Continue to go to the myZyXEL.com login screen. Figure 89 myZyXEL.com Account Activation 12.3 Registering Your ZyXEL Device 1 After you have created a myZyXEL.com account, log in and register your ZyXEL device by clicking the hyperlink as shown in the next screen.
  • Page 221: Figure 90 Logged Into Myzyxel.com

    Figure 90 Logged Into myZyXEL.com Click here to register a new product. 2 Click Add in the next screen. Figure 91 Product Registration 3 The Add New Product screen displays. Enter the product serial number in the Serial Number field.
  • Page 222: Figure 92 Add New Product

    Figure 92 Add New Product Your ZyXEL device’s MAC address may already be entered here. 8 Specify the purchase information and click Continue. Figure 93 Product Survey 9 Click Continue again. 10 After you have registered your ZyXEL device, you can view its registration details in the screen shown next.
  • Page 223: Content Filtering Registration

    Figure 94 Service Management 12.4 Content Filtering Registration 1 In your ZyXEL device’s web configurator, click CONTENT FILTER, Categories and then the Register button. The following screen opens. 2 Enter the user name and password from your myZyXEL.com account (see...
  • Page 224: Figure 96 Myzyxel.com: Service Management

    Figure 96 myZyXEL.com: Service Management. 6 Enter the PIN code exactly as shown on your iCard (you do not enter a PIN if you are registering for the trial period) in the License Key (PIN code) field.
  • Page 225: Checking Content Filtering Activation

    Figure 98 Service Registration: Successful Figure 99 Service Management: Service Registered 9 You can go on to update your product registration information, view content filtering reports or click LOGOUT at any time to exit myZyXEL.com. 12.5 Checking Content Filtering Activation After you register for content filtering, the web site displays a registration successful web page.
  • Page 226: Updating Product Registration Information

    3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button. When content filtering is active, you should see an access blocked or access forwarded message.
  • Page 227: Figure 100 Cerberian Login Screen

    Figure 100 Cerberian Login Screen 2 Enter your ZyXEL device's MAC address (in lower case) in the Name field. Type the password that you configured during account registration at myZyXEL.com. 3 Click Reports. Figure 101 Content Filtering Reports Main Screen Note: The ZyWALL does not support Single User Reports at the time of writing.
  • Page 228: Configuration File

    Figure 102 Global Report Screen Example 6 Click a category to see the URLs that were requested. Figure 103 Requested URLs Example 12.8 Configuration File If you restore the ZyWALL to the default rom file or upload a different rom file after you...
  • Page 229: Chapter 13 Introduction To Ipsec

    Chapter 13 Introduction to IPSec. This chapter introduces the basics of IPSec VPNs. 13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 230: Data Confidentiality

    Figure 104 Encryption and Decryption 13.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. 13.1.3.3 Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 231: Ipsec Architecture

    13.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 105 IPSec Architecture 13.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 232: Transport Mode

    Figure 106 Transport and Tunnel Mode IPSec Encapsulation 13.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 233: Table 67 Vpn And Nat

    NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
  • Page 235: Chapter 14 Vpn Screens

    Chapter 14 VPN Screens. This chapter introduces the VPN Web Configurator. See Chapter 24 on page 387 for information on viewing logs and Appendix R on page 677 for IPSec log descriptions. 14.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 236: My Zywall

    Table 68 ESP and AH Encryption DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data. 3DES...
  • Page 237: Dynamic Remote Gateway Address

    You can also enter a remote secure gateway’s domain name in the Remote Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
  • Page 238: Nat Traversal Configuration

    Figure 107 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN.
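Why NAT breaks AH but not ESP (pages 232, 233 and 238), as an added example with a constructed key and packet, not code from the user's guide: the AH integrity check value is computed over the IP header with only the mutable fields (TTL, header checksum) zeroed, so the source and destination addresses are authenticated and a NAT rewrite invalidates the ICV in both transport and tunnel mode; the ESP ICV covers only the SPI, sequence number and payload, so the outer header can be rewritten freely. Encryption is left out because it does not affect what is authenticated; HMAC-SHA-1-96 (RFC 2404) is used for both ICVs.

```python
"""Why AH fails through NAT and ESP does not: the AH integrity check value
covers the IP header (source and destination addresses included), the ESP
ICV covers only the ESP header and payload. Added example with a constructed
key and packet; encryption is omitted, the point is what the ICV covers."""
import hashlib
import hmac
import struct
from typing import Tuple

SA_KEY = b"constructed-demo-authentication-key"   # stands in for the SA's HMAC key


def inet(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, inet(src), inet(dst))


def nat_rewrite(ip_hdr: bytes, new_src: str, ttl: int) -> bytes:
    """What a NAT router does on the way out: new source address, decremented TTL."""
    return ip_hdr[:8] + bytes([ttl]) + ip_hdr[9:12] + inet(new_src) + ip_hdr[16:]


def hmac_sha1_96(data: bytes) -> bytes:
    return hmac.new(SA_KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA-1-96, RFC 2404


# --- AH (IP protocol 51): ICV over the IP header with mutable fields zeroed ---
def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    # TTL (byte 8) and header checksum (bytes 10-11) change in transit and are
    # zeroed before hashing; the addresses (bytes 12-19) are NOT mutable, so a
    # NAT rewrite changes the hashed input and the ICV no longer verifies.
    immutable = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    return hmac_sha1_96(immutable + payload)


def ah_send(src: str, dst: str, payload: bytes) -> Tuple[bytes, bytes, bytes]:
    hdr = ipv4_header(src, dst, 51)
    return hdr, payload, ah_icv(hdr, payload)


def ah_verify(hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(hdr, payload), icv)


# --- ESP (IP protocol 50): ICV over SPI, sequence number and (encrypted) payload ---
def esp_send(src: str, dst: str, spi: int, seq: int, payload: bytes) -> Tuple[bytes, bytes, bytes]:
    hdr = ipv4_header(src, dst, 50)
    body = struct.pack("!II", spi, seq) + payload     # encryption of the payload omitted
    return hdr, body, hmac_sha1_96(body)


def esp_verify(hdr: bytes, body: bytes, icv: bytes) -> bool:
    # The outer IP header is not part of the authenticated data, so it is not checked.
    return hmac.compare_digest(hmac_sha1_96(body), icv)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (AH ok before NAT, AH ok after NAT, ESP ok before NAT, ESP ok after NAT)."""
    inner = b"constructed inner IP packet (tunnel mode) or TCP segment (transport mode)"
    hdr, payload, icv = ah_send("192.168.1.1", "203.0.113.9", inner)
    ah_before = ah_verify(hdr, payload, icv)
    ah_after = ah_verify(nat_rewrite(hdr, "198.51.100.7", ttl=63), payload, icv)

    hdr, body, icv = esp_send("192.168.1.1", "203.0.113.9", spi=0x1000, seq=1, payload=inner)
    esp_before = esp_verify(hdr, body, icv)
    esp_after = esp_verify(nat_rewrite(hdr, "198.51.100.7", ttl=63), body, icv)
    return ah_before, ah_after, esp_before, esp_after
```

NAT traversal (page 238) builds on this: the ESP packet is wrapped in a UDP header that the NAT can rewrite, and the ICV still verifies. One caveat for transport mode: the TCP or UDP checksum inside the ESP payload was computed over the original addresses, so ESP transport mode through NAT additionally needs the receiver to fix up or ignore that checksum; in tunnel mode the inner packet keeps its private addresses end to end and has no such problem.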
  • Page 239: Id Type And Content Examples

    between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see Section 14.12.2 on page 251). The ID type and content act as an extra level of identification for incoming SAs.
  • Page 240: Ike Phases

    Table 71 Mismatching ID Type and Content Configuration Example. ZyWALL A: Peer ID type: IP; Peer ID content: 1.1.1.2. ZyWALL B: Peer ID type: E-mail; Peer ID content: tom@yourcompany.com. The two ZyWALLs in this example cannot complete their negotiation: the Local ID that one side presents must match the Peer ID type and content that the other side is configured to expect, and here one ZyWALL expects an IP address while the other expects an e-mail address, so the IDs do not match.
  • Page 241: Negotiation Mode

    • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). • Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires.
  • Page 242: Diffie-Hellman (Dh) Key Groups

    14.8.3 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 –...
  • Page 243: Icons Key

    14.10 Icons Key The following table describes the icons used in the VPN screens. Table 73 VPN screen Icons Key ICON DESCRIPTION This represents your ZyWALL. This represents the remote secure gateway. This represents the local network.
  • Page 244: Ike Vpn Rule Summary Screen

    Figure 109 Gateway and Network Policies This figure helps explain the main fields in the VPN setup. Figure 110 IPSec Fields Summary Note: Local and remote network IP addresses must be static. 14.12 IKE VPN Rule Summary Screen Click VPN to display the VPN Rules (IKE) screen.
  • Page 245: Configuring An Ike Gateway Policy

    Figure 111 VPN Rules (IKE) Note: The Recycle Bin gateway policy is a virtual placeholder for any network policy(ies) without an associated gateway policy. When there is a network policy in the Recycle Bin, the Recycle Bin gateway policy automatically displays in this screen.
  • Page 246: Figure 112 Vpn Rules (Ike): Gateway Policy: Edit

    Figure 112 VPN Rules (IKE): Gateway Policy: Edit
  • Page 247: Table 74 Vpn Rules (Ike): Gateway Policy: Edit

    The following table describes the labels in this screen. Table 74 VPN Rules (IKE): Gateway Policy: Edit Property. Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 248 Table 74 VPN Rules (IKE): Gateway Policy: Edit (continued) Pre-Shared Key: Select the Pre-Shared Key radio button and type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation.
  • Page 249 Table 74 VPN Rules (IKE): Gateway Policy: Edit (continued) Content: The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Key to Pre-shared Key. •...
  • Page 250 Table 74 VPN Rules (IKE): Gateway Policy: Edit (continued) User Name: Enter a user name for your ZyWALL to be authenticated by the VPN peer (in server mode). The user name can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
  • Page 251: Configuring An Ike Network Policy

    Table 74 VPN Rules (IKE): Gateway Policy: Edit (continued) Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. 14.12.2 Configuring an IKE Network Policy...
  • Page 252: Figure 113 Vpn Rules (Ike): Network Policy Edit

    Figure 113 VPN Rules (IKE): Network Policy Edit
  • Page 253: Table 75 Vpn Rules (Ike): Network Policy Edit

    The following table describes the labels in this screen. Table 75 VPN Rules (IKE): Network Policy Edit Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 254 Table 75 VPN Rules (IKE): Network Policy Edit (continued) Starting IP Address: When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 255: Associating A Network Policy To A Gateway Policy

    Table 75 VPN Rules (IKE): Network Policy Edit (continued) Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 256: Manual Vpn Rule Summary Screen

    Figure 114 VPN Rules (IKE): Network Policy Move The following table describes the labels in this screen. Table 76 VPN Rules (IKE): Network Policy Move Network Policy: The following fields display the general network settings of this VPN policy.
  • Page 257: Figure 115 Vpn Rule (Manual)

    Refer to Table 73 on page 243 for descriptions of the icons used in this screen. Figure 115 VPN Rule (Manual) The following table describes the labels in this screen. Table 77 VPN Rules (Manual) LABEL DESCRIPTION This is the VPN policy index number.
  • Page 258: Editing Manual Vpn Rules

    Table 77 VPN Rules (Manual) (continued) Remote Gateway Address: This is the static WAN IP address or domain name of the remote IPSec router. Modify: Click the edit icon to edit the VPN policy.
  • Page 259: Figure 116 Vpn Rules (Manual): Edit

    Figure 116 VPN Rules (Manual): Edit The following table describes the labels in this screen. Table 78 VPN Rules (Manual) Edit Property. Active: Select this check box to activate this VPN policy. Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 260 Table 78 VPN Rules (Manual) Edit (continued) Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same.
  • Page 261 Table 78 VPN Rules (Manual) Edit (continued) My ZyWALL: Enter the WAN IP address or domain name of your ZyWALL or leave the field set to 0.0.0.0. The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup.
  • Page 262: Viewing Sa Monitor

    Table 78 VPN Rules (Manual) Edit (continued) Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. 14.14 Viewing SA Monitor In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and manage active VPN connections.
  • Page 263: Configuring Global Setting

    14.15 Configuring Global Setting To change your ZyWALL’s global settings, click VPN, then the Global Setting tab. The screen appears as shown. Figure 118 VPN: Global Setting The following table describes the labels in this screen.
  • Page 264: Telecommuter Vpn/Ipsec Examples

    14.16 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address.
  • Page 265: Figure 120 Telecommuters Using Unique Vpn Rules Example

    With aggressive negotiation mode (see Section 14.8.1 on page 241), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters.
  • Page 266: Vpn And Remote Management

    Table 82 Telecommuters Using Unique VPN Rules Example. Telecommuter B (telecommuterb.dydns.org): Local ID Type: DNS; Local ID Content: telecommuterb.com; Local IP Address: 192.168.3.2. Headquarters ZyWALL, Rule 2: Peer ID Type: DNS; Peer ID Content: telecommuterb.com; Remote Gateway Address: telecommuterb.dydns.org...
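ID matching (pages 239 and 240) and rule selection for telecommuters with dynamic addresses (pages 237 and 264 to 266), as an added example that is not ZyWALL code: `phase1_id_check` applies the rule that each gateway's Local ID must equal the other's configured Peer ID in both type and content, and `select_rule` shows why aggressive mode, which carries the identity in the first exchange, lets headquarters keep one rule per telecommuter while main mode can only go by the peer's address. The headquarters address, Telecommuter A, the road-warrior rule, the current DDNS resolutions and ZyWALL A's Local ID are constructed; Rule 2 and Telecommuter B follow Table 82 and the mismatch case follows Table 71.

```python
"""IKE identification: each gateway's Local ID must equal the other's Peer ID
(type and content), and in aggressive mode the identity travels in the first
exchange, so a gateway with several dynamic-address peers can pick the right
rule by ID. Added example; telecommuter A, the road-warrior rule, the DDNS
resolutions and the headquarters address are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IkeId:
    id_type: str      # "IP", "DNS" or "E-mail"
    content: str


@dataclass
class GatewayPolicy:
    name: str
    local_id: IkeId
    peer_id: IkeId
    remote_gateway: str         # IP address, DDNS name, or "0.0.0.0" when not known in advance
    negotiation_mode: str       # "main" or "aggressive"


def ids_equal(presented: IkeId, expected: IkeId) -> bool:
    """Type must match exactly; DNS names compare case-insensitively, other contents exactly."""
    if presented.id_type != expected.id_type:
        return False
    if presented.id_type == "DNS":
        return presented.content.lower() == expected.content.lower()
    return presented.content == expected.content


def phase1_id_check(a: GatewayPolicy, b: GatewayPolicy) -> Tuple[bool, str]:
    """Both directions must agree, otherwise the IPSec log reports an ID mismatch."""
    if not ids_equal(a.local_id, b.peer_id):
        return False, f"{b.name} expects peer {b.peer_id}, {a.name} presents {a.local_id}"
    if not ids_equal(b.local_id, a.peer_id):
        return False, f"{a.name} expects peer {a.peer_id}, {b.name} presents {b.local_id}"
    return True, "ID OK"


def select_rule(rules: List[GatewayPolicy], peer_addr: str, presented_id: Optional[IkeId],
                mode: str, dns: Dict[str, str]) -> Optional[GatewayPolicy]:
    """Headquarters picks the gateway policy for an incoming phase-1 proposal.
    Candidates are rules whose Remote Gateway Address currently resolves to the
    peer's address, plus 0.0.0.0 rules. In main mode the ID is only sent after the
    exchange is keyed, so the address is all there is to go on; in aggressive mode
    the ID arrives in the first message and can select among the candidates.
    More than one remaining candidate is ambiguous, so nothing is selected."""
    def resolves_to(rule: GatewayPolicy) -> str:
        return dns.get(rule.remote_gateway, rule.remote_gateway)   # constructed DDNS lookup

    candidates = [r for r in rules if r.negotiation_mode == mode
                  and resolves_to(r) in (peer_addr, "0.0.0.0")]
    if mode == "aggressive" and presented_id is not None:
        candidates = [r for r in candidates if ids_equal(presented_id, r.peer_id)]
    return candidates[0] if len(candidates) == 1 else None


def table71_example() -> Tuple[bool, str]:
    """Table 71: ZyWALL A expects an IP peer ID, ZyWALL B expects an e-mail peer ID.
    ZyWALL A's Local ID (IP 1.1.1.1) is constructed; it is not shown in the table."""
    a = GatewayPolicy("ZyWALL A", IkeId("IP", "1.1.1.1"), IkeId("IP", "1.1.1.2"), "1.1.1.2", "main")
    b = GatewayPolicy("ZyWALL B", IkeId("IP", "1.1.1.2"), IkeId("E-mail", "tom@yourcompany.com"), "1.1.1.1", "main")
    return phase1_id_check(a, b)


def hq_rules(mode: str) -> List[GatewayPolicy]:
    hq = IkeId("IP", "203.0.113.1")                                   # constructed headquarters WAN address
    return [
        GatewayPolicy("Rule 1", hq, IkeId("DNS", "telecommutera.com"), "telecommutera.dydns.org", mode),  # constructed
        GatewayPolicy("Rule 2", hq, IkeId("DNS", "telecommuterb.com"), "telecommuterb.dydns.org", mode),  # Table 82
        GatewayPolicy("Rule 3", hq, IkeId("DNS", "roadwarrior.example"), "0.0.0.0", mode),                # constructed
    ]


def telecommuter_example() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Telecommuter B connects from its current dynamic address presenting its DNS ID.
    Returns the rule chosen in aggressive mode, in main mode, and in aggressive mode
    while the DDNS record still points at B's previous address."""
    dns = {"telecommutera.dydns.org": "198.51.100.20", "telecommuterb.dydns.org": "198.51.100.21"}
    b_id = IkeId("DNS", "TELECOMMUTERB.COM")
    aggressive = select_rule(hq_rules("aggressive"), "198.51.100.21", b_id, "aggressive", dns)
    main = select_rule(hq_rules("main"), "198.51.100.21", None, "main", dns)
    stale_ddns = select_rule(hq_rules("aggressive"), "198.51.100.99", b_id, "aggressive", dns)
    return (aggressive.name if aggressive else None,
            main.name if main else None,
            stale_ddns.name if stale_ddns else None)
```

The third result is the DDNS delay from page 237 seen from headquarters: until the DDNS record catches up with Telecommuter B's new address, Rule 2 is not a candidate at all, and the only address-independent rule expects a different ID, so the tunnel cannot be rebuilt yet.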
  • Page 267: Chapter 15 Certificates

    Chapter 15 Certificates. This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 268: Advantages Of Certificates

    Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 269: My Certificates

    15.4 My Certificates Click CERTIFICATES, My Certificates to open the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure. Figure 122 My Certificates The following table describes the labels in this screen.
  • Page 270: Certificate File Formats

    Table 83 My Certificates (continued) Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
  • Page 271: Importing A Certificate

    • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
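The two file formats from page 271 and the CRL check from page 268, as an added example (not ZyWALL code): PEM is the binary (DER) certificate Base-64 encoded between armour lines, so converting between the two is a decode or an encode; a small DER walker then reads the serial number out of the certificate, which is what a CRL lists. The certificate used is a constructed skeleton containing only a version, a serial number and a signature-algorithm OID, so the functions can be exercised offline; it is not a valid certificate and carries no signature.

```python
"""PEM <-> binary (DER) X.509 conversion, a minimal DER walker that pulls
the serial number out of a certificate, and a revocation check against a
set of CRL serials. Added example; the certificate is a constructed
skeleton (version, serial, signature algorithm only), not a real one."""
import base64
import re
from typing import Iterable, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the armour lines and Base-64 decode; whitespace inside the body is ignored."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one tag-length-value element; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der: bytes) -> int:
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }: walk down to the INTEGER and decode it."""
    tag, cert, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, tbs, _ = der_tlv(cert)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = der_tlv(tbs)
    if tag == 0xA0:                       # explicit [0] version present (v2/v3 certificates)
        tag, value, pos = der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def is_revoked(der: bytes, crl_serials: Iterable[int]) -> bool:
    """A CRL lists the serials of the issuer's revoked certificates. A real check
    also confirms the CRL's issuer and signature match the certificate's issuer."""
    return certificate_serial(der) in set(crl_serials)


# --- constructed skeleton certificate, only for exercising the functions above ---
def der_encode(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def skeleton_certificate(serial: int) -> bytes:
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))             # [0] EXPLICIT INTEGER 2 (v3)
    # DER INTEGER is two's complement; the extra byte keeps serials with the top bit set positive.
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption OID
    tbs = der_encode(0x30, version + der_encode(0x02, serial_bytes) + sig_alg)
    return der_encode(0x30, tbs)
```

A revocation decision needs more than the serial: serials are only unique per issuer, so a real check confirms that the CRL was issued and signed by the certificate's issuer and that the CRL itself is current before trusting its contents.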
  • Page 272: Creating A Certificate

    The following table describes the labels in this screen. Table 84 My Certificate Import File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 273: Table 85 My Certificate Create

    ZyWALL 70 User’s Guide The following table describes the labels in this screen. Table 85 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information Use these fields to record information that identifies the owner of the certificate.
  • Page 274: My Certificate Details

    ZyWALL 70 User’s Guide Table 85 My Certificate Create (continued) LABEL DESCRIPTION Enrollment Protocol Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco.
  • Page 275: Figure 125 My Certificate Details

    ZyWALL 70 User’s Guide Figure 125 My Certificate Details Chapter 15 Certificates...
  • Page 276: Table 86 My Certificate Details

    The following table describes the labels in this screen. Table 86 My Certificate Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
  • Page 277: Trusted CAs

    Table 86 My Certificate Details (continued). Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
  • Page 278: Figure 126 Trusted CAs

    Figure 126 Trusted CAs The following table describes the labels in this screen. Table 87 Trusted CAs. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 279: Importing a Trusted CA’s Certificate

    Table 87 Trusted CAs (continued). CRL Issuer: This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate’s details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority.
  • Page 280: Trusted CA Certificate Details

    The following table describes the labels in this screen. Table 88 Trusted CA Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 281: Figure 128 Trusted CA Details

    Figure 128 Trusted CA Details The following table describes the labels in this screen. Table 89 Trusted CA Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 282 Table 89 Trusted CA Details (continued). Certification Path: Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
  • Page 283: Trusted Remote Hosts

    Table 89 Trusted CA Details (continued). CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
  • Page 284: Figure 129 Trusted Remote Hosts

    Figure 129 Trusted Remote Hosts The following table describes the labels in this screen. Table 90 Trusted Remote Hosts. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 285: Verifying a Trusted Remote Host’s Certificate

    Table 90 Trusted Remote Hosts (continued). Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL. Refresh: Click this button to display the current validity status of the certificates.
  • Page 286: Importing a Trusted Remote Host’s Certificate

    Figure 131 Certificate Details Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields. 15.14 Importing a Trusted Remote Host’s Certificate Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen.
  • Page 287: Trusted Remote Host Certificate Details

    Figure 132 Trusted Remote Host Import The following table describes the labels in this screen. Table 91 Trusted Remote Host Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 288: Figure 133 Trusted Remote Host Details

    Figure 133 Trusted Remote Host Details The following table describes the labels in this screen. Table 92 Trusted Remote Host Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 289 Table 92 Trusted Remote Host Details (continued). Certificate Information: These read-only fields display detailed information about the certificate. Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate.
  • Page 290: Directory Servers

    Table 92 Trusted Remote Host Details (continued). Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
  • Page 291: Add or Edit a Directory Server

    The following table describes the labels in this screen. Table 93 Directory Servers. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached.
  • Page 292: Table 94 Directory Server Add

    The following table describes the labels in this screen. Table 94 Directory Server Add. Directory Service Setting. Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
  • Page 293: Authentication Server

    CHAPTER 16 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 294: Figure 136 Local User Database

    Figure 136 Local User Database
  • Page 295: Configuring RADIUS

    The following table describes the labels in this screen. Table 95 Local User Database. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile.
  • Page 296: Table 96 RADIUS

    The following table describes the labels in this screen. Table 96 RADIUS. Authentication Server. Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
  • Page 297: Network Address Translation (NAT)

    CHAPTER 17 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 17.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 298: What NAT Does

    17.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
  • Page 299: NAT Application

    Figure 138 How NAT Works 17.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • Page 300: Port Restricted Cone NAT

    17.1.5 Port Restricted Cone NAT Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following example, the ZyWALL maps the source address of all packets sent from internal IP address 1 and port A to IP address 2 and port B on the external network.
  • Page 301: Using NAT

    • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.
  • Page 302: Configuring NAT Overview

    17.3 Configuring NAT Overview Click NAT to open the NAT Overview screen shown next. Figure 141 NAT Overview The following table describes the labels in this screen. Table 99 NAT Overview. Global Settings. Max. Concurrent...
  • Page 303: Configuring Address Mapping

    Table 99 NAT Overview (continued). Enable NAT: Select this check box to turn on the NAT feature for the WAN port. Clear this check box to turn off the NAT feature for the WAN port.
  • Page 304: Figure 142 Address Mapping

    Figure 142 Address Mapping The following table describes the labels in this screen. Table 100 Address Mapping. SUA Address Mapping Rules: This read-only table displays the default address mapping rules. Full Feature Address Mapping Rules. WAN Interface: Select the WAN port for which you want to view or configure address mapping rules.
  • Page 305: Address Mapping Edit

    Table 100 Address Mapping (continued). Global Start IP: This refers to the Inside Global IP Address (IGA), that is, the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
  • Page 306: Port Forwarding

    The following table describes the labels in this screen. Table 101 Address Mapping Edit. Type: Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address.
  • Page 307: Default Server IP Address

    17.5.1 Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen. Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 308: NAT and Multiple WAN

    Figure 144 Multiple Servers Behind NAT Example 17.5.4 NAT and Multiple WAN The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port.
  • Page 309: Configuring Port Forwarding

    Figure 145 Port Translation Example 17.6 Configuring Port Forwarding Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 310: Figure 146 Port Forwarding

    Figure 146 Port Forwarding The following table describes the labels in this screen. Table 103 Port Forwarding. WAN Interface: Select the WAN port for which you want to view or configure address mapping rules.
  • Page 311: Configuring Trigger Port

    Table 103 Port Forwarding. Server IP Address: Enter the inside IP address of the server here. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 312: Figure 148 Port Triggering

    4 The ZyWALL forwards the traffic to Jane’s computer IP address. 5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
  • Page 313 Table 104 Port Triggering. Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
  • Page 314 Chapter 17 Network Address Translation (NAT)
  • Page 315: Chapter 18 Static Route

    CHAPTER 18 Static Route This chapter shows you how to configure static routes for your ZyWALL. 18.1 Static Route Overview Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 316: Figure 150 IP Static Route

    Note: The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address. Figure 150 IP Static Route The following table describes the labels in this screen. Table 105 IP Static Route...
  • Page 317: Configuring a Static Route Entry

    18.2.1 Configuring a Static Route Entry Select a static route index number and click Edit. The screen shown next appears. Fill in the required information for each static route. Figure 151 Edit IP Static Route The following table describes the labels in this screen.
  • Page 318 Chapter 18 Static Route...
  • Page 319: Chapter 19 Policy Route

    CHAPTER 19 Policy Route This chapter covers setting and applying policies used for IP routing. 19.1 Introduction to IP Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 320: IP Routing Policy Setup

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. 19.4 IP Routing Policy Setup Click POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown).
  • Page 321: Configuring the IP Policy Route Entry

    Table 107 Policy Route Setup. Source Address/Port: This is the source IP address range and/or port number range. Destination Address/Port: This is the destination IP address range and/or port number range. Gateway: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port.
  • Page 322: Figure 153 Edit IP Policy Route

    Figure 153 Edit IP Policy Route The following table describes the labels in this screen. Table 108 Edit IP Policy Route. Criteria. Active: Select the check box to activate the policy. Rule Index: This is the index number of the policy route.
  • Page 323 Table 108 Edit IP Policy Route (continued). Packet Length: Type a length of packet (in bytes). The operators in the Len Compare field apply to incoming packets of this length. Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
  • Page 324 Chapter 19 Policy Route...
  • Page 325: Chapter 20 Bandwidth Management

    CHAPTER 20 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 20.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic.
  • Page 326: Proportional Bandwidth Allocation

    20.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 20.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).
  • Page 327: Scheduler

    Table 109 Application and Subnet-based Bandwidth Management Example (continued). Columns: TRAFFIC TYPE, FROM SUBNET A, FROM SUBNET B. [traffic type not recovered from the page]: 64 Kbps, 64 Kbps. E-mail: 64 Kbps, 64 Kbps. Video: 64 Kbps, 64 Kbps. 20.7 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based.
  • Page 328: Reserving Bandwidth for Non-Bandwidth Class Traffic

    20.8.1 Reserving Bandwidth for Non-Bandwidth Class Traffic Do the following three steps to configure the ZyWALL to allow bandwidth for traffic that is not defined in a bandwidth filter. 1 Leave some of the interface’s bandwidth unbudgeted.
  • Page 329: Fairness-Based Allotment of Unused and Unbudgeted Bandwidth

    Suppose that all of the classes except for the administration class need more bandwidth. • Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps. • The sales and marketing classes are first to get extra bandwidth because they have the highest priority (6).
  • Page 330: Bandwidth Borrowing Example

    The total of the bandwidth allotments for sub-classes cannot exceed the bandwidth allotment of their parent class. The ZyWALL uses the scheduler to divide a parent class’s unused bandwidth among the sub-classes. 20.9.1 Bandwidth Borrowing Example Here is an example of bandwidth management with classes configured for bandwidth borrowing.
  • Page 331: Configuring Summary

    2 The ZyWALL assigns a parent class’s unused bandwidth to its sub-classes that have more traffic than their budgets and have bandwidth borrowing enabled. The ZyWALL gives priority to sub-classes of higher priority and treats classes of the same priority equally.
  • Page 332: Configuring Class Setup

    Table 114 Bandwidth Management: Summary (continued). Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface’s root class (see Section 20.11 on page...
  • Page 333: Figure 156 Bandwidth Management: Class Setup

    Figure 156 Bandwidth Management: Class Setup The following table describes the labels in this screen. Table 115 Bandwidth Management: Class Setup. Interface: Select an interface from the drop-down list box for which you wish to set up classes.
  • Page 334: Bandwidth Manager Class Configuration

    Table 115 Bandwidth Management: Class Setup (continued). Destination IP Address: This is the destination IP address for connections to which this bandwidth management filter applies. Destination Port: This is the destination port for connections to which this bandwidth management filter applies.
  • Page 335: Figure 157 Bandwidth Management: Edit Class

    Figure 157 Bandwidth Management: Edit Class The following table describes the labels in this screen. Table 116 Bandwidth Management: Edit Class. Class Configuration. Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 336 Table 116 Bandwidth Management: Edit Class (continued). Filter Configuration. Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
  • Page 337: Bandwidth Management Statistics

    Table 116 Bandwidth Management: Edit Class (continued). Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table 117 Services and Port Numbers SERVICES...
  • Page 338: Configuring Monitor

    Figure 158 Bandwidth Management: Statistics The following table describes the labels in this screen. Table 118 Bandwidth Management: Statistics. Class Name: This field displays the name of the class the statistics page is showing.
  • Page 339: Figure 159 Bandwidth Management: Monitor

    Figure 159 Bandwidth Management: Monitor The following table describes the labels in this screen. Table 119 Bandwidth Management: Monitor. Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
  • Page 340 Chapter 20 Bandwidth Management...
  • Page 341: Chapter 21 DNS

    CHAPTER 21 DNS This chapter shows you how to configure the DNS screens. 21.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 342: Address Record

    21.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel”...
  • Page 343: System Screen

    Figure 160 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
  • Page 344: Adding an Address Record

    The following table describes the labels in this screen. Table 120 System DNS. Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.
  • Page 345: Inserting a Name Server Record

    Figure 162 System DNS: Add Address Record The following table describes the labels in this screen. Table 121 System DNS: Add Address Record. FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name.
  • Page 346: Figure 163 System DNS: Insert Name Server Record

    Figure 163 System DNS: Insert Name Server Record The following table describes the labels in this screen. Table 122 System DNS: Insert Name Server Record. Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain...
  • Page 347: DNS Cache

    21.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period.
  • Page 348: Configuring DNS LAN

    Table 123 DNS Cache. DNS Cache Setup. Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
  • Page 349: Figure 165 DNS LAN

    Figure 165 DNS LAN The following table describes the labels in this screen. Table 124 DNS LAN. DNS Servers Assigned by DHCP: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients.
  • Page 350: Dynamic DNS

    21.10 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change...
  • Page 351: Figure 166 DDNS

    Figure 166 DDNS The following table describes the labels in this screen. Table 125 DDNS. Account Setup. Active: Select this check box to use dynamic DNS. Service Provider: This is the name of your Dynamic DNS service provider.
  • Page 352 Table 125 DDNS. IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address.
  • Page 353: Chapter 22 Remote Management

    CHAPTER 22 Remote Management This chapter provides information on the Remote Management screens. 22.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 354: Remote Management and NAT

    2 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 3 You have disabled that service in one of the remote management screens.
  • Page 355: Configuring WWW

    1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server).
  • Page 356: Figure 168 WWW

    Figure 168 WWW The following table describes the labels in this screen. Table 126 WWW. HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 357: HTTPS Example

    Table 126 WWW (continued). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 358: Netscape Navigator Warning Messages

    22.4.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 359: Avoiding the Browser Warning Messages

    22.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
  • Page 360: Figure 172 Login Screen (Internet Explorer)

    Figure 172 Login Screen (Internet Explorer) Figure 173 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 361: Figure 174 Replace Certificate

    Figure 174 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.
  • Page 362: SSH Overview

    Figure 176 Common ZyWALL Certificate 22.5 SSH Overview Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 363: SSH Implementation on the ZyWALL

    Figure 178 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
  • Page 364: Requirements for Using SSH

    22.7.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH. 22.8 Configuring SSH To change your ZyWALL’s Secure Shell settings, click REMOTE MGMT, then the SSH tab.
  • Page 365: Secure Telnet Using SSH Examples

    22.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide.
  • Page 366: Secure FTP Using SSH Example

    Figure 181 SSH Example 2: Test $ telnet 192.168.1.1 22 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. SSH-1.5-1.0.0 2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 367: Telnet

    Figure 183 Secure FTP: Firmware Upload Example $ sftp -1 192.168.1.1 Connecting to 192.168.1.1... The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of...
  • Page 368: Configuring Ftp

    ZyWALL 70 User’s Guide Figure 185 Telnet The following table describes the labels in this screen. Table 128 Telnet LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 369: Configuring Snmp

    ZyWALL 70 User’s Guide Figure 186 FTP The following table describes the labels in this screen. Table 129 FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 370: Figure 187 Snmp Management Model

    ZyWALL 70 User’s Guide Figure 187 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 371: Supported Mibs

    ZyWALL 70 User’s Guide 22.14.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 22.14.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events...
  • Page 372 ZyWALL 70 User’s Guide Figure 188 SNMP The following table describes the labels in this screen. Table 131 SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
  • Page 373: Configuring Dns

    ZyWALL 70 User’s Guide 22.15 Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 7 on page 131 for more information. To change your ZyWALL’s DNS settings, click REMOTE MGMT, then the DNS tab. The screen appears as shown.
  • Page 374: Configuring Cnm

    ZyWALL 70 User’s Guide If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
  • Page 375 ZyWALL 70 User’s Guide Table 133 CNM (continued) LABEL DESCRIPTION Last Registration Time This field displays the last date (year-month-date) and time (hours-minutes- seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
  • Page 377: Chapter 23 UPnP

    CHAPTER 23 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 23.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 378: UPnP and ZyXEL

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 23.2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™...
  • Page 379: Displaying UPnP Port Mapping

    Table 134 Configuring UPnP LABEL DESCRIPTION Enable the Universal Plug and Play (UPnP) Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without...
  • Page 380: Installing UPnP in Windows Example

    The following table describes the labels in this screen. Table 135 UPnP Ports LABEL DESCRIPTION Reserve UPnP NAT rules in flash Select this check box to have the ZyWALL retain UPnP created NAT rules even after restarting. If you use UPnP and you set a port on your computer to be fixed for...
  • Page 381: Installing UPnP in Windows Me

    23.5.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 382: Installing UPnP in Windows XP

    23.5.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 383: Auto-discover Your UPnP-enabled Network Device

    23.6.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 384: Web Configurator Easy Access

    Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
  • Page 385 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 386 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 387: Chapter 24 Logs Screens

    CHAPTER 24 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix R on page 677 for example log message explanations. 24.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 388: Log Description Example

    Figure 193 View Log The following table describes the labels in this screen. Table 136 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see Section 24.3 on page 389) display in the drop-down list box.
  • Page 389: Configuring Log Settings

    The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to the appendices for more log message descriptions and details on using the command line interpreter to display logs.
  • Page 390: Figure 194 Log Settings

    Figure 194 Log Settings
  • Page 391: Table 138 Log Settings

    The following table describes the labels in this screen. Table 138 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 392: Configuring Reports

    Table 138 Log Settings (continued) LABEL DESCRIPTION Active Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.
  • Page 393: Figure 195 Reports

    Figure 195 Reports Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 139 Reports LABEL DESCRIPTION Collect Statistics Select the check box and click Apply to have the ZyWALL record report data.
  • Page 394: Viewing Web Site Hits

    24.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 395: Viewing LAN IP Address

    Figure 197 Protocol/Port Report Example The following table describes the labels in this screen. Table 141 Protocol/Port Report LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
  • Page 396: Reports Specifications

    Figure 198 LAN IP Address Report Example The following table describes the labels in this screen. Table 142 LAN IP Address Report LABEL DESCRIPTION IP Address This column lists the LAN IP addresses to and/or from which the most traffic has been sent.
  • Page 397: Chapter 25 Maintenance

    CHAPTER 25 Maintenance This chapter displays information on the maintenance screens. 25.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
  • Page 398: Configuring Password

    Figure 199 General Setup The following table describes the labels in this screen. Table 144 General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long.
  • Page 399: Pre-defined NTP Time Servers List

    Figure 200 Password Setup The following table describes the labels in this screen. Table 145 Password Setup LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field.
  • Page 400: Configuring Time and Date

    Table 146 Default Time Servers ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se tick.stdtime.gov.tw tock.stdtime.gov.tw time.stdtime.gov.tw 25.5 Configuring Time and Date To change your ZyWALL’s time and date, click MAINTENANCE, then the Time and Date tab. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on your local time zone.
  • Page 401: Table 147 Time and Date

    The following table describes the labels in this screen. Table 147 Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the time of your ZyWALL. Each time you reload this page, the ZyWALL synchronizes the time with the time server.
  • Page 402: Resetting the Time

    Table 147 Time and Date (continued) LABEL DESCRIPTION Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a...
  • Page 403: Introduction to Transparent Bridging

    Figure 202 Synchronization in Process Click the Return button to go back to the Time and Date screen after the time and date is updated successfully. Figure 203 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
  • Page 404: Transparent Firewalls

    The bridge gradually builds a host MAC-address-to-port mapping table such as in the following example, during the learning process. Table 148 MAC-address-to-port Mapping Table HOST MAC ADDRESS PORT 00a0c5123456 00a0c5123478 (host A) 1 00a0c512349a 00a0c51234bc 00a0c51234de For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1.
  • Page 405: Configuring Device Mode

    Bridging devices are most useful in complex environments that require a rapid or new firewall deployment. A transparent, bridging firewall can also be good for companies with several branch offices since the setups at these offices are often the same and it's likely that one design can be used for many of the networks.
  • Page 406: Figure 206 Device Mode (Bridge Mode)

    Table 149 Device Mode (Router Mode) (continued) LABEL DESCRIPTION Subnet Mask Enter the IP subnet mask of the ZyWALL. Gateway IP Address Enter the gateway IP address. Apply Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the IP Address field to access the ZyWALL again.
  • Page 407: F/W Upload Screen

    Table 150 Device Mode (Bridge Mode) (continued) LABEL DESCRIPTION DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP Server check box selected.
  • Page 408: Figure 207 Firmware Upload

    Figure 207 Firmware Upload The following table describes the labels in this screen. Table 151 Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it.
  • Page 409: Configuration Screen

    Figure 209 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 410: Backup Configuration

    Figure 211 Configuration 25.10.1 Backup Configuration Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 411: Figure 212 Configuration Upload Successful

    Note: Do not turn off the ZyWALL while configuration file upload is in progress. After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 212 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect.
  • Page 412: Back to Factory Defaults

    Figure 214 Configuration Upload Error 25.10.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear.
  • Page 413: Figure 216 Restart Screen

    Figure 216 Restart Screen
  • Page 415: Chapter 26 Introducing the SMT

    CHAPTER 26 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 26.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 416: Entering the Password

    Figure 217 Initial Screen Copyright (c) 1994 - 2004 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:A0:C5:01:23:45 initialize ch =1, ethernet address: 00:A0:C5:01:23:46 initialize ch =2, ethernet address: 00:A0:C5:01:23:47 initialize ch =3, ethernet address: 00:A0:C5:01:23:48 initialize ch =4, ethernet address: 00:00:00:00:00:00 AUX port init .
  • Page 417: Main Menu

    Table 153 Main Menu Commands OPERATION KEYSTROKES DESCRIPTION Move to a “hidden” menu Press [SPACE BAR] to change No to Yes Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes,...
  • Page 418: Figure 219 Main Menu (Router Mode)

    Figure 219 Main Menu (Router Mode) Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ZyWALL 70 Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. WAN Setup 22. SNMP Configuration 3.
  • Page 419: SMT Menus Overview

    Table 154 Main Menu Summary NO. MENU TITLE FUNCTION LAN Setup Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings and configure the wireless LAN port. Internet Access Setup Configure your Internet Access setup (Internet address, gateway, login, etc.) with this menu.
  • Page 420 Table 155 SMT Menus Overview (continued) MENUS SUB MENUS 11 Remote Node Setup 11.1 Remote Node Profile 11.1.2 Remote Node Network Layer Options 11.1.4 Remote Node Filter 11.2 Remote Node Profile 11.2.2 Remote Node Network Layer Options 11.2.4 Remote Node Filter...
  • Page 421: Changing the System Password

    Table 155 SMT Menus Overview (continued) MENUS SUB MENUS 24 System Maintenance 24.1 System Status 24.2 System Information and Console Port Speed 24.2.1 System Information 24.2.2 Console Port Speed 24.3 Log and Trace 24.3.1 View Error Log 24.3.2 Syslog Logging...
  • Page 422: Resetting the ZyWALL

    Figure 221 Menu 23: System Password Menu 23 - System Password Old Password= ? New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: 2 Type your existing password and press [ENTER].
  • Page 423: SMT Menu 1 - General Setup

    CHAPTER 27 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 27.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information.
  • Page 424: Figure 223 Menu 1: General Setup (Bridge Mode)

    Table 156 Menu 1: General Setup (Router Mode) (continued) FIELD DESCRIPTION Edit Dynamic DNS Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
  • Page 425: Configuring Dynamic DNS

    27.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
  • Page 426: Figure 225 Menu 1.1.1: DDNS Host Summary

    Figure 225 Menu 1.1.1: DDNS Host Summary Menu 1.1.1 DDNS Host Summary Summary ------------------------------------------------------- Hostname=ZyWALL, Type=Dynamic,WC=Yes,Offline=No,Policy=DDNS Server Detect, WAN1, HA=Yes Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 427: Figure 226 Menu 1.1.1: DDNS Edit Host

    Figure 226 Menu 1.1.1: DDNS Edit Host Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy:...
  • Page 428 Table 160 Menu 1.1.1: DDNS Edit Host (continued) FIELD DESCRIPTION IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both.
  • Page 429: WAN and Dial Backup Setup

    CHAPTER 28 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 28.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.
  • Page 430: Dial Backup

    The following table describes the fields in this screen. Table 161 MAC Address Cloning in WAN Setup FIELD DESCRIPTION WAN 1/2 MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
  • Page 431: Advanced WAN Setup

    Figure 228 Menu 2: Dial Backup Setup Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A WAN 2 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No...
  • Page 432: Figure 229 Menu 2.1: Advanced WAN Setup

    To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
  • Page 433: Remote Node Profile (Backup ISP)

    Table 164 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 434: Table 165 Menu 11.3: Remote Node Profile (Backup ISP)

    The following table describes the fields in this menu. Table 165 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Enter a descriptive name for the remote node. This field can be up to eight characters.
  • Page 435: Editing PPP Options

    Table 165 Menu 11.3: Remote Node Profile (Backup ISP) (continued) FIELD DESCRIPTION Idle Timeout Enter the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the PPP connection.
  • Page 436: Figure 232 Menu 11.3.2: Remote Node Network Layer Options

    Figure 232 Menu 11.3.2: Remote Node Network Layer Options Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 Network Address Translation= SUA Only...
  • Page 437: Editing Login Script

    Table 167 Menu 11.3.2: Remote Node Network Layer Options FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1.
  • Page 438: Figure 233 Menu 11.3.3: Remote Node Script

    You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear. They are replaced with the outgoing login name and password in the remote node when the ZyWALL sees them in a ‘Send’...
  • Page 439: Remote Node Filter

    The following table describes the fields in this menu. Table 168 Menu 11.3.3: Remote Node Script FIELD DESCRIPTION Active Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
  • Page 441: Chapter 29 LAN Setup

    CHAPTER 29 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 29.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
  • Page 442: TCP/IP and DHCP Ethernet Setup Menu

    Figure 236 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 29.4 TCP/IP and DHCP Ethernet Setup Menu...
  • Page 443: Figure 238 Menu 3.2: TCP/IP and DHCP Ethernet Setup

    Figure 238 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Client IP Pool: Starting Address= 192.168.1.33 Size of Client IP Pool= 128 TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.0...
  • Page 444: IP Alias Setup

    Table 170 Menu 3.2: LAN TCP/IP Setup Fields (continued) FIELD DESCRIPTION RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None. Version Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M.
  • Page 445: Wireless LAN Setup

    Figure 239 Menu 3.2.1: IP Alias Setup Menu 3.2.1 - IP Alias Setup IP Alias 1= Yes IP Address= 192.168.2.1 IP Subnet Mask= 255.255.255.0 RIP Direction= None Version= RIP-1 Incoming protocol filters= Outgoing protocol filters= IP Alias 2= No...
  • Page 446: Figure 240 Menu 3.5: Wireless LAN Setup

    Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm. You must then change the wireless settings of your computer to match the ZyWALL’s new...
  • Page 447: MAC Address Filter Setup

    Table 172 Menu 3.5: Wireless LAN Setup FIELD DESCRIPTION RTS (Request To Send) Threshold The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake.
  • Page 448: Figure 241 Menu 3.5.1: WLAN MAC Address Filter

    Figure 241 Menu 3.5.1: WLAN MAC Address Filter Menu 3.5.1 - WLAN MAC Address Filter Active= No Filter Action= Allowed Association MAC Address Filter Address 1= 00:00:00:00:00:00 Address 2= 00:00:00:00:00:00 Address 3= 00:00:00:00:00:00 Address 4= 00:00:00:00:00:00...
  • Page 449: Chapter 30 Internet Access

    CHAPTER 30 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 30.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 450: Table 174 Menu 4: Internet Access Setup (Ethernet)

    The following table describes the fields in this menu. Table 174 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes. You can only configure the WAN 2 port in Menu 11.2 - Remote Node Profile or in the WAN WAN 2 screen via the web configurator.
  • Page 451: Configuring the PPTP Client

    30.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 452: Basic Setup Complete

    Figure 244 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic...
  • Page 453: Chapter 31 DMZ Setup

    CHAPTER 31 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 31.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 - DMZ Setup.
  • Page 454: IP Address

    31.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 247 Menu 5: TCP/IP Setup Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2.
  • Page 455: Figure 249 Menu 5.2.1: IP Alias Setup

    Figure 249 Menu 5.2.1: IP Alias Setup Menu 5.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A...
  • Page 457: Chapter 32 Route Setup

    CHAPTER 32 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 32.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 250 Menu 6: Route Setup Menu 6 - Route Setup 1.
  • Page 458: Traffic Redirect

    The following table describes the fields in this menu. Table 177 Menu 6.1: Route Assessment FIELD DESCRIPTION Probing WAN 1/2 Check Point Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility.
  • Page 459: Route Failover

    Table 178 Menu 6.2: Traffic Redirect FIELD DESCRIPTION Metric This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 7.5 on page...
  • Page 461: Chapter 33 Remote Node Setup

    CHAPTER 33 Remote Node Setup This chapter shows you how to configure a remote node. 33.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 462: Ethernet Encapsulation

    33.3.1 Ethernet Encapsulation There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.x screen you see is for Ethernet encapsulation shown next.
  • Page 463: PPPoE Encapsulation

    Table 180 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued) FIELD DESCRIPTION Retype to Confirm Type your password again to make sure that you have entered it correctly. Server This field is valid only when RoadRunner is selected in the Service Type field. The ZyWALL will find the RoadRunner Server IP automatically if this field is left blank.
  • Page 464: Outgoing Authentication Protocol

    Figure 256 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name=...
  • Page 465: PPTP Encapsulation

    Table 181 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation. Authen This field sets the authentication protocol used for outgoing calls.
  • Page 466: Edit IP

    Figure 257 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0...
  • Page 467: Figure 258 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation

    Figure 258 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= N/A Rem Subnet Mask= N/A My WAN Addr= N/A...
  • Page 468: Remote Node Filter

    Table 183 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1.
  • Page 469: Figure 259 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)

    Figure 259 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 260 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation)
  • Page 470 ZyWALL 70 User’s Guide Chapter 33 Remote Node Setup...
  • Page 471: Chapter 34 IP Static Route Setup

    Chapter 34 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 34.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
  • Page 472: Figure 262 Menu 12.1: Edit IP Static Route

    Figure 262 Menu 12.1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ?
  • Page 473: Network Address Translation (NAT)

    Chapter 35 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 35.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the ZyWALL.
  • Page 474: Figure 263 Menu 4: Applying NAT for Internet Access

    Figure 263 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A...
  • Page 475: NAT Setup

    The following table describes the fields in this menu. Table 185 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION OPTIONS Network Address Translation: Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1, see...
  • Page 476: Address Mapping Sets

    35.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 266 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1. NAT_SET 2. example 255. SUA (read only) Enter Menu Selection Number: 35.2.1.1 SUA Address Mapping Set...
  • Page 477: User-Defined Address Mapping Sets

    Note: Menu 15.1.255 is read-only. Table 186 SUA Address Mapping Rules FIELD DESCRIPTION Set Name: This is the name of the set you selected in menu 15.1, or enter the name of a new set you want to create.
  • Page 478: Ordering Your Rules

    Figure 268 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ---- 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0...
  • Page 479: Figure 269 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

    Table 187 Fields in Menu 15.1.1 (continued) FIELD DESCRIPTION Action: The default is Edit. Edit means you want to edit a selected rule (see the following field). Insert Before means to insert a rule before the selected rule. The rules after the selected rule will then be moved down by one rule.
  • Page 480: Configuring a Server Behind NAT

    The following table describes the fields in this menu. Table 188 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Type: Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the...
  • Page 481: Figure 270 Menu 15.2: NAT Server Sets

    Figure 270 Menu 15.2: NAT Server Sets Menu 15.2 - NAT Server Sets 1. Server Set 1 2. Server Set 2 Enter Set Number to Edit: 3 Enter 1 to go to Menu 15.2.1 - NAT Server Setup and configure the address mapping rules for the WAN 1 port.
  • Page 482: Table 189 15.2.1.2: NAT Server Configuration

    Figure 272 15.2.1.2: NAT Server Configuration 15.2.1.2 - NAT Server Configuration Wan= 1 Index= 2 ------------------------------------------------ Name= 1 Active= Yes Start port= 21 End port= 25 IP Address= 192.168.1.33 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 483: General NAT Examples

    Figure 273 Menu 15.2.1: NAT Server Setup Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None...
  • Page 484: Figure 275 NAT Example 1

    Figure 275 NAT Example 1 Figure 276 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A...
  • Page 485: Example 2: Internet Access with a Default Server

    35.4.2 Example 2: Internet Access with a Default Server Figure 277 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure. Keep in mind that every inbound WAN packet that no other server rule claims is handed to the default server, so that host is effectively fully exposed to the Internet and the firewall rules that apply to it need to be correspondingly tight.
  • Page 486: Figure 279 NAT Example 3

    1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
  • Page 487: Figure 280 Example 3: Menu 11.1.2

    Figure 280 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 2...
  • Page 488: Figure 282 Example 3: Final Menu 15.1.1

    Figure 282 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 1. 192.168.1.10 10.132.50.1 192.168.1.11...
  • Page 489: Example 4: NAT Unfriendly Application Programs

    Figure 283 Example 3: Menu 15.2.1 Menu 15.2.1 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Select Command= None...
  • Page 490: Figure 285 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Figure 285 Example 4: Menu 15.1.1.1: Address Mapping Rule Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP: Start= 192.168.1.10 End= 192.168.1.12 Global IP: Start= 10.132.50.1 End= 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as...
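    The following is an added example, not ZyXEL firmware code, showing how the address mapping rule types of menu 15.1.1 resolve an outbound packet and why rule order matters (section 35.2.1.2, Ordering Your Rules). The rule sets are built from the Example 3 and Example 4 figures above; the WAN address 10.132.50.100, the source ports and the port allocator are constructed for the demonstration, and a global address of 0.0.0.0 is taken to mean the WAN port's own address, as in the read-only SUA rule.

```python
"""Outbound NAT address-mapping lookup modelled on the ZyWALL menu 15.1.1 rule types.
Added example, not ZyXEL firmware code.  Rule data is taken from the Example 3 and
Example 4 sets shown in this chapter; the WAN address and ports are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import count
from typing import Callable, List, Optional, Tuple

ANY_START, ANY_END = "0.0.0.0", "255.255.255.255"   # local range of the read-only SUA rule
WAN_IP = "0.0.0.0"   # a global address of 0.0.0.0 stands for the WAN port's own address


@dataclass
class MappingRule:
    rtype: str          # One-to-One, Many-to-One, Many-One-to-One, Many-to-Many Overload
    local_start: str
    local_end: str
    global_start: str
    global_end: str

    def __post_init__(self) -> None:
        # Many-One-to-One maps the n-th local host to the n-th global address, so both
        # ranges must be the same size (this check is the example's own, not an SMT field).
        if self.rtype == "Many-One-to-One" and self.range_size(True) != self.range_size(False):
            raise ValueError("Many-One-to-One rule needs equal local and global ranges")

    def range_size(self, local: bool) -> int:
        a, b = (self.local_start, self.local_end) if local else (self.global_start, self.global_end)
        return int(IPv4Address(b)) - int(IPv4Address(a)) + 1

    def covers(self, ip: str) -> bool:
        return IPv4Address(self.local_start) <= IPv4Address(ip) <= IPv4Address(self.local_end)


def pat_port_allocator(first: int = 1024) -> Callable[[], int]:
    """Hands out successive global ports for the port-translating rule types."""
    ports = count(first)
    return lambda: next(ports)


def translate(rules: List[MappingRule], src_ip: str, src_port: int, wan_ip: str,
              alloc_port: Callable[[], int]) -> Optional[Tuple[str, int]]:
    """Return (global_ip, global_port) for an outbound packet from src_ip:src_port.

    Rules are tried top to bottom and the first one whose local range contains the
    source address wins, which is why a catch-all Many-to-One rule has to come last."""
    for r in rules:
        if not r.covers(src_ip):
            continue
        gstart = IPv4Address(wan_ip if r.global_start == WAN_IP else r.global_start)
        offset = int(IPv4Address(src_ip)) - int(IPv4Address(r.local_start))
        if r.rtype == "One-to-One":                 # one host, address and port kept
            return str(gstart), src_port
        if r.rtype == "Many-to-One":                # all hosts share one address (SUA / PAT)
            return str(gstart), alloc_port()
        if r.rtype == "Many-One-to-One":            # n-th local host -> n-th global address
            return str(gstart + offset), src_port
        if r.rtype == "Many-to-Many Overload":      # hosts spread over a pool, ports translated
            return str(gstart + offset % r.range_size(False)), alloc_port()
        raise ValueError(f"unknown rule type {r.rtype}")
    return None   # no rule matched: the packet is not translated


# Example 3: two 1:1 FTP servers first, then the SUA catch-all for everyone else.
EXAMPLE3 = [
    MappingRule("One-to-One", "192.168.1.10", "192.168.1.10", "10.132.50.1", "10.132.50.1"),
    MappingRule("One-to-One", "192.168.1.11", "192.168.1.11", "10.132.50.2", "10.132.50.2"),
    MappingRule("Many-to-One", ANY_START, ANY_END, WAN_IP, WAN_IP),
]

# Example 4: three hosts mapped positionally onto three global addresses.
EXAMPLE4 = [
    MappingRule("Many-One-to-One", "192.168.1.10", "192.168.1.12", "10.132.50.1", "10.132.50.3"),
]

if __name__ == "__main__":
    alloc = pat_port_allocator()
    wan = "10.132.50.100"   # constructed WAN address for the demonstration
    for ip in ("192.168.1.10", "192.168.1.11", "192.168.1.50"):
        print(ip, "->", translate(EXAMPLE3, ip, 40000, wan, alloc))
    print("192.168.1.12 ->", translate(EXAMPLE4, "192.168.1.12", 40000, wan, alloc))
    # Mis-ordered set: the catch-all shadows the 1:1 rules and the FTP servers lose their addresses.
    print("shadowed:", translate(list(reversed(EXAMPLE3)), "192.168.1.10", 40000, wan, alloc))
```

    The reversed-set call at the end is the situation the Ordering Your Rules section warns about: once the 0.0.0.0 to 255.255.255.255 rule sits above the 1:1 rules, nothing below it is ever consulted.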
  • Page 491: Trigger Port Forwarding

    35.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
  • Page 492: Figure 287 Menu 15.3.1: Trigger Port Setup

    Figure 287 Menu 15.3.1: Trigger Port Setup Menu 15.3.1 - Trigger Port Setup Rule Name Incoming Start Port Incoming End Port Trigger Start Port Trigger End Port -------------------------------------------------------------- Real Audio 6970 7170 7070 7070 Press ENTER to Confirm or ESC to Cancel:...
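    The following added example (not ZyNOS code) models how the ZyWALL decides where an inbound WAN packet goes, combining the NAT server set of menu 15.2.1 (section 35.3, Configuring a Server Behind NAT) with the trigger port rules of menu 15.3.1 above. The rule data is taken from the figures in this chapter (ports 21 to 25 forwarded to 192.168.1.33, the Real Audio trigger on 7070 opening 6970 to 7170); the packets are constructed. The order of checks (static server rules, then armed triggers, then the default server) and the one-host-per-trigger-rule behaviour are assumptions of this model.

```python
"""Inbound forwarding decision combining a NAT server set (menu 15.2.1) with trigger
port rules (menu 15.3.1).  Added example, not ZyNOS code.  Rule data from the
chapter's figures; packets constructed.  Check order and one-host-per-trigger
behaviour are modelling assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ServerRule:          # one row of menu 15.2.1
    start_port: int
    end_port: int
    ip: str
    active: bool = True


@dataclass(frozen=True)
class TriggerRule:         # one row of menu 15.3.1
    name: str
    incoming_start: int    # ports the remote server will send back to
    incoming_end: int
    trigger_start: int     # outgoing destination ports that arm the rule
    trigger_end: int


@dataclass
class InboundForwarder:
    server_rules: List[ServerRule]
    trigger_rules: List[TriggerRule]
    default_server: str = "0.0.0.0"     # 0.0.0.0 means no default server
    armed: Dict[str, str] = field(default_factory=dict)   # trigger name -> LAN host

    def outbound(self, lan_ip: str, dst_port: int) -> Optional[str]:
        """LAN -> WAN packet: arm any trigger rule whose trigger range covers dst_port.
        A later trigger from another host replaces the earlier one (assumption)."""
        for t in self.trigger_rules:
            if t.trigger_start <= dst_port <= t.trigger_end:
                self.armed[t.name] = lan_ip
                return t.name
        return None

    def inbound(self, dst_port: int) -> Optional[str]:
        """WAN -> LAN packet: the LAN address it is forwarded to, or None if NAT has
        nowhere to send it.  Nothing here looks at the packet's source: a static rule,
        an armed trigger or a default server is reachable from any WAN address, so the
        firewall rule this chapter requires is what actually limits exposure."""
        for s in self.server_rules:
            if s.active and s.start_port <= dst_port <= s.end_port:
                return s.ip
        for t in self.trigger_rules:
            if t.incoming_start <= dst_port <= t.incoming_end and t.name in self.armed:
                return self.armed[t.name]
        return None if self.default_server == "0.0.0.0" else self.default_server


def example_forwarder(default_server: str = "0.0.0.0") -> InboundForwarder:
    """The chapter's figures as a rule set: FTP-range server rule plus the Real Audio trigger."""
    return InboundForwarder(
        server_rules=[ServerRule(21, 25, "192.168.1.33")],
        trigger_rules=[TriggerRule("Real Audio", 6970, 7170, 7070, 7070)],
        default_server=default_server,
    )


if __name__ == "__main__":
    fw = example_forwarder()
    print("port 21   ->", fw.inbound(21))        # static server rule
    print("port 7000 ->", fw.inbound(7000))      # trigger not yet armed: dropped
    fw.outbound("192.168.1.20", 7070)            # LAN host contacts the Real Audio server
    print("port 7000 ->", fw.inbound(7000))      # now forwarded to the triggering host
    print("port 8080 ->", example_forwarder("192.168.1.50").inbound(8080))   # default server
```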
  • Page 493: Introducing the ZyWALL Firewall

    Chapter 36 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 36.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 494: Figure 289 Menu 21.2: Firewall Setup

    Figure 289 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
  • Page 495: Chapter 37 Filter Configuration

    Chapter 37 Filter Configuration This chapter shows you how to create and apply filters. 37.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
  • Page 496: The Filter Structure of the ZyWALL

    37.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 497: Figure 291 Filter Rule Process

    Figure 291 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 498: Configuring a Filter Set

    37.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21.
  • Page 499: Configuring a Filter Rule

    Table 191 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Active: “Y” means the rule is active. “N” means the rule is inactive. Type: The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
  • Page 500: Configuring a TCP/IP Filter Rule

    To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets.
  • Page 501: Table 193 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Destination IP Addr: Enter the destination IP address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. IP Mask: Enter the IP mask to apply to the Destination IP Addr.
  • Page 502: Configuring a Generic Filter Rule

    Figure 295 Executing an IP Filter 37.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is
  • Page 503: Figure 296 Menu 21.1.1.1: Generic Filter Rule

    to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 504: Example Filter

    Table 194 Generic Filter Rule Menu Fields FIELD DESCRIPTION More: If Yes, a matching packet is passed to the next filter rule before an action is taken; otherwise the packet is disposed of according to the action fields.
  • Page 505: Figure 298 Example Filter: Menu 21.1.3.1

    Figure 298 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0...
  • Page 506: Filter Types and NAT

    More = No (M = N) means an action can be taken immediately. The action is to drop the packet (m = D) if the rule is matched and to forward the packet immediately (n = F) if the rule is not matched, no matter whether there are more rules to be checked (there aren’t in this example).
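    The following added example (not ZyNOS code) implements the filter rule process described in sections 37.1.1 through 37.5: up to four sets per port with six rules each, the 0.0.0.0 address and port-comparison fields of a TCP/IP rule, the More flag, and the Action Matched / Action Not Matched outcomes (Check Next, Forward, Drop) of the example filter. The destination port 23 of the example rule is assumed, since the figure on this page is truncated; how a packet that fails a More = Yes rule leaves the chain is not spelled out on the page and is modelled here as skipping to the end of that chain. The packets are constructed.

```python
"""Model of the ZyWALL TCP/IP filter rule process (Figure 291).  Added example, not
ZyNOS code.  The example set reproduces the chapter's telnet-blocking rule; its
destination port (23) is assumed.  A non-matching packet inside a More=Yes chain
is assumed to skip the rest of that chain."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

CHECK_NEXT, FORWARD, DROP = "Check Next", "Forward", "Drop"
MAX_SETS_PER_PORT, MAX_RULES_PER_SET = 4, 6


@dataclass
class Packet:
    protocol: int          # IP protocol number, e.g. 6 for TCP, 17 for UDP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class IPRule:
    active: bool = True
    protocol: int = 0               # 0 is taken to mean "any protocol"
    dst_addr: str = "0.0.0.0"       # an address of 0.0.0.0 is ignored, as the table says
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_port_comp: str = "None"     # None, Equal, Not Equal, Less, Greater
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_port_comp: str = "None"
    more: bool = False
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT


def _addr_match(pkt_ip: str, rule_ip: str, mask: str) -> bool:
    if rule_ip == "0.0.0.0":
        return True
    m = int(IPv4Address(mask))
    return int(IPv4Address(pkt_ip)) & m == int(IPv4Address(rule_ip)) & m


def _port_match(pkt_port: int, rule_port: int, comp: str) -> bool:
    return {"None": True,
            "Equal": pkt_port == rule_port,
            "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port,
            "Greater": pkt_port > rule_port}[comp]


def rule_matches(rule: IPRule, pkt: Packet) -> bool:
    return (rule.protocol in (0, pkt.protocol)
            and _addr_match(pkt.dst, rule.dst_addr, rule.dst_mask)
            and _addr_match(pkt.src, rule.src_addr, rule.src_mask)
            and _port_match(pkt.dport, rule.dst_port, rule.dst_port_comp)
            and _port_match(pkt.sport, rule.src_port, rule.src_port_comp))


def run_set(rules: List[IPRule], pkt: Packet) -> Optional[str]:
    """Walk one filter set top to bottom.  Returns FORWARD or DROP as soon as a rule
    decides (Forward ends this set immediately, however many rules remain), or None
    if the set ran out of rules without a decision."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule.active:
            i += 1
            continue
        matched = rule_matches(rule, pkt)
        if rule.more:
            if matched:          # More=Yes: defer the decision to the next rule in the chain
                i += 1
                continue
            while i < len(rules) and rules[i].more:   # chain broken: skip its remaining rules
                i += 1
            i += 1                                    # ...and the rule that terminates it
            continue
        action = rule.action_matched if matched else rule.action_not_matched
        if action in (FORWARD, DROP):
            return action
        i += 1                   # Check Next
    return None


def filter_packet(sets: List[List[IPRule]], pkt: Packet) -> str:
    """Apply the sets bound to a port in order; a Drop anywhere wins, otherwise the packet passes."""
    if len(sets) > MAX_SETS_PER_PORT or any(len(s) > MAX_RULES_PER_SET for s in sets):
        raise ValueError("at most 4 sets per port and 6 rules per set")
    for rules in sets:
        if run_set(rules, pkt) == DROP:
            return DROP
    return FORWARD


# The chapter's example filter: drop TCP to port 23, forward everything else immediately.
BLOCK_TELNET = [IPRule(protocol=6, dst_port=23, dst_port_comp="Equal",
                       action_matched=DROP, action_not_matched=FORWARD)]
```

    Because the example rule sets Action Not Matched to Forward, any packet that is not TCP port 23 leaves the set at rule 1 without the remaining rules being consulted; a rule that should apply to such packets has to be placed above it or use Check Next instead.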
  • Page 507: Applying a Filter

    37.6 Applying a Filter This section shows you where to apply the filter(s) after you design them. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections.
  • Page 508: Applying Remote Node Filters

    Figure 302 Filtering DMZ Traffic Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 37.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below –...
  • Page 509: Chapter 38 SNMP Configuration

    Chapter 38 SNMP Configuration This chapter explains SNMP configuration menu 22. 38.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for the Get, Set and Trap fields is SNMP terminology for a password. The community string is the only credential SNMPv1/v2c has and it travels in the clear, so change it from the usual defaults, use a different Set community from the Get community, and limit which hosts may reach the SNMP service through the Remote Management settings in menu 24.11.
  • Page 510: SNMP Traps

    Table 195 SNMP Configuration Menu Fields (continued) FIELD DESCRIPTION Destination: Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 511: System Information & Diagnosis

    Chapter 39 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 39.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 512: Figure 306 Menu 24.1: System Maintenance: Status

    3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 306 Menu 24.1: System Maintenance: Status Menu 24.1 - System Maintenance - Status...
  • Page 513: System Information and Console Port Speed

    Table 197 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION IP Mask: This is the IP mask of the port listed on the left. DHCP: This is the DHCP setting of the port listed on the left.
  • Page 514: Console Port Speed

    Figure 308 Menu 24.2.1: System Maintenance: Information Menu 24.2.1 - System Maintenance - Information Name: Routing: IP ZyNOS F/W Version: V3.64(WM.0) | 03/04/2005 Country Code: 255 Ethernet Address: 00:A0:C5:01:23:45 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: The following table describes the fields in this screen.
  • Page 515: Log and Trace

    Figure 309 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 516: Syslog Logging

    Figure 311 Examples of Error and Information Messages 52 Thu Jul 1 05:54:53 2004 PP05 ERROR Wireless LAN init fail, code=15 53 Thu Jul 1 05:54:53 2004 PINI INFO Channel 0 ok 54 Thu Jul 1 05:54:56 2004 PP05 -WARN...
  • Page 517: Table 199 System Maintenance Menu Syslog Parameters (continued) FIELD DESCRIPTION Log Facility: Press [SPACE BAR] and then [ENTER] to select a location. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.
  • Page 518: Filter log message format: SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD. IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D).
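    The following added example (not ZyXEL code) parses filter log lines in the format just described and tallies which filter set and rule dropped traffic, which is the first thing to check when a filter blocks something it should not, or when you want proof that a blocking rule is actually being hit. The sample lines are constructed; the syslog prefix in front of the IP[...] text is an assumption, as is the reading of the codes other than the documented “mD” (matched, drop): “n” is taken as not matched and “F” as forward.

```python
"""Parser for ZyNOS filter log lines (IP[Src=... Dst=... prot spo=... dpo=...] SxxRyy
followed by a match/action code).  Added example, not ZyXEL code.  Sample lines are
constructed; the syslog prefix and the "n"/"F" code meanings are assumptions."""
import re
from collections import Counter
from typing import Dict, List, Optional

FILTER_RE = re.compile(
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>\S+)"
    r" spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]"
    r" S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[mn])(?P<action>[DF])"
)


def parse_filter_log(line: str) -> Optional[Dict[str, object]]:
    """Return the packet header and filter verdict from one log line, or None for
    lines that are not filter log messages."""
    m = FILTER_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "spo": int(m["spo"]), "dpo": int(m["dpo"]),
        "set": int(m["set"]), "rule": int(m["rule"]),
        "matched": m["match"] == "m",
        "action": "drop" if m["action"] == "D" else "forward",
    }


def drops_by_rule(lines: List[str]) -> Dict[str, int]:
    """Count dropped packets per filter set and rule, e.g. {'S03>R01': 2}."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop":
            counts[f"S{rec['set']:02d}>R{rec['rule']:02d}"] += 1
    return dict(counts)


def sources_hitting(lines: List[str], filter_set: int, rule: int) -> List[str]:
    """Distinct source addresses that matched a given set/rule, in first-seen order."""
    seen: List[str] = []
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["matched"] and (rec["set"], rec["rule"]) == (filter_set, rule):
            if rec["src"] not in seen:
                seen.append(rec["src"])
    return seen


# Constructed syslog lines in the documented format (set 3, rule 1 blocks TCP port 23).
SAMPLE_LOG = [
    "Jul  1 05:55:01 192.168.1.1 ZyWALL: IP[Src=192.168.1.33 Dst=10.132.50.9 TCP spo=1025 dpo=23] S03>R01mD",
    "Jul  1 05:55:02 192.168.1.1 ZyWALL: IP[Src=192.168.1.33 Dst=10.132.50.9 TCP spo=1026 dpo=80] S03>R01nF",
    "Jul  1 05:55:03 192.168.1.1 ZyWALL: IP[Src=192.168.1.40 Dst=10.132.50.9 TCP spo=1027 dpo=23] S03>R01mD",
    "Jul  1 05:55:04 192.168.1.1 ZyWALL: Wireless LAN init fail, code=15",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_filter_log(line))
    print(drops_by_rule(SAMPLE_LOG))
    print(sources_hitting(SAMPLE_LOG, 3, 1))
```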
  • Page 519: Call-Triggering Packet

    39.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Figure 313 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Time: 17:02:44.262...
  • Page 520: WAN DHCP

    Follow the procedure below to get to Menu 24.4 - System Maintenance - Diagnostic. 1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
  • Page 521: Table 200 System Maintenance Menu Diagnostic

    Table 200 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
  • Page 523: Firmware and Configuration File Maintenance

    Chapter 40 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 40.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its...
  • Page 524: Backup Configuration

    The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. Note that the configuration file holds the ZyWALL’s passwords and other secrets, and that FTP and TFTP carry both the login and the file in the clear, so run the transfer from a trusted LAN host and protect the backup copy as you would the device itself.
  • Page 525: Using the FTP Command from the Command Line

    Figure 316 Telnet into Menu 24.5 Menu 24.5 - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root"...
  • Page 526: Example of FTP Commands from the Command Line

    40.3.3 Example of FTP Commands from the Command Line Figure 317 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay...
  • Page 527: Backup Configuration Using TFTP

    4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running.
  • Page 528: GUI-based TFTP Clients

    40.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 203 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host: Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped.
  • Page 529: Restore Configuration

    Figure 320 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
  • Page 530: Figure 322 Telnet into Menu 24.6

    Figure 322 Telnet into Menu 24.6 Menu 24.6 - System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation.
  • Page 531: Restore Using FTP Session Example

    40.4.2 Restore Using FTP Session Example Figure 323 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 532: Uploading Firmware and Configuration Files

    Figure 326 Restore Configuration Example Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 533: Configuration File Upload

    Figure 328 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root"...
  • Page 534: FTP File Upload Command from the DOS Prompt Example

    40.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username.
  • Page 535: TFTP Upload Command Example

    1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
  • Page 536: Example Xmodem Firmware Upload Using HyperTerminal

    Figure 331 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atur" after "Enter Debug Mode" message.
  • Page 537: Example Xmodem Configuration Upload Using HyperTerminal

    Figure 333 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode.
  • Page 539: System Maintenance Menus 8 to 10

    Chapter 41 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 41.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 540: Command Usage

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 336 Valid Commands Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 541: Call Control Support

    41.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
  • Page 542: Call History

    Figure 338 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.WAN_1 No Budget No Budget 2.WAN_2 No Budget No Budget 3.Dial No Budget No Budget Reset Node (0 to update screen): The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
  • Page 543: Time and Date Setting

    Figure 339 Call History Menu 24.9.2 - Call History Phone Number Rate #call Total Enter Entry to Delete(0 to exit): The following table describes the fields in this screen. Table 206 Call History FIELD DESCRIPTION Phone Number: The PPPoE service names are shown here.
  • Page 544: Figure 340 Menu 24: System Maintenance

    Figure 340 Menu 24: System Maintenance Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11.
  • Page 545: Table 207 Menu 24.10 System Maintenance: Time and Date Setting

    Table 207 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol: Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 546: Resetting the Time

    Table 207 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION End Date (mm-nth-week-hr): Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October.
  • Page 547: Chapter 42 Remote Management

    Chapter 42 Remote Management This chapter covers remote management found in SMT menu 24.11. 42.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 548: Figure 342 Menu 24.11 - Remote Management Control

    Figure 342 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secure Client IP = 0.0.0.0... Note that the values shown here, Access = ALL with Secure Client IP = 0.0.0.0, let the Telnet and FTP servers answer on every interface, including the WAN, from any client address. For a deployed ZyWALL restrict Access to LAN (or disable the service if it is not needed) and set a Secure Client IP for the management host; as described in chapter 40, a mismatched Secure Client IP causes the ZyWALL to disconnect the session immediately.
  • Page 549: Remote Management Limitations

    Table 208 Menu 24.11 – Remote Management Control (continued) FIELD DESCRIPTION Authenticate Client Certificates: Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that...
  • Page 551: Chapter 43 IP Policy Routing

    Chapter 43 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 43.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 552: IP Routing Policy Setup

    Table 209 Menu 25: Sample IP Routing Policy Summary (continued) FIELD DESCRIPTION Criteria/Action: This displays which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to Table 210 on page 552 for detailed information.
  • Page 553: Figure 344 Menu 25.1: IP Routing Policy Setup

    1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).
  • Page 554: Applying Policy to Packets

    Table 211 Menu 25.1: IP Routing Policy Setup FIELD DESCRIPTION port start / end: Source port number range from start to end; applicable only for TCP/UDP. Destination addr start / end: Destination IP address range from start to end.
  • Page 555: IP Policy Routing Example

    Figure 345 Menu 25.1.1: IP Routing Policy Setup Menu 25.1.1 - IP Routing Policy Setup Apply policy to packets received from: LAN= No DMZ= No ALL WAN= Yes Selected Remote Node index= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 556: Figure 346 Example of IP Policy Routing

    Figure 346 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
  • Page 557: Figure 348 IP Routing Policy Example 2

    4 Create another rule in menu 25.1 to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP through another gateway (192.168.1.100). Figure 348 IP Routing Policy Example 2 Menu 25.1 - IP Routing Policy Setup...
  • Page 559: Chapter 44 Call Scheduling

    ZyWALL 70 User’s Guide H A P T E R Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 44.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 560: Figure 350 Schedule Set Setup

    ZyWALL 70 User’s Guide Figure 350 Schedule Set Setup Menu 26.1 - Schedule Set Setup Active= Yes How Often= Once Start Date(yyyy/mm/dd) = 2000 - 01 - 01 Once: Date(yyyy/mm/dd)= 2000 - 01 - 01 Weekdays: Sunday= N/A Monday= N/A...
  • Page 561: Figure 351 Applying Schedule Set(S) To A Remote Node (Pppoe)

    ZyWALL 70 User’s Guide Table 213 Schedule Set Setup (continued) FIELD DESCRIPTION Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field.
  • Page 562: Figure 352 Applying Schedule Set(S) To A Remote Node (Pptp)

    ZyWALL 70 User’s Guide Figure 352 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0...
  • Page 563: Chapter 45 Troubleshooting

    Chapter 45 Troubleshooting. This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you diagnose and solve the problem. Please see our included disk for further information.
  • Page 564: Problems with the DMZ Interface

    Table 215 Troubleshooting the LAN Interface (continued). Problem: Cannot ping any computer on the LAN. Corrective action: Check the 10M/100M LAN LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your ZyWALL and hub or...
  • Page 565: Problems with the WAN Interface

    45.4 Problems with the WAN Interface. Table 217 Troubleshooting the WAN Interface. Problem: Cannot get WAN IP address from the... Corrective action: The ISP provides the WAN IP address after authentication. Authentication may be through the user name and password, the MAC address or the host name.
  • Page 566: Pop-up Windows, JavaScripts and Java Permissions

    Table 218 Troubleshooting Accessing the ZyWALL. Problem: Cannot access the web configurator. Corrective action: Make sure that there is not an SMT console session running. Use the ZyWALL’s WAN IP address when configuring from the WAN. Refer to the instructions on checking your WAN connection.
  • Page 567: Figure 353 Pop-up Blocker

    45.5.1.1.1 Disable Pop-up Blockers. 1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 353 Pop-up Blocker. You can also check whether pop-up blocking is disabled in the Pop-up Blocker section of the Privacy tab.
  • Page 568: Figure 355 Internet Options

    45.5.1.1.2 Enable Pop-up Blockers with Exceptions. Alternatively, if you only want to allow pop-up windows from your device, follow these steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings... to open the Pop-up Blocker Settings screen.
  • Page 569: JavaScripts

    Figure 356 Pop-up Blocker Settings. 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 45.5.1.2 JavaScripts. If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 570: Figure 357 Internet Options

    Figure 357 Internet Options. 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default).
  • Page 571: Java Permissions

    Figure 358 Security Settings - Java Scripting. 45.5.1.3 Java Permissions. 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
  • Page 572: Figure 359 Security Settings - Java

    Figure 359 Security Settings - Java. 45.5.1.3.1 JAVA (Sun). 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
  • Page 573: Figure 360 Java (Sun)

    Figure 360 Java (Sun)...
  • Page 575: Product Specifications

    Appendix A Product Specifications. See also the Introduction chapter for a general overview of the key features. Specification Tables. Table 219 Device Specifications:
      Default IP Address: 192.168.1.1
      Default Subnet Mask: 255.255.255.0 (24 bits)
      Default Password: 1234
      DHCP Pool: 192.168.1.33 to 192.168.1.160...
  • Page 576: Table 221 Firmware Features

    Table 220 Performance (continued):
      User Licenses: Unlimited
      Concurrent Sessions: 10,000
      Simultaneous IPSec VPN Connections
    Table 221 Firmware Features:
      Modes of Operation: Routing/NAT/SUA Mode; Transparent Mode
      Firewall (ICSA Certified): IP Protocol/Packet Filter; DoS and DDoS protections; Stateful Packet Inspection...
  • Page 577: Table 222 Feature Specifications

    Table 221 Firmware Features (continued):
      Wireless: IEEE 802.11b Compliant; IEEE 802.11g Compliant; Frequency Range: 2.4 GHz; Advanced Orthogonal Frequency Division Multiplexing (OFDM); IEEE 802.1x Authentication (Internal Database and External RADIUS); Store up to 32 built-in user profiles using EAP-MD5 (Internal Database)
  • Page 578: Table 223 Compatible ZyXEL WLAN Cards and Security Features

    Table 222 Feature Specifications (continued). Features: Number of DNS Address Record Entries; Number of DNS Name Server Record Entries. Compatible ZyXEL WLAN Cards: The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing.
  • Page 579: Figure 361 WLAN Card Installation

    Figure 361 WLAN Card Installation. Cable Pin Assignments. In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect a modem to the dial backup port.
  • Page 580: Figure 363 Ethernet Cable Pin Assignments

    Table 224 Console/Dial Backup Port Pin Assignments:
      Console port, RS-232 (Female) DB-9F: Pin 1 = NON; Pin 2 = DCE-TXD; Pin 3 = DCE-RXD...
      Dial backup port, RS-232 (Male) DB-9M (not on all models): Pin 1 = NON; Pin 2 = DTE-RXD...
  • Page 581: Removing and Installing a Fuse

    Appendix B Removing and Installing a Fuse. This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below. Note: If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the appendix on product specifications.
  • Page 583: Setting Up Your Computer’s IP Address

    Appendix C Setting up Your Computer’s IP Address. All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 584: Figure 364 Windows 95/98/Me: Network: Configuration

    Figure 364 Windows 95/98/Me: Network: Configuration. Installing Components. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 585: Figure 365 Windows 95/98/Me: TCP/IP Properties: IP Address

    3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring. 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2 Click the IP Address tab.
  • Page 586: Figure 366 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

    Figure 366 Windows 95/98/Me: TCP/IP Properties: DNS Configuration. 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add.
  • Page 587: Figure 367 Windows XP: Start Menu

    Figure 367 Windows XP: Start Menu. 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 368 Windows XP: Control Panel. 3 Right-click Local Area Connection and then click Properties.
  • Page 588: Figure 369 Windows XP: Control Panel: Network Connections: Properties

    Figure 369 Windows XP: Control Panel: Network Connections: Properties. 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 370 Windows XP: Local Area Connection Properties. 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 589: Figure 371 Windows XP: Internet Protocol (TCP/IP) Properties

    • If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. Figure 371 Windows XP: Internet Protocol (TCP/IP) Properties. 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
  • Page 590: Figure 372 Windows XP: Advanced TCP/IP Properties

    Figure 372 Windows XP: Advanced TCP/IP Properties. 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 591: Figure 373 Windows XP: Internet Protocol (TCP/IP) Properties

    Figure 373 Windows XP: Internet Protocol (TCP/IP) Properties. 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 592: Figure 374 Macintosh OS 8/9: Apple Menu

    Figure 374 Macintosh OS 8/9: Apple Menu. 2 Select Ethernet built-in from the Connect via list. Figure 375 Macintosh OS 8/9: TCP/IP. 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list...
  • Page 593: Figure 376 Macintosh OS X: Apple Menu

    4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 594: Figure 377 Macintosh OS X: Network

    Figure 377 Macintosh OS X: Network. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box.
  • Page 595: IP Subnetting

    Appendix D IP Subnetting. IP Addressing. Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes. An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 596: Table 226 Allowed IP Address Range by Class

    Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly, the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B”...
  • Page 597: Table 228 Alternative Subnet Mask Notation

    Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/”...
  • Page 598: Table 230 Subnet 1

    Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have...
  • Page 599: Table 232 Subnet 1

    Example: Four Subnets. The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly, to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
  • Page 600: Table 235 Subnet 4

    Table 235 Subnet 4 (network number, with last octet bit value):
      IP Address: 192.168.1. | 11000000
      IP Address (Binary): 11000000.10101000.00000001. | 11000000
      Subnet Mask (Binary): 11111111.11111111.11111111. | 11000000
      Subnet Address: 192.168.1.192
      Lowest Host ID: 192.168.1.193
      Broadcast Address: 192.168.1.255
      Highest Host ID: 192.168.1.254...
  • Page 601: Table 238 Class B Subnet Planning

    Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
  • Page 603: Appendix E PPPoE

    Appendix E PPPoE. PPPoE in Action. An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access...
  • Page 604: Figure 378 Single-Computer per Router Hardware Configuration

    Figure 378 Single-Computer per Router Hardware Configuration. How PPPoE Works. The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
  • Page 605: Appendix F PPTP

    Appendix F PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband...
  • Page 606: Figure 381 PPTP Protocol Overview

    PPTP Protocol Overview. PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel.
  • Page 607: Figure 382 Example Message Exchange between Computer and an ANT

    Figure 382 Example Message Exchange between Computer and an ANT. PPP Data Connection. The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 609: Appendix G Wireless LANs

    Appendix G Wireless LANs. Wireless LAN Topologies. This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration. The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an Ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 610: Figure 384 Basic Service Set

    Figure 384 Basic Service Set. An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with the access points connected together by a wired network. This wired connection between APs is called a Distribution System (DS).
  • Page 611: Figure 385 Infrastructure WLAN

    Figure 385 Infrastructure WLAN. Channel. A channel is the radio frequency (or frequencies) used by IEEE 802.11a/b/g wireless devices. The channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference.
  • Page 612: Figure 386 RTS/CTS

    Figure 386 RTS/CTS. When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 613: Table 239 IEEE 802.11g

    A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.
  • Page 614: Types of RADIUS Messages

    IEEE 802.1x. In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:...
  • Page 615: Figure 387 EAP Authentication

    • Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: •...
  • Page 616: Types of Authentication

    3 The wireless station replies with identity information, including username and password. 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station. Types of Authentication. This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.
  • Page 617: WEP Authentication Steps

    PEAP (Protected EAP). Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection; simple username and password methods are then used through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
  • Page 618: Figure 388 WEP Authentication Steps

    Figure 388 WEP Authentication Steps. Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all, as any station can gain access to the network.
  • Page 619: Table 240 Comparison of EAP Authentication Types

    Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.
  • Page 620: Table 241 Wireless Security Relational Matrix

    The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
  • Page 621: Figure 389 Roaming Example

    In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
  • Page 622: Requirements for Roaming

    Requirements for Roaming. The following requirements must be met in order for wireless stations to roam between the coverage areas. 1 All the access points must be on the same subnet and configured with the same ESSID.
  • Page 623: Triangle Route

    Appendix H Triangle Route. The Ideal Setup. When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
  • Page 624: Figure 391 “Triangle Route” Problem

    Figure 391 “Triangle Route” Problem. The “Triangle Route” Solutions. This section presents two solutions to the “triangle route” problem. IP Aliasing. IP alias allows you to partition your network into logical sections over the same Ethernet interface.
  • Page 625: Figure 392 IP Alias

    Figure 392 IP Alias. Gateways on the WAN Side. A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 627: SIP Passthrough

    Appendix I SIP Passthrough. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
  • Page 628: Figure 394 SIP User Agent Server

    Table 242 SIP Call Progression (continued): 3. OK; 4. ACK; 5. Dialogue (voice traffic); 6. BYE; 7. OK. 1 A sends a SIP INVITE request to B. This message is an invitation for B to participate in a SIP telephone call.
  • Page 629: Figure 395 SIP Proxy Server

    In the following example, you want to use client device A to call someone who is using client device C. 1 The client device (A in the figure) sends a call invitation to the SIP proxy server (B).
  • Page 630: Figure 396 SIP Redirect Server

    Figure 396 SIP Redirect Server. SIP Register Server. A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mappings. The register server checks your user name and password when you register. When you make a VoIP call using SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer.
  • Page 631: Figure 397 ZyWALL SIP ALG

    ZyXEL SIP ALG. • SIP clients can be connected to the LAN, WLAN or DMZ. A SIP server must be on the WAN. The WLAN and DMZ are not available on all models. • You can make and receive calls between the LAN and the WAN, between the WLAN and the WAN and/or between the DMZ and the WAN.
  • Page 632: Signaling Session Timeout

    If the primary WAN connection fails, the SIP client needs to re-register with the SIP server through the secondary WAN port to have the SIP connection go through the secondary WAN port. When the ZyWALL uses both of the WAN ports at the same time, you can configure a routing policy to have the voice traffic from any IP address with UDP port 5060 and the RTP ports go over a specified WAN port.
  • Page 633: Appendix J VPN Setup

    Appendix J VPN Setup. This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users. General Notes •...
  • Page 634: Figure 398 VPN Rules

    The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/Remote Starting IP Address settings with your own values.
  • Page 635: Figure 399 Headquarters Gateway Policy Edit

    Figure 399 Headquarters Gateway Policy Edit. The IP address of the branch...
  • Page 636: Figure 400 Branch Office Gateway Policy Edit

    Figure 400 Branch Office Gateway Policy Edit. The IP address of the headquarters IPSec router. 3 Click the add network policy ( ) icon next to the BRANCH gateway policy to configure a VPN policy.
  • Page 637: Figure 401 Headquarters VPN Rule

    Figure 401 Headquarters VPN Rule. Figure 402 Branch Office VPN Rule. 4 Configure the screens in the headquarters and the branch office as follows and click Apply.
  • Page 638: Figure 403 Headquarters Network Policy Edit

    Figure 403 Headquarters Network Policy Edit. Activate the network policy. IP addresses on different subnets.
  • Page 639: Figure 404 Branch Office Network Policy Edit

    Figure 404 Branch Office Network Policy Edit. Activate the network policy. IP addresses on different subnets. Dialing the VPN Tunnel via Web Configurator. To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
  • Page 640: Figure 405 VPN Rule Configured

    Figure 405 VPN Rule Configured. The following screen displays. Figure 406 VPN Dial. This screen displays later if the IPSec routers can build the VPN tunnel. Figure 407 VPN Tunnel Established.
  • Page 641: VPN Troubleshooting

    VPN Troubleshooting. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
  • Page 642: Figure 408 VPN Log Example

    Figure 408 VPN Log Example:
      ras> sys log disp ike ipsec
      .time source destination notes message
      0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
      1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
      2|01/11/2001 18:47:22 |5.6.7.8...
  • Page 643: Figure 409 IKE/IPSec Debug Example

    IPSec Debug. If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8). Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
  • Page 644: Use a VPN Tunnel

    Use a VPN Tunnel. A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email.
  • Page 645: Importing Certificates

    Appendix K Importing Certificates. This appendix shows certificate import examples using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator. In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
  • Page 646: Figure 411 Login Screen

    Figure 411 Login Screen. 2 Click Install Certificate to open the Install Certificate wizard. Figure 412 Certificate General Information before Import. 3 Click Next to begin the Install Certificate wizard.
  • Page 647: Figure 413 Certificate Import Wizard 1

    Figure 413 Certificate Import Wizard 1. 4 Select where you would like to store the certificate and then click Next. Figure 414 Certificate Import Wizard 2. 5 Click Finish to complete the Import Certificate wizard.
  • Page 648: Figure 415 Certificate Import Wizard 3

    Figure 415 Certificate Import Wizard 3. 6 Click Yes to add the ZyWALL certificate to the root store. Figure 416 Root Certificate Store.
  • Page 649: Figure 417 Certificate General Information after Import

    Figure 417 Certificate General Information after Import. Enrolling and Importing SSL Client Certificates. The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates option to be active (see the Certificates chapter for details).
  • Page 650: Figure 418 ZyWALL Trusted CA Screen

    Figure 418 ZyWALL Trusted CA Screen. The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate. 1 Double-click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 651: Figure 419 CA Certificate Example

    Figure 419 CA Certificate Example. 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s). You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 652: Figure 420 Personal Certificate Import Wizard 1

    Figure 420 Personal Certificate Import Wizard 1. 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
  • Page 653: Figure 422 Personal Certificate Import Wizard 3

    Figure 422 Personal Certificate Import Wizard 3. 4 Have the wizard determine where the certificate should be saved on your computer, or select Place all certificates in the following store and choose a different location. Figure 423 Personal Certificate Import Wizard 4. 5 Click Finish to complete the wizard and begin the import process.
  • Page 654: Figure 424 Personal Certificate Import Wizard 5

    Figure 424 Personal Certificate Import Wizard 5. 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 425 Personal Certificate Import Wizard 6. Using a Certificate When Accessing the ZyWALL Example. Use the following procedure to access the ZyWALL via HTTPS.
  • Page 655: Figure 427 SSL Client Authentication

    Figure 427 SSL Client Authentication. 3 You next see the ZyWALL login screen. Figure 428 ZyWALL Secure Login Screen.
  • Page 657: Command Interpreter

    Appendix L Command Interpreter. The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode.
  • Page 659: Appendix M Firewall Commands

    ZyWALL 70 User’s Guide P P E N D I X Firewall Commands The following describes the firewall commands. See Appendix L on page 657 for information on the command structure. Table 243 Firewall Commands FUNCTION COMMAND DESCRIPTION Firewall Set-Up This command turns the firewall on or off.
  • Page 660 ZyWALL 70 User’s Guide Table 243 Firewall Commands (continued) FUNCTION COMMAND DESCRIPTION E-mail This command sets the IP address to which config edit firewall e-mail the e-mail messages are sent. mail-server <ip address of mail server> This command sets the source e-mail address config edit firewall e-mail of the firewall e-mails.
  • Page 661 ZyWALL 70 User’s Guide Table 243 Firewall Commands (continued) FUNCTION COMMAND DESCRIPTION This command sets the threshold rate of new config edit firewall attack half-open sessions per minute where the minute-high <0-255> ZyWALL starts deleting old half-opened sessions until it gets them down to the minute- low threshold.
  • Page 662 Table 243 Firewall Commands (continued)
    FUNCTION COMMAND DESCRIPTION
    config edit firewall set <set #> tcp-idle-timeout <seconds>: This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed.
    config edit firewall set <set ...: This command sets whether or not the...
  • Page 663 Table 243 Firewall Commands (continued)
    FUNCTION COMMAND DESCRIPTION
    config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address>...: This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet...
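The minute-high and minute-low thresholds in Table 243 act as a high/low watermark on the firewall's half-open session table. The following Python simulation is an added example (not ZyWALL firmware code; the class, method and sample-address names are assumptions for illustration) showing how a SYN burst is trimmed back to minute-low once the per-minute rate of new half-open sessions reaches minute-high.

```python
"""Simulation of the ZyWALL half-open session thresholds (Table 243).

Added example, not ZyWALL code. A half-open session is one whose SYN was
seen but whose handshake has not completed. New half-open sessions are
counted per minute; when that count reaches minute-high, the oldest
half-open sessions are deleted until the table is down to minute-low.
"""
from collections import OrderedDict


class HalfOpenTable:
    """Half-open session table with minute-high / minute-low watermarks."""

    def __init__(self, minute_high: int, minute_low: int) -> None:
        if not 0 <= minute_low <= minute_high <= 255:   # CLI range is <0-255>
            raise ValueError("need 0 <= minute-low <= minute-high <= 255")
        self.minute_high = minute_high
        self.minute_low = minute_low
        self.sessions: "OrderedDict[tuple, float]" = OrderedDict()  # oldest first
        self.new_this_minute = 0
        self.deleted = 0
        self.minute = 0

    def _tick(self, now: float) -> None:
        """Reset the per-minute counter when a new wall-clock minute starts."""
        minute = int(now // 60)
        if minute != self.minute:
            self.minute, self.new_this_minute = minute, 0

    def syn_received(self, key: tuple, now: float) -> None:
        """Record a new SYN, then enforce the high watermark."""
        self._tick(now)
        self.sessions[key] = now
        self.new_this_minute += 1
        if self.new_this_minute >= self.minute_high:
            # Rate reached minute-high: drop oldest entries down to minute-low.
            while len(self.sessions) > self.minute_low:
                self.sessions.popitem(last=False)
                self.deleted += 1

    def handshake_completed(self, key: tuple) -> None:
        """The session is now fully open and no longer counts as half-open."""
        self.sessions.pop(key, None)


def simulate_syn_burst(n: int, minute_high: int, minute_low: int):
    """Constructed burst of n SYNs in one minute; returns (half_open, deleted)."""
    table = HalfOpenTable(minute_high, minute_low)
    for i in range(n):   # constructed sample flows, unique by source port
        table.syn_received(("10.0.0.%d" % (i % 250), 40000 + i, "192.0.2.1", 80), 0.1 * i)
    return len(table.sessions), table.deleted
```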
  • Page 665: Netbios Filter Commands

    Appendix N NetBIOS Filter Commands
    The following describes the NetBIOS packet filter commands. See Appendix L on page 657 for information on the command structure.
    Introduction
    NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 666: Table 244 Netbios Filter Default Settings

    The filter types and their default settings are as follows.
    Table 244 NetBIOS Filter Default Settings
    NAME DESCRIPTION EXAMPLE
    Between LAN and WAN: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. Example: Block.
  • Page 667
    sys filter netbios config 3 on: This command blocks IPSec NetBIOS packets.
    sys filter netbios config 4 off: This command stops NetBIOS commands from initiating calls.
  • Page 669: Certificates Commands

    Appendix O Certificates Commands
    The following describes the certificate commands. See Appendix L on page 657 for information on the command structure. All of these commands start with certificates.
    Table 245 Certificates Commands...
  • Page 670 Table 245 Certificates Commands (continued)
    COMMAND DESCRIPTION
    create cmp_enroll <name> <CA addr> <CA cert>...: Create a certificate request and enroll for a certificate immediately online using CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies...
  • Page 671 Table 245 Certificates Commands (continued)
    COMMAND DESCRIPTION
    replace_fact: Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 672 Table 245 Certificates Commands (continued)
    COMMAND DESCRIPTION
    delete <name>: Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted.
    list: List all trusted remote host certificate names and basic information.
  • Page 673: Appendix P Brute-Force Password Guessing Protection

    Appendix P Brute-Force Password Guessing Protection
    Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered.
  • Page 675: Appendix Q Boot Commands

    Appendix Q Boot Commands
    The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 676: Figure 430 Boot Module Commands

    Figure 430 Boot Module Commands
    AT          just answer OK
    ATHE        print help
    ATBAx       change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y)   set BootExtension Debug Flag (y=password)
    ATSE        show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show...
  • Page 677: Appendix R Log Descriptions

    Appendix R Log Descriptions
    This appendix provides descriptions of example log messages.
    Table 247 System Maintenance Logs
    LOG MESSAGE DESCRIPTION
    Time calibration is ...: The router has adjusted its time based on information from the time server.
  • Page 678: Table 248 System Error Logs

    Table 247 System Maintenance Logs (continued)
    LOG MESSAGE DESCRIPTION
    Configuration Change: PC = 0x%x, Task ID = 0x%x: The router is saving configuration changes.
    Successful SSH login: Someone has logged on to the router’s SSH server.
    ...: Someone has failed to log on to the router’s SSH server.
  • Page 679: Table 249 Access Control Logs

    Table 249 Access Control Logs
    LOG MESSAGE DESCRIPTION
    Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy’s setting.
  • Page 680: Table 251 Packet Filter Logs

    Table 250 TCP Reset Logs (continued)
    LOG MESSAGE DESCRIPTION
    Exceed MAX incomplete, sent TCP RST: The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.) Note: When the number of...
  • Page 681: Table 253 Cdr Logs

    Table 253 CDR Logs
    LOG MESSAGE DESCRIPTION
    board %d line %d channel %d, call %d, %s C01 Outgoing Call: The router received the setup requirements for a call. “call” is the reference (count) number of the call. “dev” is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP).
  • Page 682: Table 257 Attack Logs

    Table 256 Content Filtering Logs (continued)
    LOG MESSAGE DESCRIPTION
    %s: Forbidden Web site: The web site is in the forbidden web site list.
    %s: Contains ActiveX: The web site contains ActiveX.
    ...: The web site contains a Java applet.
  • Page 683: Table 258 Remote Management Logs

    Table 257 Attack Logs (continued)
    LOG MESSAGE DESCRIPTION
    ip spoofing - WAN ICMP (type:%d, code:%d): The firewall detected an ICMP IP spoofing attack on the WAN port.
    icmp echo : ICMP (type:%d, code:%d): The firewall detected an ICMP echo attack.
    ...: The firewall detected a TCP syn flood attack.
  • Page 684: Table 259 Wireless Logs

    Table 258 Remote Management Logs
    LOG MESSAGE DESCRIPTION
    Remote Management: WWW denied: Attempted use of WWW service was blocked according to remote management settings.
    Remote Management: HTTPS denied: Attempted use of HTTPS service was blocked according to remote management settings.
  • Page 685: Table 261 Ike Logs

    Table 260 IPSec Logs (continued)
    LOG MESSAGE DESCRIPTION
    Rule <%d> idle time out, disconnect: The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn"...
  • Page 686 Table 261 IKE Logs (continued)
    LOG MESSAGE DESCRIPTION
    Peer ID: <peer id> <My remote type> -<My local type>: The displayed ID information did not match between the two ends of the connection.
    vs. ...: The displayed ID information did not match between the two...
  • Page 687 Table 261 IKE Logs (continued)
    LOG MESSAGE DESCRIPTION
    Rule [%d] Phase 1 negotiation mode mismatch: The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.
    Rule [%d] Phase 1 encryption ...: The listed rule’s IKE phase 1 encryption algorithm did not match between the router and the peer.
  • Page 688: Table 262 Pki Logs

    Table 261 IKE Logs (continued)
    LOG MESSAGE DESCRIPTION
    Rule [%d] phase 2 mismatch: The listed rule’s IKE phase 2 did not match between the router and the peer.
    ...: The listed rule’s IKE phase 2 key lengths (with the AES...
  • Page 689: Table 263 Certificate Path Verification Failure Reason Codes

    Table 262 PKI Logs (continued)
    LOG MESSAGE DESCRIPTION
    Rcvd data <size> too large! Max size ...: The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field.
  • Page 690: Table 264 802.1X Logs

    Table 263 Certificate Path Verification Failure Reason Codes (continued)
    CODE DESCRIPTION
    Database method failed.
    Path was not verified.
    Maximum path length reached.
    Table 264 802.1X Logs
    LOG MESSAGE DESCRIPTION
    A user was authenticated by the local user database.
  • Page 691: Table 265 Acl Setting Notes

    Table 265 ACL Setting Notes
    PACKET DIRECTION DIRECTION DESCRIPTION
    (L to W) LAN to WAN: ACL set for packets traveling from the LAN to the WAN.
    (W to L) WAN to LAN: ACL set for packets traveling from the WAN to the LAN.
  • Page 692: Table 267 Syslog Logs

    Table 266 ICMP Notes (continued)
    TYPE CODE DESCRIPTION
    Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded.
    Parameter Problem: Pointer indicates the error.
    Timestamp: Timestamp request message.
    Timestamp Reply: Timestamp reply message.
    Information Request...
  • Page 693: Figure 431 Displaying Log Categories Example

    The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
    Table 268 RFC-2408 ISAKMP Payload Types
    LOG DISPLAY PAYLOAD TYPE
    Security Association
    Proposal...
  • Page 694: Figure 432 Displaying Log Parameters Example

    Figure 432 Displaying Log Parameters Example
    ras> sys logs category access
    Usage: [0:none/1:log/2:alert/3:both] [0:don't show debug type/1:show debug type]
    4 Use sys logs category followed by a log category and a parameter to decide what to record.
  • Page 695: Log Command Example

    Log Command Example
    This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
    ras> sys logs load
    ras> sys logs category access 3
    ras> sys logs save
    ras>...
  • Page 697: Index

    Index Numerics 10/100 Mbps Ethernet WAN Backup 410, 524 110V AC Backup WAN 230V AC Bandwidth Borrowing Bandwidth Class Bandwidth Filter 325, 336 Bandwidth Management 51, 325 Bandwidth Management Statistics Bandwidth Manager Class Configuration Abnormal Working Conditions...
  • Page 698 Channel ID 116, 446 Default CHAP 434, 465 Defective Charge Denial of Service 168, 169, 198, 493 Circuit Denial of Services Thresholds Class B Denmark, Contact Information Client-server Protocol Command Interpreter Mode Destination Address Command Line...
  • Page 699 Enable Wireless LAN Custom Ports See Custom Ports Firewall Vs Filters Encapsulating Security Payload (ESP) Guidelines For Enhancing Security Encapsulation 450, 462, 466 Introduction Encryption 229, 619 Policies Entering Information Rule Logic Equal Value Services SMT Menus...
  • Page 700 Host 399, 427 IP Multicast Internet Group Management Protocol (IGMP) Host IDs IP Policy Routing How SSH works IP Pool 97, 443 How STP Works IP Pool Setup HTTP 167, 169, 307 IP Ports HTTPS 52, 354...
  • Page 701 Local Nailed-up Connection Nailed-Up Connections Log Facility 94, 307, 308, 436, 437, 467, 468, 506 Application Logging Applying NAT in the SMT Menus Login Name Configuring Login Screen Definitions Examples How NAT Works Mapping Types NAT Unfriendly Application Programs...
  • Page 702 Packet Filtering Firewalls Pairwise Master Key (PMK) 434, 465 Qualified Service Personnel Parts Quality of Service Password 398, 416, 421, 450, 509 Quick Start Guide Patent Path cost PCMCIA Port Perfect Forward Secrecy Period(hr) 434, 465...
  • Page 703 Reset Button Scheduler 327, 332 Resetting the Time 402, 546 Schedules 465, 466 Resetting the ZyWALL Secure FTP Using SSH Example Restore 6, 410 Secure Telnet Using SSH Example Restore Configuration Security Parameters retry count Security Ramifications...
  • Page 704 Process Temporal Key Integrity Protocol (TKIP) ZyWALL Terminal Emulation Static Route TFTP STP (Spanning Tree Protocol) File Upload GUI-based Clients STP Port States TFTP and FTP over WAN STP See Spanning Tree Protocol TFTP Restrictions 353, 526, 549...
  • Page 705 www.dyndns.org Value Vendor Ventilation Slots Viewing Certifications Xmodem Virtual Private Network File Upload Voltage Supply XMODEM Protocol Voltage, High encapsulation keep alive key management secure gateway ZyNOS 3, 514, 524 VPN Application 56, 230 ZyNOS F/W Version...